Managing third parties can be a challenge, especially when it comes to privacy practices. How stringent your organization’s privacy practices must be will vary by industry vertical, but it is not a far stretch to assume that no company wants to be known for mishandling customer data. How, then, can you ensure that your vendors are meeting your expectations for the safe handling of data, in conformance with your approved privacy practices?
Step 1: Communicate
Requirements for privacy practices must be clearly communicated. If possible, include these requirements in the contract to ensure a higher likelihood of conformance. If the vendor won’t agree to additional contractual terms, then use another documented method of communication, such as a memorandum of understanding, or at least a formal memo with a read receipt or written acknowledgement, so that there is a record of what was required and when the vendor received it. Your organization’s reputation is on the line, and it therefore needs to take reasonable measures to protect itself against reputational harm from inadequate privacy protections. It is not unreasonable to formally communicate these expectations to your vendors, and doing so is imperative for enforcement: you cannot hold a vendor to a requirement you cannot show they were told about.
Step 2: Audit
You have clearly communicated the expected level of performance. Maybe you were able to bake the terms into the contract, or maybe they have simply been stated. In either case, it is then important to follow up and confirm that the vendor’s actual practices align with your expectations. Auditing policies and practices lets your vendor know that you take these terms seriously. It also provides a mechanism for detecting a failure to comply. In most cases, issuing assessment questionnaires to the vendor on a regular basis will be sufficient, but keep in mind that a questionnaire is a self-attestation: it tells you what the vendor says they do, not what they actually do. Spot-checking beyond questionnaires and written policies, by asking for evidence that a stated control is in place, is therefore also important toward confirming that they do what they claim.
Step 3: Enforce
Is your vendor failing to meet expectations? Hold them accountable. If the requirements were included as terms in the contract, then there are potentially grounds for pursuing a breach-of-contract claim. If the requirements were communicated but never contractually agreed to, then it may be time to shop for a new vendor. Or, maybe your organization will decide that the vendor’s services are more important than the requirements, at which point the privacy practice should be revised to reflect the priorities of the business, rather than left on paper as a requirement nobody enforces. In all cases, however, it is imperative to be consistent and clear with enforcement and accountability. The entire program should be executed in alignment with the enterprise risk management program, so that all risk factors are properly accounted for and so that decisions and requirements conform to the needs and priorities of the business.