We know from research that managing vendors, especially software vendors, is challenging. Companies have, depending on what research you look into, somewhere between 250 and 320 apps or pieces of software on average.
30 to 40 percent of that is shadow IT, that is, software that is not officially known within the organisation.
Therefore, many of the software vendors are not really “managed” by the organisation - some research suggests that on average more than 50 % of software vendors are not managed at all.
That comes with a number of serious problems to the organisation.
Problem 1: It costs money
When organisations acquire Wired Relations, they often get a complete overview of systems and vendors for the first time. They realise that they have systems they do not use and they find two or three systems which basically do the same thing.
Therefore, they terminate a lot of systems and renegotiate others leading to cost savings throughout the organisation.
And it is not just a one-time thing. When you have an overview of systems and vendors, you are able to periodically ask whether the systems are still in use, and you can point staff interested in a certain feature to existing systems and vendors already onboarded in your organisation.
Problem 2: It is risky business
Every vendor comes with a risk to the business and your data subjects - data breaches, third-party hacker attacks and so on.
If you are not managing your vendors, you are not managing the risks they bring to your organisation. Those risks therefore go unnoticed in the business.
Luckily, it is possible to get a handle on vendor management in three steps.
Step 1: New vendor is coming in
First, you need to make sure that you have a robust workflow for onboarding new vendors and new systems.
You have to:
- Screen the vendors so that you know what they do and the risks associated with them, and get a formal go or no-go for the system.
Making your DPIA process work is the most important thing to do to make sure that you systematically screen all your vendors.
Read the article: Get a handle on the DPIA process: 7 steps to a great implementation of new systems, for more information on that important workflow.
- Use the screening as input when you negotiate the data processing agreement, which is the important next step.
Dive into that by reading: The battle of the data processing agreement.
It is all about culture
That, obviously, is easier said than done. After all, we just learned that upwards of 40 % of software is not known to the organisation, let alone to Privacy and Infosec.
The solution is creating a culture of privacy and security within the organisation.
TDC NET, a company which provides digital infrastructure in Denmark, has been able to create such a culture. No vendor and no system gets in the door without a thorough screening.
Mona Persson, head of privacy compliance at TDC NET, was nice enough to let us in on how they achieved that in a recent webinar. Listen to it here (there is a lot of inspiration for you):
If you want to dive further into how that is done, we have created a masterclass on the PIA / DPIA process that will be useful to you.
Get it here:
In the webinar we talk about how to secure buy-in and collaboration from the entire organisation - in other words: How to create a privacy and security culture.
Step 2: Vendor management at scale
Onboarding new vendors is one thing. Constantly managing the load of existing vendors at scale is another ball game.
Basically, you need to regularly do these four things:
- Audit vendors to make sure that they do what you have agreed. Read more about making vendor audits work here:
- Re-evaluate your risk assessment of the vendor to make sure that you are still managing the risks of that particular vendor. Read more about effective risk management here.
- DPA renewal: Every once in a while you need to revisit your data processing agreements to make sure that they are still suitable for your purpose. Your audits and risk assessments are great input for that.
- As a by-product of being in regular communication with your vendors, you will be able to keep your compliance documentation up to date. Vendors do go bankrupt, merge or are acquired by other companies - or they just move or lay off your contact there.
I believe that the most important step to making regular vendor management at scale work is… a robust task management system. Every time a new vendor comes in, you need to make recurring tasks for auditing, re-evaluating risk, DPA renegotiation etc.
Step 3: Exit
When we discover software that is no longer in use, it is because organisations are often bad at terminating apps that have gone out of use.
At Wired Relations, at least every year, we are asked: “Do you still use this piece of software?” We are able to do that because we have a register of our systems and vendors.
We are actually pretty good at terminating software we do not use; however, we still find things. It is also always a great reminder that we should ask ourselves: “Do we really need this?”
Reach out
These are the processes that need to work for great vendor management. We are pretty sure that you are already great at some of it, making some of it work, and need to improve on some issues. If you want to talk to us about it - and see how Wired Relations supports it
Efficient vendor management
This e-book is your guide to mastering the vendor lifecycle. From selecting the right partners and smooth onboarding to sustained engagement and thoughtful disengagement.