Contract Management

Certain jurisdictions require that any processor or service provider handling data have specific contractual provisions in place with the organization they receive data from. These are typically handled by way of data processing addendums that specify the obligations of each party and the security measures that protect the data.

Since modern businesses rely on a small galaxy of vendors, partners, outsourcers, and others to operate, being able to manage the contracts associated with those third parties effectively is essential to protecting the PI they manage. In the context of a data privacy program, contract management refers to the process of ensuring that privacy obligations are incorporated into contracts with third-party service providers and vendors. Privacy professionals need to work closely with legal and procurement teams to identify when contracts need language addressing data privacy, which existing contracts must be updated, and how to negotiate new contracts with privacy-related language.

Less Mature

An immature contract management process may involve ad hoc contract reviews without standardized privacy language or regular monitoring of vendor compliance with privacy obligations. Personal data may be transferred to counterparties without contractual protections in place, and privacy professionals may lack insight into which contracts lack appropriate language, which incorporate the right language, which need to be updated, and so on. Contract managers are likely siloed from any privacy function at the organization.

More Mature

In contrast, a mature contract management process involves close collaboration with legal and procurement teams on a standardized set of language that protects PI when it is transferred to a third party or received from a third party. It takes into consideration the different privacy laws governing the different counterparties and establishes appropriate processes for contract review, third-party compliance monitoring, and contract management as a whole.

Recommended Next Steps

To improve the contract management process:

  • Establish regular meetings with your colleagues in the legal and procurement departments and whichever other stakeholders may regularly handle contracts.
  • Create an accurate and regularly updated data inventory and/or RoPA to understand when and where data flows to third parties.
  • Develop standardized contractual language to implement within as many contracts as necessary. When counterparties object to specific language, have a plan in place for which clauses and terms are essential, which alternatives are acceptable, and so on.
  • Review relevant laws, regulations, and rules to see if any specific language should be added to your standard privacy language.
  • Conduct regular audits of your third parties to assess compliance with agreed-upon obligations.
  • Tie these processes to ongoing reviews such as those performed by security teams or compliance teams.