How to vet your vendors: Ensuring data privacy and security compliance


Big data has big implications for businesses thanks to its unique ability to provide the information needed to scale and succeed.

But as data usage grows, issues of data security, privacy and compliance have come into focus, capturing the attention of both customers and regulators. As a result, strict regulations like the GDPR and CCPA have been introduced to dictate standards for companies that wish to operate both locally and internationally.

While this means that more businesses are taking data compliance more seriously, what many still overlook is the data privacy measures and compliance record of their third-party vendors — often only considering them at the last stage of the procurement process. This can lead to a nasty surprise for businesses that must still rely on the data compliance of their vendors: A vendor’s lack of compliance can compromise a business’ own.

In other words, it’s not enough for companies to ensure their own data compliance. They have a responsibility to make sure that their vendors are compliant as well. Here’s why and how businesses should vet their third-party vendors before working with them.

The nature of vendor data compliance

Third-party vendors’ data and compliance, or the lack thereof, can hurt organizations’ own compliance with data-related regulations, potentially with a significant negative impact on their business.

Why exactly? Incomplete, inaccurate or noncompliant data, regardless of where it comes from, can quickly lead to poorly informed strategic and operational decisions which can erode a company’s productivity, reputation and bottom line.

For example, if your sales teams are operating according to bad data — reaching out to people who don’t wish to be contacted, are no longer relevant or have outdated contact information — it becomes very easy to waste effort, lose time and money and even damage a brand’s reputation. And because companies can be held accountable and fined for compliance breaches for their use of data, it is important to use a trustworthy and compliant vendor.

What organizations can do about it

A company’s compliance record is only as strong as its weakest link, so organizations must vet and approve any potential vendors and partners before signing on to work with them, as well as assess their existing vendors to confirm that they are data compliant.

To do so, organizations must ask the right questions and take the following precautions:

First, make sure your vendors meet the requirements of any necessary regulations or certifications, such as GDPR, CCPA, ISO, TRUSTe and IAPP; the more, the better. This not only proves that a company takes data privacy seriously, it also widens the scope of where and how data can be used (GDPR compliance = EU reach).

Once certifications are checked, organizations must understand how a given vendor uses its data. Is it providing temporary access to licensed data or selling this data indefinitely? Does it sell customer data to third parties? Where is it getting its data from, and how is it collected and stored? A vendor that can’t keep its data sharing and usage practices above board can’t necessarily be trusted to be honest about or meet requirements for compliance.

Adherence and compliance through data infrastructure and security measures

Equally important is ensuring that vendors actually adhere to regulatory requirements, and checking what data privacy infrastructure and security measures they have in place. Do they employ permission and user access controls, employee security awareness, patch management, system configuration management and periodic penetration testing?

How do they handle data subject concerns? Do they notify new data subjects? Is there an opt-in/opt-out feature? Are databases accurate, and are they updated regularly based on customer feedback and privacy requests?

If the answers to these sorts of questions are consistently “no,” then it may be time to look elsewhere.

The right data security and privacy mindset

Finally, ask about the organization’s overall mindset and handling of data security and privacy. Have they made it a priority across their organization? Do ALL employees receive data and privacy-related training, even if the entire team doesn’t work on those issues directly? A third-party partner that goes above and beyond in this capacity will make for a more reliable and proactive partner across the board.

Decision makers shouldn’t be afraid to ask pointed questions and express concerns when vetting new and existing vendors — asking these types of questions and acting accordingly are key to upholding privacy principles like purpose limitation. The vendors and partners a company chooses to work with can have a significant impact on success, so it is critical to ensure that these partners are reliable from a data perspective, and of course, beyond.

Likewise, when courting potential vendors, a lack of transparency regarding any of the above issues should be a major red flag and lead to a re-evaluation of the relationship.

Business as usual in the data age

We live in an age where data security and privacy are not a “nice to have.” They are a must, especially because data itself is a must. So, if organizations want to operate in the global economy safely and successfully, they must make data-related issues a top priority. This applies to both their internal data procedures and those of their vendors.

By asking the right questions and ensuring that their partners are as dedicated to data compliance as they are, organizations can earn the peace of mind that their business operations are fully up to standard and compliant.

Assaf Eisenstein is cofounder and President of Lusha.
