Evaluating Vendor Trust Pages and Privacy Policies

BLOG 5 MINS | September 1, 2020
Vendor Trust Pages and Privacy Policies: 10 Key Considerations When Evaluating a Vendor

You can learn a lot about a vendor by reading their privacy notice or trust page. However, sometimes it’s difficult to sort through the noise and extract what matters most to you and your business. In this blog, we’ll outline the top attributes or priorities to look for when evaluating a vendor’s privacy notice or trust webpage. What makes a good privacy and trust program, and what are the red flags?

1. Does the vendor even have a privacy policy?

  • An organization without a publicly available privacy notice has failed to demonstrate even the most basic level of data protection safeguards. This should be the biggest and most obvious red flag when evaluating new vendors.

2. When did the vendor last update the privacy policy?

  • For instance, is the policy’s last update current with any newly released privacy laws, such as the post-CCPA regulations? If the last update occurred before the enactment or effective date of a particularly important or new law, then you should reevaluate whether you want to work with this vendor.

3. Does the vendor’s privacy policy address the following?

  • Personal Information processing details:
    • Types of personal information collected (the what)
    • How the vendor collects personal information (the how, e.g., directly from users or indirectly via tracking, etc.)
    • Purpose of collection/processing (the why): what are the processing activities?
    • Lawful bases for processing personal information (for instance, the GDPR and the LGPD require a lawful basis)
    • Country location(s) in which processing activities occur (the where)
  • Compliance:
    • Identification of the applicable data protection laws is a positive, but note that some laws require specificity. For example, many websites have CCPA-specific sections.
  • Sharing or Disclosures of Personal Information:
    • The entities to which the vendor shares or discloses personal information (e.g., service providers)
    • The reason(s) (e.g., processing or legal reason) the vendor shares or discloses personal information
    • The lawful basis (e.g., consent or legitimate interest) on which the vendor relies to share or disclose personal information
    • A big plus is a vendor that has a separate page identifying its service providers (subprocessors) by name, location, and specific service provided, such as the cloud service provider
  • International Transfers:
    • Whether the vendor transfers personal information to other countries
      • The countries to which the vendor transfers such information
      • How the vendor ensures such transfers are secure and lawful (for instance, the GDPR requires a lawful transfer mechanism, e.g., Standard Contractual Clauses or Binding Corporate Rules)
  • Storage or Retention of Personal Information:
    • Whether the vendor stores or retains personal information and its retention period
  • Individuals’ privacy rights and controls: the ability to exercise control of personal data via privacy settings
  • Government/Law Enforcement Data Access Request Policy:
    • Does the vendor have a policy for responding to government access requests for personal data and does it provide a Transparency report?
  • Data Protection Officer or Privacy officer identity
  • Contact information

4. Does the vendor’s privacy policy or trust page address the security measures or controls in place?

  • Does the vendor identify with specificity the technical and organizational measures it has implemented to safeguard personal data?
  • Does the vendor provide an ISO certification (e.g., ISO 27001) or SOC report (e.g., SOC 2 Type II report), or other documentation (e.g., a CSA CAIQ or SIG questionnaire)?
  • Does the trust page have any security whitepapers?
  • Does the vendor have a status page showing any incidents or downtimes?

5. Does the vendor have a separate cookie notice or policy section?

  • Whether the vendor uses cookies and, if so, what type
  • Whether the vendor enables individuals to configure cookie settings and options
  • Must allow individuals to set options/preferences

6. Overall, does the vendor’s privacy or trust page embody the following attributes?

  • Concise
  • Transparent
  • Intelligible
  • Clear and plain language
  • Easily Accessible
  • Presented in writing or by other means
  • Free of charge

7. Does the vendor’s privacy policy include any supporting data protection documentation?

  • Approved GDPR code of conduct
  • Approved GDPR certification mechanism
  • Privacy Whitepaper
  • Transparency Report (regarding government data access requests)
  • ISO 27701 certification
  • ISO 27018 certification
  • BS 10012 certification

8. Can you determine whether the vendor adheres to any of the following Privacy by Design principles?

  • Proactive not reactive, preventative not remedial
  • Privacy as the default setting
  • Privacy embedded into design
  • Full functionality, positive sum, not zero-sum
  • End-to-end security, full life-cycle protection
  • Visibility and transparency, maintain openness
  • Respect for user privacy, keep it user-centric

9. Does the vendor demonstrate adherence to widely-accepted privacy principles (e.g., the OECD’s Privacy Principles or the GDPR’s privacy principles)?

  • Collection Limitation Principle
  • Data Quality Principle
  • Purpose Specification Principle
  • Use Limitation Principle
  • Security Safeguards Principle
  • Openness Principle
  • Individual Participation Principle
  • Accountability Principle

10. Does the vendor offer a data processing agreement/addendum (DPA), or is it willing to enter into one?

What are the Red Flags?

Basically, red flags depend on whether the vendor handles your personal data and the level of sensitivity of the data, as well as the volume. In general, anything missing from the above attributes should raise red flags. That said, major red flags, among others, include:

  • No privacy policy or an outdated one
  • No clear description of the personal information collected and processed and the reasons for doing so
  • No description of individuals’ privacy rights and how to exercise them
  • No contact information
  • No information on security measures

What Makes a Good Privacy and Trust Program?

In general, a good privacy and trust program will demonstrate all of the attributes above. Specifically, you should be able to confirm that the vendor demonstrates, on a holistic level, the following (which are noted above): Privacy by Design Principles and OECD Privacy Principles.

Note, the latter attributes are a way to assess the vendor overall, as they incorporate privacy and security, as well as individual rights.

Evaluate Your Vendors’ Privacy and Trust Program Now

While these key considerations can help you evaluate the privacy and trust of your current or potential vendors, the process can be costly and time-consuming. The OneTrust Vendorpedia Third-Party Risk Exchange offers organizations a community of shared vendor risk assessments, as well as privacy policy and trust page research on 70,000+ third parties, to help streamline due diligence for your third parties.

Want to try it out? We’re offering an extended free trial that includes access to 10 free and completed vendor risk assessments.
