GDPR and Vendor Management: How to remain compliant?
Companies can’t simply outsource the responsibility of data governance and privacy compliance to their vendors. Especially under the new GDPR guidelines, companies have an obligation to conduct due diligence, have appropriate contract terms in place, and monitor the services provided by vendors to ensure they are processing data in accordance with applicable data protection regulations. If there is a violation or data breach caused by a vendor, your organization will be liable. GDPR and vendor management is essential to remain compliant.
A framework for vendor management & GDPR compliance: people, process, technology & metrics:
- identify the right people
- formulate a process for interfacing with vendors
- leverage technology to manage the process
- maintain solid metrics for internal and external compliance purposes
People: A first step is to determine who in your organization should be engaged with vendor selection and vendor management. Identify and assign someone to be accountable within each business team that utilizes vendors. This will help identify the privacy champions who are responsible for complying with company policy on vendor management and for evangelizing a culture of mindful sharing of data with vendors. While it’s great if you have a formal Vendor Management Office, the alternative may be a committee of stakeholders from the procurement/sourcing, legal, privacy, and security departments.
Process: It’s important to view vendor management as a life cycle. It begins with the strategic choice of vendors and should include a formal intake process. A common misconception is that free or click-through terms are GDPR-safe. Wrong! Any processing of personal data by a third-party vendor must be in scope with a GDPR-compliant vendor-management process, regardless of the cost of the service offering. Another common misconception is that these obligations only apply to processors managing customer data. Wrong! Processors that manage a company’s employee data must also be in scope.
Defining appropriate contractual terms, conducting security reviews, and sponsoring ongoing maintenance and monitoring are part of the cycle. The goal is consistent treatment of data by the company and its processors to maintain compliance with regulatory obligations and promises made to data subjects.
Global companies that are interested in cross-border transfer of information out of certain countries must also pay attention to outsourcing. The data protection regimes in Europe require controllers to provide direction to and monitoring of their data processors. Additionally, acceptable mechanisms for cross-border transfers of data — including binding corporate rules and the EU-U.S. Safe Harbor agreement—require companies to have adequate assurance that onward transfers of personal data will be protected by those providers and vendors. This level of assurance is also required in many of the new laws in the Asia-Pacific region, including the Australian Privacy Principles and Hong Kong’s Personal Data Privacy Amendment.
Technology: Ad hoc vendor inventory and contract record keeping is a recipe for disaster. Many companies struggle with compiling and maintaining a complete inventory of vendors and vendor contracts. This is especially true in organizations where there is no central repository of vendor contracts, or where business teams may keep (or not) copies of vendor contracts locally. Ideally, you should create have a centralized system which will not only track vendor contracts but will also provide robust reporting to flag vendors who process personal data, flag vendor-use by geography and alert stakeholders of contract terms with upcoming renewal dates.
Metrics: With the right technology platform in place, your organization will have superior visibility into your vendor management roadmap and should have no problem tracking progress and measuring milestones. This is key, because you will want to be able to create documentation which demonstrates compliance with GDPR.
Vendor management is a multi-faceted process that requires many steps to ensure accuracy and consistency. Translation and interpreting providers also have a responsibility to ensure they are following the privacy protocols of GDPR. INGCO International works hard to comply with GDPR requirements in relation to the management of all or our vendors as well as recognizing our responsibilities as a vendor to our clients. This blog is not intended as legal advice rather it is our current GDPR compliant process regarding vendor management and our intention to follow industry best practices. Contact us now to discuss your translation and interpreting needs and how we can help ensure your projects are GDPR compliant.