Data Privacy and Security of your Vendors

Data privacy and security extends beyond your company. It actually forwards to all of your vendors, services providers, third party apps, and anyone else that processes (or handles) your data – whether an advertising platform, email provider, marketing technology, or even your appointment booking system.

It is up to you to hold your vendors to an appropriate data privacy and security standard. So how do you do that? Here are three possible ways that may be combined with each other.

  1. Third Party Audits. If your vendor is on top of their stuff, they have already thought of this and have undergone an ISO 27001 certification, or have a SOC 2 report that you can review. ISO 27001 and SOC 2 involves outside auditors putting your vendor through a rigorous audit to make sure they are following data security best practices, and certifying them. These are expensive endeavors, so you’ll usually see this from larger or more established companies.
  2. Vendor Security Assessment. If your vendor hasn’t gone through these audits, you can put them through a Vendor Security Assessment (VSA) – which is essentially an extensive Excel spreadsheet (or, if they’re modern, software!) that asks all sorts of questions about how your vendor approaches data security. Here’s what goes into a VSA:
    1. Identifying Information. Who are they? What do they do? Who is your main point of contact for data security at the organization (such as a Security Officer, or attorney)? How do you get in touch with them? Get all the requisite information and have it handy in case something goes wrong.
    2. Security Standard Questions. Basic Vendor Security Assessments usually have over 100 questions about security standards – and, unfortunately, this blog post will not be covering all of them. Questions include several categories, including how the vendor manages physical security, approach asset management, whether they conduct risk assessments, whether they train their workforce on data security standards, what kind of protective technologies they have in place, and the list goes on and on.
    3. Privacy Standard Questions. Much like the section about security standards – Basic Vendor Security Assessments have over 60 questions about privacy standards. These questions include several categories, including how your vendor determines their legal bases to collect data, if they have a chief privacy officer, if they stay on top of data privacy regulations, if they establish privacy roles within the company, how they manage data quality and integrity, how they handle data minimization and retention, and whether they enter into contractual agreements with their vendors about data privacy and security.
  3. Legal Agreements. Your vendors can also sign a separate legal agreement that may be required by specific data privacy regulations – such as:
    1. Business Associate Agreements for HIPAA.
    2. Data Processing Agreements for GDPR.
    3. Your own custom data privacy agreement, set forth by policy by your organization to hold your vendors to certain standards and requirements.

Let us Help

This post is just a high level overview of how you can ensure the Data Privacy and Security standards of your Vendors. There are many more nuances and specifics around this.

Kader Law can help you put your vendors through security assessments, and help you ensure that your vendors have their stuff together. If you need legal assistance, feel free to contact us.

This post is not legal advice, and does not establish any attorney client privilege between Law Office of K.S. Kader, PLLC and you, the reader.