Your 10 biggest vendor management headaches - and how to solve them.

By Jacob Høedt Larsen
July 8, 2024

Vendor management can be a pain. There is no really good data, but studies suggest that an average company has somewhere between 250 and 320 systems (and therefore a large number of vendors). However, I’ve been in touch with many organisations where even that much is unknown: they know some of their vendors, but not all of them.

Headache no. 1: I don’t know the vendors

“How many vendors do we have?” That should be an easy question to answer, and the answer should be pretty specific.

We should know:

  1. How many digital vendors we have,
  2. Who they are and
  3. If they are data processors.

The solution is the three S’s: System owner, Structure, System.

  1. Every system in your organisation must have an owner, and he or she should also be responsible for knowing the vendor.
  2. To pull that off, you need structure: a framework that makes it easy for the system owner to know what information you need about the vendor. See an example of such a framework here.
  3. The easiest way to set that up is to have a dedicated GRC solution that makes collaboration easy through a great task management system.

But hey. How do I find the system owners?

Let’s proceed to headache no. 2.

Headache no. 2: Who is buying IT? Or “I’m just testing something.”

When I asked “What is your biggest headache when it comes to vendor management?” on LinkedIn, someone said:

“When everyone is "just trying out the tool" and your business ends up with 678 tools.”

That is probably the compliance pain I hear most often. Data protection is not involved when the business units buy new IT services.

It has a name: Shadow IT, and it is often estimated that 30-40 % of IT spending is shadow IT. A lot of vendors are effectively marketing to end users within companies. Your colleagues will use productivity tools like Trello, store things in Dropbox and communicate with their team through WhatsApp - and they will pay with their credit card.

So, what is the solution?

I think it’s threefold:

  1. Team up with IT: You are not alone in this one. IT and infosec also want to know. Maybe, they even have a technical solution for some of it.
  2. Be curious: Go talk to people in the organisation and be curious about how they do their jobs and what tools they use.
  3. Create a data protection culture: This is the hardest part. For great advice on doing it, listen to this webinar with TDC NET.

Headache no. 3: I’m not involved when a new vendor is vetted

A side effect of not knowing that new software is coming into the organisation is that many privacy and data protection people are not involved in vetting the vendor.

That is an obvious problem.

The solution is getting yourself out into the organisation to do the things described in headache no. 2. You have to be visible and sell data protection. It’s a cultural thing.

Headache no. 4: So, you want me to negotiate a data processing agreement, when we’ve already bought the system?

Your marketing manager just signed a three-year deal for a new Software as a Service tool - and paid in advance.

Now your job is to negotiate the data processing agreement.

You just have a few extra demands for their security and breach notification, and some amendments in connection with international transfers…

... but for some reason, they do not even respond to your e-mails.

It would probably be easier to negotiate that BEFORE signing the main agreement. Some would even say you have a snowball’s chance in hell of getting your amendments into the agreement afterwards.

But. You need to try, so we wrote an article about just that…

Headache no. 5: I don’t believe my vendor information is up to date

One thing is getting an overview of all your vendors. Another is keeping it up to date.

The thing is: if you have 200-300 vendors, chances are that some of them will go bankrupt, be acquired by another company, change their contact information, etc.

Can you trust your vendor information? Too many can’t.

The solution is fairly simple.

  1. Be in dialogue with your vendors on a regular basis,
  2. Ask them to update their information and
  3. Have a centralised system where information is kept up to date.

By the way: This could be the job of the system owner.

Headache no. 6: Do we use the services of this vendor?

More than 60 % never use their gym membership - but still pay every month.

Some studies suggest that it is more or less the same with software, and probably for much the same reasons: someone thought she wanted it and never got around to cancelling it when she didn’t use it.

We don’t know for sure. However, when our customers begin using Wired Relations and get an overview of their systems and vendors, it is not uncommon that they realise they are paying for 10, 20 or even 30 systems that they do not use.

Those systems, obviously, pose both a cost and a risk to the company.

The solution again is simple, though not easy.

  1. Have system owners and,
  2. Regularly ask them if the system is still in use (a great time is when you are auditing the system).

Headache no. 7: Who are my critical vendors?

Some of your 250 vendors are more critical than others.

To information security, the critical vendors are those posing the biggest risk to the company.

To you, the data protection people, they are those posing the biggest risk to the data subjects.

In any case, risk assessments are the way to go. Assessing the risks that your vendors pose to your data subjects will give you an overview of which vendors are most critical for you to keep an eye on.

See more about risk management here.

Headache no. 8: Communicating with the vendor

As you can see, communication is key to vendor management.

However, many data protection pros have a hard time getting that dialogue rolling. When they ask simple questions, they never hear back from vendors. And maybe they even forget that they ever asked.

This is not easy. However, a good structure around the communication goes a long way towards making it easier, and vendor audits are truly central to it.

Let’s proceed to headache no. 9.

Headache no. 9: Auditing my 250 vendors

If the Jeopardy answer is “Something data protection people hate”, the question could well be “What are vendor audits?”

The reason: lots of manual labour, no overview of who actually answered the questionnaire, checking your e-mail four times an hour to see if the last ones have answered, and sending out reminders.

It’s just an uphill battle.

The answer is structure.

See how vendor audits can be structured right here.

Headache no. 10: What is my job here – and what should I stay away from?

I once spoke to a head of IT. He was so sick of people asking him how to mail merge in Word or create a macro in Excel.

The reasoning was always the same: “It’s on the computer. You’re IT. You must know.”

If we, in data protection, get a great vendor management workflow up and running, we run the risk of getting TOO involved.

In a helicopter view, vendor management is:

  1. Selection and Evaluation
  2. Contract Negotiation
  3. Performance Monitoring
  4. Risk Management
  5. Relationship Management
  6. Cost Management

Most of that process should be anchored with the business, IT and information security. However, if you are great at doing what you do, you could potentially be asked to:

  • Find potential vendors
  • Evaluate their performance
  • Negotiate the contract
  • Make sure the contract is being terminated when the system is not used
  • Renegotiate terms yearly to cut costs.

And. That is probably something you should stay away from.

Having system owners (who are not data protection) is key to making sure that you focus on the data protection issues, not everything else.

In summary

Vendor management is a big task in data protection. However, a few things can make it a whole lot easier:

  1. Having system owners do much of the work,
  2. Having a great, centralised structure, so that everybody knows what information you need, and
  3. Being in constant communication with your system owners and (often through them) your vendors.

... The painkiller

At Wired Relations we aim to kill your vendor management pains (and other compliance related headaches). Book a demo to see how.

Great vendor management depends on governance: In this webinar, we talk to TDC NET about how good governance can build a great privacy culture. You'll get great inspiration on how to set up a governance structure for handling new vendors.