It takes a team of singers to make a choir. One single individual can’t make an orchestra performance. You need the drummers, trumpeters, and singers. Without a careful combination of these characters, the output of the band might be mediocre.
In the same vein, without an accurate vendor management methodology, a company’s data protection framework is incomplete. In complying with the Nigerian Data Protection Regulation, companies must monitor vendor activities.
Vendors usually fall under the category of data processor. They act under the instructions of the data controllers. In most cases, their services or products help the data controller complete contractual obligations to their customers. And, as such, they become a quasi-extension of the company.
Data controllers must carry out some crucial steps before employing the services of a vendor. What are these steps?
The first area the data controller wants to check is the reputation of the vendor. The company should contact references, do its research and ask tough questions about the vendor before engaging its services. Imagine a bank that employed the services of a vendor without checking the history of the company and only later found out that a team of hackers managed that particular vendor. Consequently, the bank paid for not doing its homework in vetting the company.
What is the current financial condition of the company and, most importantly, what type of insurance coverage does it have? Understanding the financial position of the vendor is essential. The type of insurance the vendor holds will also help inform your company whether you are actually in contract with the right vendor.
Another important aspect the data controller should check is the vendor’s information security protocols. Does the vendor have the right encryption methodologies, firewalls and other controls for the protection of information at rest and in transit? As a data controller, you want a vendor who holds your customers’ data to have the right security methodologies. Failure to verify this information might expose the data controller to data breaches.
Upon the termination of the contract with the vendor, what are the methods of disposing of information? Is the vendor clear on what the right disposal methods are? The data controller should agree with the vendor through a contract on the correct disposal methods.
Your company also wants to find out whether the vendor has trained its employees about data protection and, more importantly, whether they know their roles and responsibilities with regard to ensuring that data is not misused or transferred haphazardly. What type of access do the vendor’s staff have to customer data, and do they access data on a need-to-know basis? The company employing a vendor could sometimes go the extra mile to ensure that the vendor and its representatives receive appropriate training.
When there is a breach, the vendor should be able to assist in the management of the incident. Have you, as a company, carried out the necessary checks to confirm that the vendor can handle security incidents or breaches?
Above all, the controller must ensure that there is a contract that lists out the privacy protections and requirements. The statement of work and service level agreements between the controller and the vendor must state each party’s data privacy responsibilities. Furthermore, contracts should set out what constitutes a breach of those obligations and the consequences for breaking data privacy promises.
To conclude, most companies need vendors to execute their services. A bank might use a vendor to ensure that customers get their cards or tokens. As such, that bank needs to ensure that it does a thorough check before employing the services of that particular company. To build a complete data protection framework, data controllers must ensure that every aspect of their company’s data privacy framework covers vendor assessment.