How to vet your vendors: Ensuring data privacy and security compliance

Big data has big implications for businesses thanks to its unique ability to provide the information needed to scale and succeed.

But as data usage grows, issues of data security, privacy and compliance have come into focus, capturing the attention of both customers and regulators. As a result, strict regulations like the GDPR and CCPA have been introduced to dictate standards for companies that wish to operate both locally and internationally.

While this means that more businesses are taking data compliance more seriously, what many still overlook is the data privacy measures and compliance record of their third-party vendors — often only considering them at the last stage of the procurement process. This can lead to a nasty surprise for businesses that must still rely on the data compliance of their vendors: A vendor’s lack of compliance can compromise a business’ own.

In other words, it’s not enough for companies to ensure their own data compliance. They have a responsibility to make sure that their vendors are compliant as well. Here’s why and how businesses should vet their third-party vendors before working with them.

The nature of vendor data compliance

Third-party vendors’ data and compliance, or the lack thereof, can hurt organizations’ own compliance with data-related regulations, potentially with a significant negative impact on their business.

Why exactly? Incomplete, inaccurate or noncompliant data, regardless of where it comes from, can quickly lead to poorly informed strategic and operational decisions which can erode a company’s productivity, reputation and bottom line.

For example, if your sales teams are operating according to bad data — reaching out to people who don’t wish to be contacted, are no longer relevant or have outdated contact information — it becomes very easy to waste effort, lose time and money and even damage a brand’s reputation. And because companies can be held accountable and fined for compliance breaches for their use of data, it is important to use a trustworthy and compliant vendor.

What organizations can do about it

A company’s compliance record is only as strong as its weakest link, so they must vet and approve any potential vendors and partners before signing on to work with them, as well as assess their existing vendors to confirm that they are data compliant.

To do so, organizations must ask the right questions and take the following precautions:

First, make sure your vendors meet the requirements of any necessary regulations or certifications, such as GDPR, CCPA, ISO, TRUST-e and IAPP, and the more, the better. This not only proves that a company takes data privacy seriously, it widens the scope of where and how data can be used (GPDR compliancy = EU reach).

Once certifications are checked, organizations must understand how a given vendor uses its data. Is it providing temporary access to licensed data or selling this data indefinitely? Does it sell customer data to third parties? Where is it getting its data from, and how is it collected and stored? A vendor that can’t keep its data sharing and usage practices above board can’t necessarily be trusted to be honest about or meet requirements for compliance.

Adherence and compliance through data infrastructure and security measures

Equally as important is ensuring that the vendors actually adhere to regulatory requirements and checking what data privacy infrastructure and security measures they have in place. Do they employ permission and user access controls, employee security awareness, patch management, system configuration management and periodic penetration testing?

How do they handle data subject concerns? Do they notify new data subjects? Is there an opt-in/opt-out feature? Are databases accurate, and are they updated regularly based on customer feedback and privacy requests?

If the answers to these sorts of questions are consistently “no,” then it may be time to look elsewhere.

The right data security and privacy mindset

Finally, ask about the organization’s overall mindset and handling of data security and privacy. Have they made it a priority across their organization? Do ALL employees receive data and privacy-related training, even if the entire team doesn’t work on those issues directly? A third-party partner that goes above and beyond in this capacity will make for a more reliable and proactive partner across the board.

Decision makers shouldn’t be afraid to ask pointed questions and express concerns when vetting new and existing vendors — asking these types of questions and acting accordingly are key to upholding privacy principles like purpose limitation. The vendors and partners a company chooses to work with can have a significant impact on success, so it is critical to ensure that these partners are reliable from a data perspective, and of course, beyond.

Likewise, when courting potential vendors, a lack of transparency regarding any of the above issues should be a major red flag and lead to a re-evaluation of the relationship.

Business as usual in the data age

We live in an age where data security and privacy are not a “nice to have.” They are a must, especially because data itself is a must. So, if organizations want to operate in the global economy safely and successfully, they must make data-related issues a top priority. This applies to both their internal data procedures and those of their vendors.

By asking the right questions and ensuring that their partners are as dedicated to data compliance as they are, organizations can earn the peace of mind that their business operations are fully up to standard and compliant.

Assaf Eisenstein is cofounder and President of Lusha.