This is a complicated area in the GDPR because it deals with the relationship between controllers and processors (vendors).
Controllers must perform due diligence when selecting a processor to demonstrate that the processor can be trusted to abide by the GDPR. After selection, a contract must be drawn up that defines the relationship and establishes the rules under which the vendor must process the controller's personal data. After the contract is signed, the processor must adhere to the processing rules and keep the controller informed of any data subject requests, incidents or other issues that need clarification with the controller.
The main challenge in establishing the relationship is geographical location. The GDPR splits the world into two parts: the EU and third countries. EEA countries like Norway are a halfway house, but they are still treated like third countries when it comes to vendor management.
Which vendors are used?
Many companies have a serious challenge in discovering which vendors they use. The usual method is standard analysis undertaken by speaking to internal experts and building a list.
Are vendors compliant?
When the list is ready, each vendor needs to be checked to ensure that it is operating under the GDPR. The usual method for this is to contact the vendor and ask for proof.
Is there a GDPR data processing agreement in place with each vendor?
Each vendor should have signed a data processing agreement that sets out the terms under which the vendor must process the personal data it is given. The data processing agreement must also take into account whether the vendor is based in the EU or in a third country.
A complex task with a practical solution
The above is a lot of work and can take a long time. In addition, you will need to collate information and make sure that it is in a single place and easily accessible.
The WeControl.io platform helps you through the process of managing your vendors.
WeControl.io Vendor Management
Part of the WeControl GDPR ecosystem is dedicated to vendor management. WeControl.io Vendor Management includes:
- Finding the vendors you use in your web sites.
- Enabling you to manually enter vendors.
- Checking the vendors found or that you entered against our GDPR rated list of vendors.
- Enabling you to question, record and verify each vendor’s GDPR readiness status.
- Managing a central list of your vendors.
- Guiding you through the process of setting up data processing agreements.
- Enabling you to generate data processing agreements from templates.
- Enabling you to use tailor-made data processing agreements.
- Linking your vendors, GDPR readiness status and data processing agreements.
WeControl.io vendor management is quick and easy to use
Everything is controlled from the Manage Vendor Compliance function shown on your WeControl dashboard.
The four sections allow you to:
- Find, create and manage vendors.
- Record due diligence using a comprehensive question and answer process.
- Build, manage and e-sign your vendors' data processing agreements.
- Create and manage your own data processing agreement templates.
Find vendors easily
Click the add/scan website link and enter the URL you want to scan; WeControl returns and records all the vendor packages used on the site.
If you want to add vendors that are not used in your web services, you can easily add them manually. Simply click the Add manually link and fill in the fields.
Quickly perform vendor due-diligence
Click the due-diligence link to see a list of your scanned and manually added vendors. Select each one that processes your personal data, contact them, ask the due-diligence questions, click the correct response and save. That's all you need to do.
Easily create a data processing agreement
Click the data processing agreements link then click the create data processing agreement button. From here, simply answer the questions and WeControl.io will generate a data processing agreement template from our template library containing text that has been reviewed by lawyers. You may then tailor the content and save it.
Assign and e-sign a vendor data processing agreement
Click the data processing agreements link to see a list of your vendors and any associated data processing agreements. To assign a data processing agreement to a vendor, use the links in the rightmost column. You can either upload a document or use one of the data processing agreement templates you created. If you use a template, you will be automatically directed to the e-signature process, where both you and the vendor can sign.
After a data processing agreement is assigned, you can replace, sign and download it.
Help and training
As with all elements in the WeControl.io platform, there are resources and training for all aspects of vendor management to help you through each step.