IVI Framework Viewer

Supplier Management

A2

Select suppliers that are committed to observing the organization's personal data protection obligations, and manage supplier compliance with them.

Improvement Planning

Practices-Outcomes-Metrics (POM)

Representative POMs are described for Supplier Management at each level of maturity.

1 Initial
  • Practice
    Draft and agree data protection contract details.
    Outcome
    No supplier data protection contracts in place.
  • Practice
    Manage the contractual relationship between the data controller and the data processor.
    Outcome
    Supplier contracts contain some provisions for data protection.
    Metric
    % supplier contracts containing data protection provisions.
  • Practice
    Provide qualification criteria on data protection for the identification, validation, and selection of suppliers.
    Outcome
    Data protection contracts are mandatory and tailored to each individual supplier relationship with clear provisions for breaches.
    Metrics
    • % supplier contracts containing data protection provisions.
    • # data contract breaches.
    • # data contract breaches by supplier.
2 Basic
  • Practice
    Draft and agree data protection contract details.
    Outcome
    Data protection contracts are in template form and can be readily used in any supplier contract.
    Metrics
    • % supplier contracts containing data protection provisions.
    • # data contract breaches.
    • # data contract breaches by supplier.
  • Practice
    Manage the contractual relationship between the data controller and the data processor.
    Outcome
    Continuous, mutually beneficial improvements from both supplier and consumer are implemented to maximize value and minimize risk.
    Metrics
    • % of suppliers with data processor contracts.
    • % of contracts with ‘right to audit’.
  • Practice
    Provide qualification criteria on data protection for the identification, validation, and selection of suppliers.
    Outcome
    No contract management in place.
3 Intermediate
  • Practice
    Draft and agree data protection contract details.
    Outcome
    Periodic, informal contract reviews with suppliers are identifying and correcting issues.
    Metric
    % data contracts reviewed.
  • Practice
    Manage the contractual relationship between the data controller and the data processor.
    Outcomes
    • Contract reviews are held on a scheduled basis.
    • Performance is assessed and any shortfalls are remedied.
    Metrics
    • % data contracts reviewed.
    • # data contract review anomalies actioned.
  • Practice
    Provide qualification criteria on data protection for the identification, validation, and selection of suppliers.
    Outcomes
    • Supplier performance reviews are seen as a two-way exercise in improvement.
    • Corrective actions are assigned at both the consumer and supplier sides as appropriate.
    Metrics
    • % data contracts reviewed.
    • # data contract review anomalies actioned.
    • Frequency of reviews.
4 Advanced
  • Practice
    Draft and agree data protection contract details.
    Outcomes
    • Both supplier and consumer endeavour to cooperate on industry best practice norms.
    • A mutually beneficial exchange of ideas and information is the norm at review meetings.
    Metrics
    • % contracts that are optimised for value generation and risk minimisation.
    • # of suppliers audited for best practice data protection.
    • # Ideas adopted by the consumer from the supplier.
    • # Ideas adopted by the supplier from the consumer.
  • Practice
    Manage the contractual relationship between the data controller and the data processor.
    Outcome
    Suppliers selected on an ad hoc basis without formal processes.
  • Practice
    Provide qualification criteria on data protection for the identification, validation, and selection of suppliers.
    Outcome
    Suppliers selected using processes and methodologies that vary across the organisation.
    Metric
    % of suppliers meeting the data protection qualification criteria.
5 Optimized
  • Practice
    Draft and agree data protection contract details.
    Outcome
    Supplier selection is a centralised and transparent process using predefined selection criteria.
    Metric
    % of suppliers meeting the data protection qualification criteria.
  • Practice
    Manage the contractual relationship between the data controller and the data processor.
    Outcome
    Supplier selection is mostly automated, with tool-based tendering, scoring, and selection processes.
    Metrics
    • % of suppliers qualifying on all business criteria (e.g. ISO9000, etc.).
    • % of suppliers that are improving data protection practices.
  • Practice
    Provide qualification criteria on data protection for the identification, validation, and selection of suppliers.
    Outcome
    Continuous process improvement and optimisation.
    Metric
    % of suppliers that are continually improving data protection practices.