Vendor Management and Privacy By Design: Part 1
If you rely on a one-sided approach to contracts, you may be hurting yourself. While it may not be evident at the beginning of a relationship, the way you treat your Vendors is likely to affect how you will be treated when an incident occurs. For example, it may affect the information you receive following a breach, even when that breach impacts your business.
In this article, we are going to talk about a standard Vendor process. The next part will focus on the impact of ISO Standards, the U.S. cybersecurity order, and how Privacy by Design can be leveraged to create solid Vendor relationships.
Vendor relationships are a multi-directional challenge. On one hand, the company acquiring the service (“Client”) is looking to ensure that the company providing the solution (“Vendor”) will remain in compliance with different laws, regulations, and standards during the engagement; on the other hand, Vendors want to make sure that they are contractually obligated to the minimum required standards of compliance, ideally only to those existing at the time of the agreement.
Clients and Vendors are often intimidated by the idea of accountability[1] and the risks that come from it. While accountability is absolutely a key component of any privacy framework and the cornerstone of PIPEDA’s fair information principles, a collaborative approach to Vendor management would suggest that, prior to focusing on accountability, applying Privacy by Design’s “Proactive, not Reactive” principle to Vendor relationships would prove more beneficial. If you think about it, by implementing this principle, all the remaining Privacy by Design principles would be addressed.
As opposed to assigning blame from the start, an idea that is often linked to accountability, collaboratively and proactively approaching privacy and security matters will create a trust environment from which accountability will follow if expectations have been clearly stated by the parties. The “Proactive, not Reactive” principle is highly representative of due diligence, the basic accountability standard.
In this article, we will analyze a typical procurement process as part of a privacy management program. What we will see is that existing contractual gaps could be solved using Privacy by Design principles throughout the development and subsequent management of Vendor relationships.
Privacy by Design may assist in building business processes that lead to collaborative Vendor relationships. While this topic has been minimally addressed by some privacy frameworks, there are limitations to what an objective set of guidelines are able to provide. The power of human relationships tends to be undervalued or ignored when it comes to using it to improve privacy compliance, regardless of the fact that user reaction to a lack of or insufficient privacy protection is instinctive and emotional.
Standard Vendor Process
We are going to talk about the standard Vendor process because contracts are a key component of privacy programs. They permit the identification of data to be shared with Vendors, measures to be taken to protect personal information, privacy and security standards to be followed, change management, and, in some cases, they shed light about communication channels between the parties. Overall, they set an accountability standard that will guide the relationship and showcase power balance or imbalance.
When it comes to Vendor relationships, contract negotiations tend to focus heavily on the Vendor’s security posture without considering why certain controls are required in the first place: to protect personal information, confidential information, and intellectual property assets. In many cases, this happens because contract, legal, and compliance teams don’t have a thorough understanding of which measures (security and otherwise) would be “adequate” to protect the organization in the specific context of the agreement. Consider here how useful Privacy Embedded into Design of business practices could be to manage challenging Vendor relationships.
The type of risk management conducted by legal teams may not necessarily reflect technology capabilities and limitations. As an example, even though Vendors are contractually obligated to implement “industry standard” protective measures, barely anyone really knows what “industry standard” means. This is usually reflected in the generic definitions provided in standard contracts. How does this represent the principle of Respect for User Privacy? How can we contractually protect it if not everybody has the same understanding of key issues?
A problematic area is that lawyers, including in-house counsel, aren’t always aware of the operational implications of implementing certain third-party services, or they simply don’t handle data breaches from that (operational) point of view, which prevents them from seeing how standard contractual clauses may be impairing the company’s ability to assess a particular situation (Visibility and Transparency). As a result, contracts often reflect the language suggested by different regulators, notwithstanding that, in many cases, what is needed to comply actually goes beyond those recommendations (e.g., the information that service providers are required to share with a company (Client) when a breach has taken place).
A common Vendor process is depicted below. Usually, the tone of the Client-Vendor relationship is set before the agreement is negotiated.
a) The Issues
Throughout this process, some stages are riskier than others (highlighted in red):
- Initial conversations between Client and Vendor allow the parties to identify if they can work together. This is often done through a sales person on the Vendor side. Sales people are exclusively focused on making a sale; therefore, they will tell the potential Client what it is expecting to hear, regardless of the consequences.
- The Vendor risk management questionnaire is a way to identify the Vendor’s risk profile so that the Client may decide whether it is capable of mitigating the risk or willing to take it. The questionnaire tends to focus on cybersecurity posture, which is absolutely necessary, but may be poorly conducted without the proper context.
- A key component to a solid questionnaire strategy is to involve a multi-disciplinary team to review the questionnaire in light of the risk posed by the Vendor service (IT, risk management, compliance, privacy office, and contract management teams should provide feedback); this means that in order to ensure questionnaire relevance, every Vendor needs to be pre-assessed based on the service to be provided.
- In addition, it is important for the organization to clearly define if it intends to rely on the questionnaire during the contractual stage (i.e., by incorporating the questionnaire as a schedule to the contract) so that the appropriate language is added to the questionnaire and to the contract.
- The questionnaire may have to be revisited once the parties have agreed about contract language and applicable privacy and cybersecurity standards. A review should be performed each year, or within a shorter period if the Vendor will be providing additional services.
- Due to cost concerns, the annual audit has become a clause that every Client wants to have but almost nobody can implement. This clause is mostly useful for corporations that can afford a third-party penetration testing service or a full audit.
- Discussions about service level agreements, improvements to the service and updates to privacy and security measures are time consuming and can have a negative impact on the relationship where not properly managed. A collaborative approach where each party bears in mind what is at stake for the other is crucial to reach an understanding.
- Pricing increases can be extremely complex whether or not the parties have a formula in place to calculate them, especially when the Client is demanding improvements to the service or to privacy or security measures. Clients must be aware that compliance comes at a cost, and improving existing controls may not be feasible for smaller Vendors, which could mean a break in the relationship unless the Client is willing to pay higher fees or reach a different kind of agreement. Offboarding Vendors can be tedious and expensive, so Clients often do their best to keep relationships steady. A balanced approach is necessary.
b) Thoughts on How to Approach the Issues
From the above, it follows that:
- There is value in having conversations with a potential service provider’s team beyond its sales people. It is a good idea to push for that, because asking the right questions can reveal what the Vendor can and cannot provide, what the relevant areas for improvement are, and what the impact on the Client is.
- The standard Vendor questionnaire should be customized for each Vendor, using input from the teams that may be impacted by the service. This questionnaire should address operational concerns related to privacy: how the Vendor is going to support access requests, requests to be forgotten, and data corrections; what its timeframe commitment is; and which privacy framework the Vendor adheres to. That said, the questionnaire should be confirmed through “informal” conversations about the way in which the Vendor addresses privacy, because those conversations will provide input into the veracity of what the Vendor indicated in the questionnaire.
- It is ideal to have an audit clause in your contract; however, if the Client knows that it won’t be implemented, it is worth considering what other measures are feasible. For example, once every six months there could be a meeting between the security and infrastructure teams of Client and Vendor to discuss challenges, brainstorm improvement ideas, and put together a roadmap to implement them.
- In relation to pricing challenges, the parties should address them from the negotiation stage, so it is clear that the Vendor will commit to implementing changes but that there might be extra costs when a Client demands compliance improvements above and beyond legal/regulatory standards.
[1] In 2020, the Centre for Information Policy Leadership published a very interesting report called “The Central Role of Organisational Accountability in Data Privacy”, where it shared the CIPL Accountability Framework, which is based on 7 elements: 1. Leadership and oversight, 2. Risk assessment, 3. Policies and procedures, 4. Transparency, 5. Training and awareness, 6. Monitoring and verification, and 7. Response and enforcement.