In this ‘Practical Privacy Series’ our aim is to give the benefit of our experience to those of you who may be building a privacy compliance programme for the first time. You may only have a limited understanding of data protection and privacy. Perhaps this is not your main job. Or perhaps you are relatively new to creating and maintaining data protection compliance programmes. It may be that you know the law, but you’ve never put it into practice before.
We appreciate that in these circumstances certain jobs can appear daunting. Or you may simply want the reassurance that you are on the right track, and that certain things are tricky for everyone. We hope this series gives you the confidence to get it right.
Your end goal
Your end goal is an accurate and up-to-date record of all third parties that you share personal data with. But where to start? You should already have drawn your data flows and your Article 30 Record. These will give you some idea of the major Vendors & Partners that your organisation is sharing data with.
Now what you need to do is conduct a thorough information gathering exercise.
Tips for completing your Record of Vendors & Partners
Use a questionnaire
Like most jobs in data protection compliance, this is not one you can do by yourself. You need the help of a team and you need to spread the data protection compliance message wide. When establishing and maintaining a culture of continuous privacy compliance using The Privacy Compliance Hub, we recommend setting up a cross-departmental team of Privacy Champions. It is these Privacy Champions who get questionnaires completed across your organisation. For the questions you need to ask in your questionnaire, see the list below of the information we recommend you hold in your Record of Vendors & Partners.
Use your Finance Team
An easy way to capture a large number of your Vendors & Partners is to ask your Finance Department who you are paying. At The Privacy Compliance Hub, we use an accounting package called Xero and it is very easy to export a list of every company we are paying from Xero.
Link to your agreements
If you store your executed agreements online, it is a great idea to link to them from your Record of Vendors & Partners. At The Privacy Compliance Hub we store our executed agreements in Google Drive, so our Record of Vendors & Partners links directly to all our data processing agreements and audit questionnaires.
Use the power of search
We fully recognise that a number of large processors of personal data are not the sort of companies you will have negotiated agreements with, or will have sent audit questionnaires to quizzing them on their privacy practices. Companies like Amazon, Google and Microsoft just do not respond to such an approach. In these circumstances, it can be difficult to find which online terms and conditions you have agreed to and to assess the security and privacy practices of such companies. The quickest and easiest (if not easy!) way to find the right terms and conditions and policies is a simple search on Google. From experience, we know that finding such things within the actual platforms is very difficult and time consuming.
Information needed in your Record of Vendors & Partners
The purpose of your Record of Vendors & Partners is to demonstrate that your organisation is protecting personal information, can be transparent about it, and can respond to individuals exercising their rights in relation to their personal information. For example, it should come as no surprise to individuals that your organisation uses Google Analytics on your website: you will have recorded Google Analytics as a Vendor, you will have done the necessary security checks, you will have recorded Google Analytics in your data flows and Article 30 Record, and this will have prompted you to make sure that Google Analytics is mentioned in your privacy notices.
We recommend that you have the following basic information in your Record of Vendors & Partners:
- Vendor/Partner name;
- general description of the Vendor/Partner;
- team responsible for the Vendor/Partner;
- whether the Vendor/Partner is a Controller, a Processor or a Joint Controller;
- whether an NDA has been signed with the Vendor/Partner;
- whether a commercial agreement has been signed with the Vendor/Partner;
- what personal information (if any) is being shared with the Vendor/Partner;
- where the Vendor/Partner is located;
- whether a separate data processing agreement has been entered into with the Vendor/Partner;
- whether a risk assessment has been carried out on the Vendor/Partner; and
- when the Vendor/Partner was last audited for compliance with data protection and security.
Our Record of Vendors & Partners looks something like this:
Check your Record of Vendors & Partners against your data flows
Are all the third parties that you are sharing personal information with included in your data flows? If not, consider whether you need to include them, or perhaps, create a new data flow to show how personal information flows between your organisation and the third party.
Check your Record of Vendors & Partners against your Article 30 Record
Your Article 30 Record should show which organisations you are sharing personal information with. Are all the organisations in your Record of Vendors & Partners in your Article 30 Record? If not, you need to be able to justify why not. For example, perhaps the Vendor does not process any personal information.
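The two cross-checks above, and the gaps the field list is meant to expose (a Processor receiving personal data with no data processing agreement, a Vendor never audited or not audited recently), can be run mechanically once the Record is held as structured data. The script below is an added example written for this page, not a tool from The Privacy Compliance Hub; the field names, the sample Vendors, the Article 30 recipients, the data-flow parties, the as-of date and the 365-day audit cycle are all constructed assumptions for illustration.

```python
from datetime import date, timedelta

# Constructed sample Record of Vendors & Partners. Field names follow the list
# recommended above; the entries are invented for this example, not a real record.
VENDORS = [
    {"name": "Xero", "team": "Finance", "role": "Processor",
     "personal_data": ["employee names", "bank details"], "location": "New Zealand",
     "dpa_signed": True, "risk_assessed": True, "last_audit": date(2019, 3, 1)},
    {"name": "Google Analytics", "team": "Marketing", "role": "Processor",
     "personal_data": ["IP address", "cookie identifiers"], "location": "USA",
     "dpa_signed": False, "risk_assessed": True, "last_audit": None},
    {"name": "Office Cleaning Co", "team": "Operations", "role": "Controller",
     "personal_data": [], "location": "UK",
     "dpa_signed": False, "risk_assessed": False, "last_audit": None},
    {"name": "Payroll Bureau", "team": "HR", "role": "Processor",
     "personal_data": ["salary", "NI number"], "location": "UK",
     "dpa_signed": True, "risk_assessed": True, "last_audit": date(2020, 1, 15)},
]

# Constructed: recipients named in the Article 30 Record, parties drawn in the
# data flows, and the date the reconciliation is run as of.
ARTICLE30_RECIPIENTS = {"Xero", "Google Analytics"}
DATA_FLOW_PARTIES = {"Xero", "Payroll Bureau"}
TODAY = date(2020, 6, 1)


def shares_personal_data(vendor):
    return bool(vendor["personal_data"])


def missing_from(vendors, recorded):
    """Vendors that receive personal data but are absent from another record.

    Vendors receiving no personal data are not reported, because that is the
    accepted justification for leaving them out of the Article 30 Record.
    """
    return sorted(v["name"] for v in vendors
                  if shares_personal_data(v) and v["name"] not in recorded)


def processors_without_dpa(vendors):
    """Processors receiving personal data with no data processing agreement on file."""
    return sorted(v["name"] for v in vendors
                  if v["role"] == "Processor" and shares_personal_data(v)
                  and not v["dpa_signed"])


def stale_audits(vendors, today, max_age_days=365):
    """Vendors receiving personal data that were never audited, or were audited
    more than max_age_days ago. The 365-day default is an assumed review cycle."""
    cutoff = today - timedelta(days=max_age_days)
    return sorted(v["name"] for v in vendors
                  if shares_personal_data(v)
                  and (v["last_audit"] is None or v["last_audit"] < cutoff))


def reconcile(vendors, article30, data_flows, today):
    """Run every check and return the names each one flags."""
    return {
        "not_in_article30": missing_from(vendors, article30),
        "not_in_data_flows": missing_from(vendors, data_flows),
        "processors_without_dpa": processors_without_dpa(vendors),
        "stale_audits": stale_audits(vendors, today),
    }


if __name__ == "__main__":
    for check, names in reconcile(VENDORS, ARTICLE30_RECIPIENTS,
                                  DATA_FLOW_PARTIES, TODAY).items():
        print(f"{check}: {', '.join(names) or 'none'}")
```

On the sample data this flags Payroll Bureau as missing from the Article 30 Record, Google Analytics as missing from the data flows and as a Processor with no data processing agreement, and both Google Analytics and Xero as overdue for audit. Office Cleaning Co is deliberately not flagged anywhere: it receives no personal information, which is exactly the justification the text says you need to be able to give.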
Keep your Record of Vendors & Partners up to date
You need to keep your Record of Vendors & Partners up to date. As you develop new products and processes and take on different suppliers, your Record of Vendors & Partners will need updating. This may impact your data flows and your Article 30 Record. You need a process in place to enable you to capture these changes, record them in revised Records and data flows and, perhaps, amend your privacy notices as necessary.
For example, you may decide that before a new supplier can be brought on board, or a new App or Platform signed up for, a person in your Privacy Team needs to approve it, much the same as approval is often needed from the Finance Team. At The Privacy Compliance Hub, our Route Map easily guides you through this process so that nothing is forgotten.