IVI Framework Viewer

Supplier Management

A2

Define personal data protection qualification criteria for identifying and validating suppliers, and select suppliers who are committed to observing the organization's personal data protection obligations. Draft and agree the data processor contract, and manage contract compliance with the suppliers.

Improvement Planning

Practices-Outcomes-Metrics (POM)

Representative POMs are described for Supplier Management at each level of maturity.

2 Basic
  • Practice
    Begin to identify key personal data protection requirements that need to be considered in supplier selection activities.
    Outcome
    Personal data protection requirements can be taken into account as a criterion in determining supplier suitability and selection.
    Metrics
    • # of personal data protection requirements considered in supplier selections.
    • % of suppliers qualifying on personal data protection criteria.
  • Practice
    Begin to include provisions for personal data protection in supplier contracts.
    Outcome
    The supplier contract includes a small set of provisions to protect personal data.
    Metric
    % of supplier contracts containing personal data protection provisions.
  • Practice
    Conduct periodic, informal contract compliance reviews across a number of key suppliers.
    Outcome
    The contract reviews with suppliers can begin to identify and correct issues.
    Metric
    % of data contracts reviewed.
3 Intermediate
  • Practice
    Define a comprehensive set of personal data protection requirements and use them in most supplier selections.
    Outcomes
    • Personal data protection requirements are a key criterion in determining the suitability and selection of most suppliers.
    • The likelihood of personal data protection breaches resulting from supplier actions is decreasing.
    Metrics
    • # of personal data protection requirements considered in supplier selections.
    • % of suppliers qualifying on personal data protection criteria.
  • Practice
    Make supplier data processor contracts and obligations to protect personal data mandatory requirements, and tailor them to each individual supplier relationship.
    Outcome
    Specific obligations to protect personal data can be imposed on suppliers and clear penalties for breaches can be enforced.
    Metrics
    • % of supplier contracts containing personal data protection provisions.
    • # of data contract breaches.
    • # of data contract breaches by supplier.
  • Practice
    Build formal contract compliance reviews into the contract and ensure that both the data controller and data processor monitor compliance.
    Outcomes
    • Contract reviews are held and key aspects of supplier performance/compliance are assessed on a scheduled basis.
    • Many issues/shortfalls can be identified and remedied.
    Metrics
    • % of data contracts reviewed.
    • # of data contract review anomalies detected.
    • % of data contract review anomalies actioned.
4 Advanced
  • Practice
    Use the comprehensive set of personal data protection requirements in all supplier selections.
    Outcomes
    • Personal data protection requirements are a key criterion in determining the suitability and selection of all suppliers.
    • The likelihood of personal data protection breaches as a result of supplier actions is minimal.
    Metrics
    • # of personal data protection requirements considered in supplier selections.
    • % of suppliers qualifying on personal data protection criteria.
  • Practice
    Incorporate supplier data processor contracts and obligations to protect personal data as part of an automated supplier selection process, and tailor them based on context and system inputs.
    Outcome
    Specific, tailored obligations to protect personal data can be consistently imposed on all suppliers, and clear penalties for breaches can be enforced.
    Metrics
    • % of supplier contracts containing personal data protection provisions.
    • # of data contract breaches.
    • # of data contract breaches by supplier.
  • Practices
    • Conduct contract compliance reviews for all suppliers.
    • Automate the collection and analysis of an agreed, comprehensive set of contract compliance metrics in most cases.
    Outcomes
    • Contract reviews are held and a comprehensive overview of supplier performance/compliance is possible.
    • Corrective actions can be assigned, as appropriate, to address all issues/shortfalls.
    Metrics
    • % of data contracts reviewed.
    • # of data contract review anomalies detected.
    • % of data contract review anomalies actioned.
5 Optimized
  • Practice
    Ensure the personal data protection requirements for supplier selection are continually informed by the latest industry, research, and legislative insights.
    Outcome
    Supplier suitability is continually assessed against an up-to-date set of personal data protection requirements.
    Metric
    Frequency of review and update of the personal data protection requirements for supplier selections.
  • Practice
    Continually review the personal data protection obligations in the supplier data processor contracts to ensure that they align with legal/regulatory obligations and business objectives.
    Outcome
    Supplier data processor contracts always reflect an up-to-date, relevant set of personal data protection obligations.
    Metrics
    • % of supplier contracts with a ‘right to audit’.
    • Frequency of review of personal data protection obligations in the supplier contracts.
  • Practice
    Continually improve the contract compliance management process.
    Outcomes
    • Parties involved in contract compliance management endeavour to cooperate on industry best practice norms.
    • A mutually beneficial exchange of ideas and information is the norm at review meetings.
    Metrics
    • % of data contracts that are optimized for value generation and risk minimization.
    • # of suppliers audited for best practice data protection.
    • # of ideas adopted by the consumer from the supplier.
    • # of ideas adopted by the supplier from the consumer.