Supplier Management
Define personal data protection qualification criteria for identifying and validating suppliers, and select suppliers who are committed to observing the organization's personal data protection obligations. Draft and agree the data processor contract, and manage contract compliance with the suppliers.
Practices-Outcomes-Metrics (POM)
Representative POMs are described for Supplier Management at each level of maturity.
- Maturity level 2: Basic
  - Practice
    - Begin to identify key personal data protection requirements that need to be considered in supplier selection activities.
  - Outcome
    - Personal data protection requirements can be taken into account as a criterion in determining supplier suitability and selection.
  - Metrics
    - # of personal data protection requirements considered in supplier selections.
    - % of suppliers qualifying on personal data protection criteria.
  - Practice
    - Begin to include provisions for personal data protection in supplier contracts.
  - Outcome
    - The supplier contract includes a small set of provisions to protect personal data.
  - Metric
    - % of supplier contracts containing personal data protection provisions.
  - Practice
    - Conduct periodic, informal contract compliance reviews across a number of key suppliers.
  - Outcome
    - The contract reviews with suppliers can begin to identify and correct issues.
  - Metric
    - % of data contracts reviewed.
- Maturity level 3: Intermediate
  - Practice
    - Define a comprehensive set of personal data protection requirements and use them in most supplier selections.
  - Outcomes
    - Personal data protection requirements are a key criterion in determining the suitability and selection of most suppliers.
    - The likelihood of personal data protection breaches as a result of supplier actions is reducing.
  - Metrics
    - # of personal data protection requirements considered in supplier selections.
    - % of suppliers qualifying on personal data protection criteria.
  - Practice
    - Make supplier data processor contracts and obligations to protect personal data mandatory requirements, and tailor them to each individual supplier relationship.
  - Outcome
    - Specific obligations to protect personal data can be imposed on suppliers and clear penalties for breaches can be enforced.
  - Metrics
    - % of supplier contracts containing personal data protection provisions.
    - # of data contract breaches.
    - # of data contract breaches by supplier.
  - Practice
    - Build formal contract compliance reviews into the contract and ensure that both the data controller and data processor monitor compliance.
  - Outcomes
    - Contract reviews are held and key aspects of supplier performance/compliance are assessed on a scheduled basis.
    - Many issues/shortfalls can be identified and remedied.
  - Metrics
    - % of data contracts reviewed.
    - # of data contract review anomalies detected.
    - % of data contract review anomalies actioned.
- Maturity level 4: Advanced
  - Practice
    - Use the comprehensive set of personal data protection requirements in all supplier selections.
  - Outcomes
    - Personal data protection requirements are a key criterion in determining the suitability and selection of all suppliers.
    - The likelihood of personal data protection breaches as a result of supplier actions is minimal.
  - Metrics
    - # of personal data protection requirements considered in supplier selections.
    - % of suppliers qualifying on personal data protection criteria.
  - Practice
    - Incorporate supplier data processor contracts and obligations to protect personal data as part of an automated supplier selection process, and tailor them based on context and system inputs.
  - Outcome
    - Specific, tailored obligations to protect personal data can be consistently imposed on all suppliers, and clear penalties for breaches can be enforced.
  - Metrics
    - % of supplier contracts containing personal data protection provisions.
    - # of data contract breaches.
    - # of data contract breaches by supplier.
  - Practices
    - Conduct contract compliance reviews for all suppliers.
    - Automate the collection and analysis of an agreed, comprehensive set of contract compliance metrics in most cases.
  - Outcomes
    - Contract reviews are held and a comprehensive overview of supplier performance/compliance is possible.
    - Corrective actions can be assigned, as appropriate, to address all issues/shortfalls.
  - Metrics
    - % of data contracts reviewed.
    - # of data contract review anomalies detected.
    - % of data contract review anomalies actioned.
- Maturity level 5: Optimized
  - Practice
    - Ensure the personal data protection requirements for supplier selection are continually informed by the latest industry, research, and legislative insights.
  - Outcome
    - Supplier suitability is continually assessed against an up-to-date set of personal data protection requirements.
  - Metric
    - Frequency of review and update of the personal data protection requirements for supplier selections.
  - Practice
    - Continually review the personal data protection obligations in the supplier data processor contracts to ensure that they align with legal/regulatory obligations and business objectives.
  - Outcome
    - Supplier data processor contracts always reflect an up-to-date, relevant set of personal data protection obligations.
  - Metrics
    - % of supplier contracts with a ‘right to audit’.
    - Frequency of review of personal data protection obligations in the supplier contracts.
  - Practice
    - Continually improve the contract compliance management process.
  - Outcomes
    - Parties involved in contract compliance management endeavour to cooperate on industry best practice norms.
    - A mutually beneficial exchange of ideas and information is the norm at review meetings.
  - Metrics
    - % of data contracts that are optimized for value generation and risk minimization.
    - # of suppliers audited for best practice data protection.
    - # of ideas adopted by the consumer from the supplier.
    - # of ideas adopted by the supplier from the consumer.