5 Essential Questions to Ask Vendors About Privacy
We suggest asking any vendor (at least) these essential questions about privacy before you share a byte:
What Data Do You Need, Why Do You Need It, & How Will You Use It?
In today’s cyber risk landscape, it’s essential that you only share the data and personal information that you absolutely need to with third-party vendors (and that’s assuming you have consent or a legitimate reason to share it in the first place).
Prior to disclosing any information to a third-party vendor, ask what specific data they require to fulfill the purpose for which you are sharing it with them. They should be able to provide a short list of the specific data categories requested, alongside the reason(s) they need each one and how it will be used. Their reasons for collecting the data should be sound, but you should also investigate whether they could perform their functions adequately without the data.
This question also sheds light on the privacy practices and attitude of the vendor. If they don’t have a good answer as to why they are collecting certain data, or their purposes for collection aren’t justifiable, then there’s a good chance their privacy hygiene is generally poor. This should act as a flag to move on and look to another vendor.
Will You Share Our Data with Anyone – & If So, Why & With Whom?
Your organization is ultimately responsible for what happens to the data it collects and shares with others. So, it’s essential you know if your vendors are sharing data with other parties.
At a minimum, you should ask your third-party vendors:
- If you engage sub-vendors, what is the purpose of that engagement? And what is their role in relation to the data and personal information we share with you?
- Can you provide a complete list of those sub-vendors and the data/personal information you will share with them?
- How do you ensure they adhere to the same privacy standards as you? And how will they protect us and the personal information and data we share?
If the vendor you choose has lax standards in relation to its sub-vendors, you can:
- Select a different vendor; or
- Require them to not share your data/personal information with any third parties without prior approval; and
- Make it a contractual clause that they integrate minimum privacy standards in any sub-vendor contracts.
How Do You Manage Privacy Risks Relating to Our Data Internally?
This question essentially asks the third-party vendor about their culture of privacy. It requires them to outline what processes and procedures they have in place to protect your data.
Ideally, they will be able to supply their documented processes alongside information about their regular privacy training.
What Does Your Data Deletion Process Look Like?
While your third-party vendor contract should include clauses that outline the requirements for data deletion and destruction at the end of the contract, it’s still valuable to ask about the company’s data deletion processes.
You should consider how often they delete the data, whether it could be deleted or destroyed more often, and whether there are any gaps in their process. It’s also helpful to ask how they ensure all the data is deleted or destroyed, how long the process takes, and whether this can be done upon request or if it is contingent on any other factors.
If Our Data Is Breached, How Do We Manage the Risks and Recovery Together?
Given the legal, financial, and reputational risks to your company, it’s important that you have some control over the response to a third-party data breach. How closely you and the vendor coordinate that response depends on your risk appetite and the type(s) of data you share with them – sensitive data should warrant a more hands-on approach than, say, someone’s full name and address.
In any event, companies should prepare for a data breach with their vendor, including routine response simulations. Equally, your vendor contracts should require vendors to communicate transparently and to enact the agreed response in the event of a data breach.
If your company needs help managing its third-party data risk, reach out. Our privacy attorneys would love to work with you.
The materials available at this website are for informational purposes only and not for the purpose of providing legal advice. You should contact your attorney to obtain advice with respect to any particular issue or problem. Use of and access to this website or any of the e-mail links contained within the site do not create an attorney-client relationship between CGL and the user or browser. The opinions expressed at or through this site are the opinions of the individual author and may not reflect the opinions of the firm or any individual attorney.