Vendor Management and Privacy Compliance

It has become commonplace in today’s business world to use third-party vendors for tasks that would be too difficult, time-consuming or resource-demanding to carry out in-house. However, this need for efficiency must be balanced against the hiring organization’s need to protect the privacy of its own data: every vendor engagement widens the set of parties that can access that data. This article details the interplay between vendor management and privacy compliance from an information security perspective and explores the different angles to consider.

The best way to maintain control over third-party vendors and organizational data privacy is to use a two-pronged strategy consisting of effective contract negotiation and due diligence.

Contract Negotiation

Control of Organization Data

When it comes to organization data, there is no denying that the data is the exclusive property of the organization. It is equally undeniable that a third-party vendor working with an organization will almost certainly be exposed to at least some of that data.

A well-negotiated contract will set out in clear terms that control of organizational data, including ownership, lies with the organization. The third-party vendor must respect this and deliver to the organization any of the organization’s data in its possession at the organization’s request. The same applies to data destruction: the vendor must destroy the organization’s data when the organization requests it. Additionally, a well-negotiated contract will state that the third-party vendor shall not assert any lien against organizational data.

A data privacy clause is a sensible one for an organization to negotiate and is commonly included in well-negotiated third-party vendor contracts. A good baseline data privacy clause should include the following:

  1. Organizational data shall be used by the third-party vendor only to the extent necessary to perform the responsibilities of the contract
  2. Organizational data shall not be disclosed to third parties without prior express written consent from the …

*** This is a Security Bloggers Network syndicated blog from InfoSec Resources authored by Greg Belding. Read the original post at: