How can you negotiate with vendors to improve data security and privacy?
Data security and privacy are essential for any business that relies on vendors to provide services, products, or solutions. However, not all vendors have the same standards or practices when it comes to protecting your data and your customers' data. How can you negotiate with vendors to improve data security and privacy? Here are some tips to help you achieve better outcomes.
- Pretam A S, Global PV Agreements at Teva | Aspiring Associate Director | Compliance | PV Training | AI Enthusiast | Content Creator…
- Karim Boulet, Director of F&B Operations | 5* Luxury Hospitality Management | Remote Locations
- Noga Rosenthal, General Counsel and Chief Privacy Officer at Ampersand | Advisory Board Member | Data Strategy | Policy | Technology…
Before you approach any vendor, you need to have a clear understanding of your own data security and privacy requirements. What kind of data do you share with vendors? How sensitive is it? What are the legal and regulatory obligations that apply to your industry and location? What are the risks and consequences of a data breach or misuse? By assessing your needs, you can identify the key issues and priorities that you want to address with your vendors.
- Negotiation should be a collaborative process to establish a strong and secure relationship with our suppliers. When negotiating to enhance data security and privacy, we need to set clear requirements and define minimum standards. Requesting regular security audits aligned with industry standards, and including detailed clauses in contracts with penalties for non-compliance, is key. We will ensure suppliers have a robust incident management plan and share relevant information. Verifying staff training to prevent human error is essential. We will also conduct periodic assessments to sustain high standards, and choose transparent suppliers that comply with relevant regulations. In summary, we need to collaborate for a strong, secure relationship.
- Understand the risk presented by the vendor relationship: how would a security incident, data breach, or interruption in service impact the organization? Ensure you have a written policy and methodology for evaluating the vendor's programs. Ask for a copy of their policies. When we've done this, sometimes vendors send over policies that are still in draft, which is a signal that they don't have an established program. Require that they carry cyber insurance with limits sufficient to cover not just any impact to you but to their other customers as well.
- First, know your company's data and security needs and articulate them clearly in the RFP to weed out vendors who are not able to meet those needs. Make it clear in the RFP that the inability to meet those needs is a deal killer. Limit the vendors from whom the company accepts RFPs to those qualified to actually meet those needs.
- This is spot on. In this age of constant breaches by vendors, it's key to assess corporate needs and potential exposure, as the consequences of a data breach are enormous and sometimes attract huge penalties from regulators, aside from the reputational damage to brands. It is therefore key that organisations, particularly privacy officers, make it a point of duty to assess potential risks or loose ends and constantly rework their processes to guard against avoidable incidents.
- Negotiation must be a collaborative process where both sides win. Suppliers and customers must be transparent and, of course, solvent. An arduous negotiation is of no use if it is not managed well afterwards, or worse, if payment is never collected. Beyond looking for suppliers that are faithful to the privacy policies established in any market economy, information is susceptible to being sold, something that must never happen. As I said: win/win.
Once you know your needs, you need to research the vendors that you are considering or working with. What are their data security and privacy policies and procedures? How do they comply with relevant laws and standards? How do they handle data breaches and incidents? How do they communicate and report on data security and privacy matters? By doing your research, you can evaluate the vendors' capabilities and performance, and compare them with your expectations and benchmarks.
- When negotiating with vendors on privacy and security matters, it's important to approach the discussion with a clear strategy and a focus on achieving mutually beneficial outcomes.
  1. Define your requirements: Before engaging in negotiations, clearly define your organization's privacy and security requirements.
  2. Research and due diligence: Conduct thorough research on the vendor's privacy and security practices.
  3. Prioritize privacy and security: Make it clear to the vendor that privacy and security are non-negotiable aspects of your partnership.
  4. Collaborative approach.
  5. Clearly communicate expectations.
  6. Contractual agreements.
  7. Ongoing monitoring and review.
- The very first step the client should take is to understand what data they are sharing and what the data flow is. I am always surprised by requests from clients to secure their data, only to learn that the data is not even flowing to our systems or even accessible/viewable by our employees at the user level.
- The challenge arises when you are not aligned with your vendor. In a perfect world we are always aligned with our vendors, but the reality can be quite different. Privacy laws and security requirements can differ across jurisdictions, and what is required in one may not be required in the other. There is also an inequality of interests that may come in. Cloud services are a good example. Most businesses need cloud services with certain security requirements, but an AWS or Azure will only offer what they offer, and there is no bargaining with them about it. Understanding a vendor's security is a far cry from being able to rely on them.
- Researching vendors is a critical step in ensuring a robust and secure partnership. Understanding their data security and privacy policies, compliance with laws and standards, and protocols for handling breaches is key. This due diligence allows for a thorough evaluation of vendors' capabilities and performance against your expectations and benchmarks. It's a proactive approach that not only helps in making informed decisions but also ensures alignment between your organization's standards and the vendor's practices.
- Leveraging supporting regulatory frameworks relating to data protection and cybersecurity is the single most effective tool to compel vendors to bolster related terms and conditions. Absent applicable regulation, setting your own corporate policies to explicitly meet or exceed industry or local data protection and cybersecurity standards, and then requiring vendors to include language that, in turn, meets or exceeds the standards of your corporate policies, can also prove effective. Depending on the size and business model of the vendor, their willingness to adopt new standards or provide bespoke language in an agreement will vary. In some cases, the vendor would rather you find another vendor than adapt to your requirements.
After you have done your research, you need to set clear expectations with your vendors. You can do this by drafting or reviewing the data security and privacy clauses in your contracts, service level agreements, or terms and conditions. You should specify what data you will share with vendors, how they will use, store, and protect it, what rights and obligations they have, and what penalties or remedies apply in case of a breach or violation. You should also define how you will monitor and audit the vendors' compliance, and how you will resolve any disputes or issues.
- For critical projects, always conclude an NDA (Non-Disclosure Agreement) in which you specify exactly which data your supplier can and cannot share with other parties. This is the first action you take after contacting us. Do not disclose any details about your sensitive project until the NDA is signed. It doesn't offer you 100% security, but if you set a penalty, there is at least a disincentive for the supplier to keep their data confidential.
- Well said. Any contract should be drafted keeping the end result in mind. It should protect the rights and obligations of both sides. It must fully protect against any data breach, and protect privacy, by way of strong remedies and penalties.
- Having an NDA is good, but not foolproof when dealing internationally and perhaps with a small company. You need to investigate your potential partner fully and always ask for recommendations. If the other side has no one who can speak (write) on their behalf, that may be a warning sign of worse things.
- It's always important to review and feel comfortable with the "subcontracting services clause": either it is not permitted, or it is permitted but with certain safeguards included, always keeping the original vendor's responsibilities intact.
- Clearly defining data parameters with vendors is crucial. Specify data types, usage terms, and protection measures in contracts. Outline rights, obligations, and penalties for breaches. Incorporate monitoring and auditing for ongoing compliance. Your emphasis on dispute resolution demonstrates a holistic approach. This detailed approach ensures transparency and aligns expectations, fostering a secure and efficient vendor relationship.
When you have set your expectations, you need to negotiate effectively with your vendors. Preparation and planning is key to success, as you should know your goals, alternatives, and limits, as well as anticipate the vendors' interests, concerns, and objections. Communicating clearly and respectfully is also important, as you should explain the rationale and benefits of your data security and privacy requirements while listening to the vendors' feedback and suggestions. Additionally, you should focus on mutual value and trust by emphasizing the long-term relationship and collaboration. Lastly, be flexible and creative by compromising on some aspects while exploring different options that can meet your data security and privacy objectives.
- Thank you so much for sharing. To my knowledge, SCCs are required for data transfers outside the EEA. When a vendor is processing data across borders, they can be effective. For the SCCs, the client should clearly specify the required information for the vendor.
- In negotiations, embrace a collaborative, win-win approach, aligning goals for mutual benefit. Institute incentives that reward surpassing security standards. Facilitate knowledge transfer for enhanced comprehension of unique security needs. Establish a continuous improvement framework for regular security protocol updates. Ensure technology alignment for future security needs and define clear escalation protocols. Promote cross-functional collaboration involving legal, IT, and business units. This approach fosters a robust partnership prioritizing data security and privacy, navigating negotiations effectively for enduring success.
- In contract negotiations with vendors, it's crucial to recognize that data protection laws often contain mandatory provisions. These legal requirements set limits on the scope of negotiation. A prime example is the use of standard contractual clauses (SCCs). While parties can negotiate specific fields, the core text remains obligatory. This ensures compliance with the overarching data protection framework. Similarly, under GDPR Article 55, the competence of a supervisory authority is not subject to negotiation. The authority's role and powers are predefined and must be respected. This highlights a fundamental aspect of privacy and data protection negotiations: while there is room for discussion, the boundaries are firmly set by law.
- Negotiation is an art. When we are clear about our defined goal, we can achieve our objective through a particular style of negotiation. For example, we can use barter negotiation with the vendor: give them what they expect, and request that our demand be met. In a win-win negotiation, we treat our vendor with fair and respectful business dealing.
- In negotiations, it's important to leverage expertise and bargaining power effectively while also ensuring that the other party feels they have achieved some favorable terms, thus fostering a mutually beneficial outcome. It's essential to identify the deal-breakers from the outset and communicate clearly that there's no room for compromise on these specific points, thus respecting the time and effort invested by both parties. Unnecessarily prolonging discussions on matters that are unequivocal, in order to gain time, can lead to reputational damage.
Finally, you need to review and update your data security and privacy arrangements with your vendors regularly. You can do this by conducting periodic audits, surveys, or meetings to assess the vendors' performance and compliance, and identify any gaps or issues. You should also keep track of any changes in your or the vendors' business needs, operations, or environments, and update your contracts, agreements, or terms accordingly. By reviewing and updating regularly, you can ensure that your data security and privacy standards and practices remain relevant and effective.
- In this dynamic world, nothing is permanent, and hence even your processes and policies must change with the changing times. Every experience, every audit, every piece of feedback must be accepted with openness, and the policies must be subject to constant review and enhancement. This will ensure the business scales safely with equal regard for compliance.
- Regular review and updating of data security and privacy arrangements with vendors is a critical practice. Conducting periodic audits, surveys, or meetings allows for a comprehensive assessment of vendors' performance and compliance, helping identify and address any gaps or issues promptly. Keeping track of changes in business needs, operations, or environments is equally important. This vigilance enables the timely updating of contracts, agreements, or terms to reflect evolving requirements accurately. By committing to this regular review process, organizations can ensure that their data security and privacy standards stay relevant, effective, and aligned with the dynamic nature of the business landscape.
- If you are based in Europe, remember to conclude a data processing agreement with all suppliers who access your customers' data (e.g. payment service providers, providers of newsletter software or marketing automation tools, ...). This is required by law. In addition, you must indicate in your privacy notice (data protection declaration) which companies you exchange such data with and to what extent.
- Before a negotiation, it is essential to carry out a preliminary process: research. If information and/or documents are requested from the client or supplier, they are required to sign a document authorising the use of their data. If this preliminary process is not carried out, the negotiation is conducted with risk and without clarity about the other party.
- Establish clear lines of communication to address issues promptly and maintain transparency. Include measurable performance indicators to evaluate the vendor's performance and ensure continuous improvement. Schedule regular reviews to discuss progress, address concerns, and provide feedback for improvement.
- The standard answer is a standard NDA with additional clauses to suit extra-sensitive projects. The non-conventional answer is to develop exclusivity, or a form of it, within the market: for example, setting up vendors under a tightly limited framework, where there is a business incentive allowing more scope for negotiating better parameters and more chances of compliance on the back of a clearer framework, which cements a long-term business partnership with multiple vendors contracted on the same terms and conditions. A vendor that discloses can immediately be taken off the framework, as additional protection.
- In a rapidly changing world, it is extremely important to include a clause that requires any possible change to be communicated in a timely manner. Additionally, the overall responsibility for each action until the change is communicated, accepted, processed and implemented, including potential risk assessment and mitigation measures, is critical.
- To get the supply chain engaged, it is important to start with an effective communication and awareness campaign about the purposes and reasons why we need to ensure data protection, and about the risks and market impacts if we do not succeed. Afterwards, turn the content of the communication into contractual clauses to formalise the engagement.
- The first thing on your to-do list should be mapping your own data security system according to the applicable rules. Once you have the full picture, you have a clearer idea of what you need to ask from vendors regarding data security and privacy. Here are a few things to consider when negotiating with vendors:
  - Are they in the same jurisdiction as yours? If yes, it makes it easier to align according to the applicable rules.
  - Is it a take-it-or-leave-it vendor? You might not have the same flexibility to negotiate, depending on the size and reputation of your vendor.
  - When choosing your vendor, first review their policies regarding data security and privacy to get a rough idea of where they stand.
  - When negotiating, set clear responsibilities.
- 1. Negotiating is an art that is developed through the 3 P's: Practice, Patience, Prudence. 2. Modern negotiation practices are flexible and allow a win-win 🥇 outcome. 3. During a negotiation process, never forget to look for what is fair, but above all for what is right.