Supplier Management
Select suppliers that are committed to observing the organization's personal data protection obligations, and manage supplier compliance with them.
Improvement Planning
Practices-Outcomes-Metrics (POM)
Representative POMs are described for Supplier Management at each level of maturity.
- 1 Initial
  - Practice
    - Draft and agree data protection contract details.
  - Outcome
    - No supplier data protection contracts in place.
  - Practice
    - Manage the contractual relationship between the data controller and the data processor.
  - Outcome
    - Supplier contracts contain some provisions for data protection.
  - Metric
    - % supplier contracts containing data protection provisions.
  - Practice
    - Provide qualification criteria on data protection for the identification, validation, and selection of suppliers.
  - Outcome
    - Data protection contracts are mandatory and tailored to each individual supplier relationship, with clear provisions for breaches.
  - Metrics
    - % supplier contracts containing data protection provisions.
    - # data contract breaches.
    - # data contract breaches by supplier.
- 2 Basic
  - Practice
    - Draft and agree data protection contract details.
  - Outcome
    - Data protection contracts are in template form and can be readily used in any supplier contract.
  - Metrics
    - % supplier contracts containing data protection provisions.
    - # data contract breaches.
    - # data contract breaches by supplier.
  - Practice
    - Manage the contractual relationship between the data controller and the data processor.
  - Outcome
    - Continuous, mutually beneficial improvements from both supplier and consumer are implemented to maximize value and minimize risk.
  - Metrics
    - % of suppliers with data processor contracts.
    - % of contracts with a 'right to audit' clause.
  - Practice
    - Provide qualification criteria on data protection for the identification, validation, and selection of suppliers.
  - Outcome
    - No contract management in place.
- 3 Intermediate
  - Practice
    - Draft and agree data protection contract details.
  - Outcome
    - Periodic, informal contract reviews with suppliers identify and correct issues.
  - Metric
    - % data contracts reviewed.
  - Practice
    - Manage the contractual relationship between the data controller and the data processor.
  - Outcomes
    - Contract reviews are held on a scheduled basis.
    - Performance is assessed and any shortfalls are remedied.
  - Metrics
    - % data contracts reviewed.
    - # data contract review anomalies actioned.
  - Practice
    - Provide qualification criteria on data protection for the identification, validation, and selection of suppliers.
  - Outcomes
    - Supplier performance reviews are seen as a two-way exercise in improvement.
    - Corrective actions are assigned on both the consumer and supplier sides as appropriate.
  - Metrics
    - % data contracts reviewed.
    - # data contract review anomalies actioned.
    - Frequency of reviews.
- 4 Advanced
  - Practice
    - Draft and agree data protection contract details.
  - Outcomes
    - Both supplier and consumer endeavour to cooperate on industry best-practice norms.
    - A mutually beneficial exchange of ideas and information is the norm at review meetings.
  - Metrics
    - % contracts that are optimised for value generation and risk minimisation.
    - # of suppliers audited for best-practice data protection.
    - # ideas adopted by the consumer from the supplier.
    - # ideas adopted by the supplier from the consumer.
  - Practice
    - Manage the contractual relationship between the data controller and the data processor.
  - Outcome
    - Suppliers selected on an ad hoc basis without formal processes.
  - Practice
    - Provide qualification criteria on data protection for the identification, validation, and selection of suppliers.
  - Outcome
    - Suppliers selected using processes and methodologies that vary across the organisation.
  - Metric
    - % of suppliers qualifying against data protection criteria.
- 5 Optimized
  - Practice
    - Draft and agree data protection contract details.
  - Outcome
    - Supplier selection is a centralised and transparent process using predefined selection criteria.
  - Metric
    - % of suppliers qualifying against data protection criteria.
  - Practice
    - Manage the contractual relationship between the data controller and the data processor.
  - Outcome
    - Supplier selection is mostly automated, with tool-based tendering, scoring and selection processes.
  - Metrics
    - % of suppliers qualifying on all business criteria (e.g. ISO9000).
    - % of suppliers that are improving data protection practices.
  - Practice
    - Provide qualification criteria on data protection for the identification, validation, and selection of suppliers.
  - Outcome
    - Continuous process improvement and optimisation.
  - Metric
    - % of suppliers that are continually improving data protection practices.