Performing a vendor due-diligence or privacy risk assessment when onboarding a new vendor is of utmost importance. For compliance purposes, as well as to protect your brand reputation, you should be aware of any risks associated with potential vendors, including data breaches and misuse of customer data.
Additionally, it is important to review the vendor’s public policies and procedures to ensure that they are adequate for protecting your organisation and your data. What could raise a flag and make you suspect of their data practices? We’re here to help. In this article we will provide some examples of red flags to look for when conducting a vendor due-diligence or privacy risk assessment.
What is Vendor Due-Diligence – Data Privacy?
An organization conducts vendor due diligence (VDD) before entering into a business relationship with a third-party or vendor. During a vendor assessment, an organization determines if a vendor is being honest about their privacy practices and identifies any potential privacy risks that could pose a threat to the organization.
Vendor Due Diligence under the GDPR
With any third parties who process personal data on your behalf, you should always have a Data Processing Addendum according to Article 28 of the GDPR.
However, actually getting them to implement appropriate technical and organisational measures to keep the data safe, and the same for their sub-processors, is more of a challenge.
There’s no guarantee that this is the case simply by signing a piece of paper. Therefore, it is important to choose data processors that are inline with data protection laws, so you could avoid headaches in the future. Under the EU and UK GDPR, data controllers can hold themselves responsible for the compliance (or non-compliance) of their processors, this is where conducting vendor due diligence comes in handy.
Why Vendor Due Diligence Is So Important?
When engaging with a third-party vendor, a company shares access to databases, access to personal data and other sensitive data. It is crucial to ensure that the vendor is capable of protecting such data, otherwise the company might be exposed to:
Privacy Risks:
The company is responsible for protecting the personal data of its employees, customers, and users even when the vendor has access to that data. A company might be exposed to legal violations and fines if it fails to engage vendors who can protect such data.
Reputational risks
It includes connecting the company’s name to misuse of personal data or exposing it to outside threats. The company may also experience a decrease in customer trust, damaged brand reputation, and reduced sales if they are associated with a vendor that has experienced a breach.
Operational risks
A vendor may mishandle or mishandle any data or personal data, which could damage the entire operation. This includes delays or unexpected issues with the system, inadequate system performance, and data breaches caused by inadequate security measures.
Information Security Risks
Security risks that vendors can pose include the mishandling of personal data, exposing the company to outside threats, and inadequate security measures that can lead to data breaches. These risks can lead to legal violations and fines for the company, a decrease in customer trust, damaged brand reputation, and reduced sales.
Financial Risks
In the event a vendor is unable to meet its commitments or provide quality services, the company may suffer financial losses. Additionally, if the company is fined for inappropriate handling of personal data, it will be subject to high fines under the GDPR – 4% of global turnover or 20 million, whichever is greater.
Read more about Vendor Due-Diligence
Vendor Assessment: Data Privacy Due-Diligence
In order to avoid such risks, companies must conduct vendor due-diligence before engaging with a vendor.
During the vendor due-diligence Process, Look Out For These Red Flags:
🚩 “Including but not limited to”
Their privacy policy includes language like “including but not limited to” before listing the elements of data types they collect. Can you trust them with your data if they can’t explain what data they collect?
🚩 “Legitimate interest” is king
The only (or most relied on) legal basis for when they’re data controllers is “legitimate interest”. This legal base should only be used in specific cases and should only be used after conducting a LIA (Legitimate Interest Assessment). And no, the vendor’s legitimate interest of profit does not outweigh a data subject’s basic right to privacy.
🚩 Roles are not clear
The vendor services are clearly that of a data processor and yet it insists that they should be considered data controllers. If they don’t have a solid explanation for that, you’d better run and find an alternative.
🚩 Vague Answers
A vendor that claims in its commercial documentation that it offers numerous processing locations. But when you ask when and where you can configure your preferences so that your data’s processing is limited to a specific location, the answers you receive are vague and avoidable. This most probably means they don’t have that option at all or it’s not ready for use. Either way, better to move on if not for the non-existing services, then for their lack of transparency.
🚩 General authorization to appoint sub-processors
They have included general authorization to appoint sub-processors without notice. You don’t want to find out later that your vendor has appointed a problematic sub-processor that might risk your relationship with your clients.
Simplify Vendor Due-Diligence Processes
Performing or undergoing vendor due-diligence can drain your resources. If you claim your company’s Privacy Passport on Trust Hub, you’ll eliminate the need for lengthy manual assessments.
The best way to avoid repetitive tasks is to showcase your company’s privacy practices.
With Trust Hub you can:
- Showcase your company’s privacy practices
- Eliminate manual assessments
- Undergo vendor due diligence faster
- Enhance customer trust
- Get a free access to hundreds of vendor risk profiles
Noa Kahalon
Noa is a certified CIPM, CIPP/E, and a Fellow of Information Privacy (FIP) from the IAPP. Her background consists of marketing, project management, operations, and law. She is the co-founder and COO of hoggo, which builds transparency around data privacy practices.