Vendor Management and Data Privacy

October 4, 2023

Entering into appropriate data processing agreements (DPAs) with vendors has become a critical component of vendor management. However, it can be one of the most time-consuming and complex aspects of data privacy compliance, according to a JD Supra article.

At the beginning of a vendor relationship, Legal Ops must determine whether a DPA is required. A DPA is legally required only when personal data or personal information will be disclosed to the vendor, and only if the vendor will process that data on the customer's behalf, that is, as a processor (or, in CCPA terms, a service provider) rather than as an independent controller.

The comprehensive privacy laws in certain U.S. states prescribe specific terms that a contract with a processor or service provider must contain, so the DPA has to be checked against those requirements rather than just signed. Separately, some state and federal laws impose their own contractual requirements for specific types of data in particular industries (health information under HIPAA, for example, requires a business associate agreement), even where that data is exempt from the comprehensive state privacy laws.

Vendors typically insist on using their own DPA form. Review it carefully to make sure it isn't drafted one-sidedly in the vendor's favor. These are some provisions that you will want to consider adding to the DPA:

  • Requiring the vendor to comply with applicable U.S. data privacy laws
  • Ensuring that personal data also constitutes “confidential information”
  • Imposing additional technical measures to protect personal data
  • Requiring the vendor's assistance with the investigation and any remediation of a personal data breach, at the vendor's cost

Keep in mind that a DPA is not the only vendor-management control. Before engaging a vendor, conduct diligence on its privacy and security practices; a contract clause does not substitute for knowing how the vendor actually handles your data.
