- Identify vendors through completing data inventory
- Tier vendors according to risk level
- Mitigate vendor risk
- Periodic review
This Vendor Privacy Assessment Quick Guide is designed to help you begin the vendor privacy assessment process. Note that this assessment is limited to the privacy aspects of vendor management, and should be considered part of a broader vendor management strategy. This guide may be used to assess third party vendors that collect, share, sell, or otherwise obtain the organization’s personal information.
Identify vendors through completing data inventory
- The data inventory should identify the vendors with whom the organization shares personal information, which categories of personal information are shared with those third parties and when, how the information is shared, and the purposes of sharing.
- Once the vendors have been identified, interviews with key stakeholders should be conducted to document the personal information involved in the third party relationship. Ask the following:
  - Which business processes share personal information with any third party vendors?
  - [CCPA] Consider whether CCPA applies - does any of the personal information shared with vendors belong to California residents?
  - [GDPR] Consider whether GDPR applies - does any of the personal information shared with vendors belong to individuals located in the European Economic Area (EEA)?
  - What is the volume of information being shared with or sold to the vendor?
Tier vendors according to risk level
- Identify which vendors are high-risk, medium-risk, or low-risk.
- Consider which vendors engage in high-risk processing, such as processing sensitive personal information (including personal information about children), processing high volumes of personal information, or selling personal information to third parties.
- Consider whether data protection agreements and specific contractual obligations exist for certain vendors due to requirements of additional regulations (e.g. CCPA or GDPR).
- Evaluate whether any vendors have been engaged without completing a security questionnaire.
- Prioritize compliance efforts with high-risk vendors.
Mitigate vendor risk
- Determine whether a contract exists between the organization and the vendor that addresses the sharing and use of personal information. If a contract does not exist, take steps to put one in place.
- Determine whether any specific language must be added to any existing contracts.
  - [CCPA] Contracts must include language prohibiting the vendor from retaining, using or disclosing personal information for any purpose other than as needed to perform the services specified in the contract.
  - [CCPA] Ensure the contract is explicit about whether personal information is being sold to the third party, as different obligations apply to the sale of personal information. If the vendor is acting as a service provider to your organization, the contract should state the third party is prohibited from selling personal information.
  - [GDPR] Ensure all of the Article 28 required restrictions and obligations with respect to third party service providers are included in your vendor contract or supplemental data processing agreement. Refer to the Data Processing Agreement Checklist for a description of required restrictions and obligations.
- Utilize a data processing agreement checklist for all vendor contracts moving forward.
- Perform a due diligence assessment of vendors.
  - Perform vendor screening and verify the identity of each vendor.
  - Identify whether any vendor relationships present reputational, strategic, or transactional risks.
  - Evaluate the security practices of each third party vendor, ensuring that an appropriate level of technical and administrative security measures is in place to protect the personal information disclosed to the vendor.
  - Identify whether any ongoing oversight or auditing will be required as part of the vendor relationship.
Periodic review
- A vendor management program should undergo periodic review as the vendor relationships change over time. For general alignment with leading global regulatory requirements such as GDPR and CCPA, we recommend this review takes place annually.