Vendor Risk Management

Related to contract management, vendor risk management provides a method for managing privacy risks that would otherwise be outside of your control. Once your customers’ data passes to a third party, there’s little you can do to continue to protect it unless you engage in robust vendor risk management processes. There is a significant overlap between vendor risk management and contract management. However, aspects of vendor risk management are not related to contracts; similarly, not all contract-related privacy issues involve vendors. Hence, the two are represented by separate elements in this model.

Less Mature

The concept of vendor risk may not be present in an organization with immature vendor risk management practices. Not only will the regulatory requirements around mitigating vendor risk be poorly understood, but there may be no actual activities taking place to mitigate vendor risk. If regulatory requirements are understood, they may be met according to the letter of the law but not its spirit.

Contractual language may be put into place, but there will be little or inconsistent auditing for compliance. Likewise, there will be inconsistent or absent reviews of privacy risk in vendors prior to onboarding. When a privacy breach or privacy incident occurs relating to vendors, there may be little to no remediation.

More Mature

Mature vendor risk management involves an established and continuously improved process for assessing vendors for privacy risk. That process starts before vendor selection, when candidate vendors’ privacy practices are used to establish a short list of acceptable candidates, and continues through onboarding, ongoing review, the establishment of risk mitigation strategies, implementation of risk mitigation plans should vendor practices change, and regular communication with vendors to ensure compliance with privacy and security requirements.

Recommended Next Steps

Privacy professionals interested in improving their vendor risk management process should:

  • Identify a means of evaluating vendors’ privacy practices prior to onboarding, including vendor assessments. Ideally, these assessments should be tailored based on the likely risk that the vendor poses to individuals’ data privacy, the vendor’s criticality to the organization’s operations, the sensitivity of the data that will be shared with the vendor, and the level of oversight needed to manage the risks introduced by the vendor.
  • Take these factors into account during post-onboarding vendor risk management activities as well.
  • Implement a vendor privacy risk management solution to provide capacity to adequately assess vendor risk.