The role of procurement in data privacy governance is critical to any organisation’s data privacy framework. Yet, most stakeholders fail to set rigorous standards in their procurement methodology. That neglect and that lack of rigour multiplies companies’ vulnerabilities.
Procurement process helps organisation make sure there is, in the first place, value for money without unacceptable risks. Imagine a company using a third-party company to process large amounts of personal data in their business without carrying out extensive due diligence process. In the contract, the third-party claims that they would notify client when there is a breach in “less than a day”. When a breach happened, the third-party company didn’t have the process or have the right channel to notify their client. If procurement process was defined properly the company in question would figure out gaps before employing services of the third-party company.
There is good reason for data privacy professionals to build a good relationship with procurement within their organisation. That involves closely working with procurement managing vendors. That is the new norm as most companies depend heavily on vendors, suppliers, third-party companies to serve their customers. For example, an insurance company may pass customer information to third-party companies to help them process claims.
One reason why data privacy professionals must work with procurement is to tease out what types of questions they should ask a particular vendor, understand their function and how their services feed into the business. It is natural that procurement would create a business sense why such purchases will boost overall revenue. Since procurement might not have subject matter expertise about data privacy regulations it is important they partner with their data privacy personnel. Unfortunately, most organisations are not at this level of maturity, but it is key to embed this into the procurement process.
In procurement process, contract management plays a key role. Usually, procurement has good reputation for getting the best deal and saving the business some money. However, lack of expertise to know what to look for in the contract can lead to situations where companies agree to unfavourable clauses. For instance, the retention or deletion periods during the term of agreement might not be clear, or how deletion would be done after the term of the contract is usually cloudy. It is important the contract carries these details in clear form. If data privacy professionals work with procurement, these atypical clauses in contracts can be identified.
Another area most companies ignore is to have an extensive log of all vendors they employ. This log should have information of all vendors, their service, the information they process, the timeline of term agreement and highlight any risks each vendor presents. Dealing with too many vendors can be overwhelming, as such, it is good to have a repository that shows which vendor does what per time. This exercise will help companies have a granular level of rational information about each vendor.
Contracts with suppliers, vendors, or third parties usually state right to audit, but most companies fail to carry out these audits. However, it is good practice for data privacy personnel to ensure that these audits are carried out. Without carrying out these audits, everything the supplier claims to have has not been verified, which means the company is handing over information without concrete verification.
As data privacy regulation matures, the procurement role in data privacy governance will become critical. Companies must create a procurement process that flows through data privacy. The data privacy department and procurement department must work hand in hand to bring in right vendors or mitigate risks presented by any vendor.
