Vendor management matters to every company. Today, companies build and operate their businesses, services, products and platforms on other companies’ tools, software, services and platforms, in the cloud and on other companies’ hardware.
Companies also have their offices cleaned by cleaning companies, their food delivered by caterers, and so on.
All the companies delivering these services, offerings, platforms and software are vendors. Often the word “suppliers” is used instead of vendors. In this article, we use the word “vendor” to describe these types of companies.
Many vendors handle sensitive or critical data. Other vendors process personal data on behalf of companies. A company that processes personal data on behalf of your company is called a data processor. Data processors are also vendors.
When companies are using data processors, they are legally required to vet them. More about that later in the article.
In this article, we’ll describe what vendor management is, how vendor management works, why having a vendor management system is important, what features vendor management systems should have, and much more.
Vendor management means that you have an overview of your vendors and actively manage them. We have previously written about vendor management systems, but we decided to go more in depth in this article, because managing your vendors includes a long list of activities:
As part of your vendor management you should have all contracts stored in connection with each vendor that you use.
You should also have all relevant business information available for each vendor. The vendor information you should have is:
A good vendor management setup means that you will be able to save money, improve deliveries and services from your vendors, improve collaboration internally, mitigate risk, comply with regulation such as the GDPR, avoid delivery failures and strengthen your ESG and CRM frameworks.
Vendor management starts from before a supplier contract is signed.
Vendor management begins by identifying the needs you and the business have. Once identified, the next step is to shortlist potential vendors who meet those needs.
A good place to start is by looking at all the vendors you already have engagements with.
You use the vendor management platform to assess your current vendors, and you may be able to use the same system to compare candidates and choose the vendor that meets your needs best.
The system you use should let you upload contracts, add contact details, and record details about your vendors such as their locations and security certifications.
Negotiating the contract is the next step in the process. You should review the order form, the terms, the data processing agreement (DPA) and the vendor’s security information, and find out more about the vendor.
After the contract is signed, you should be able to upload the signed contract and add details such as the value of the contract, the renewal terms, who the internal business owner is, and who in legal reviewed the contract.
During the vendor management lifecycle, regular assessments of your vendors’ performance are required. Vendor vetting is also legally required for specific vendors, in particular data processors.
Vendor management is important because it can:
There are many different types of vendors, e.g. data processors, third-party vendors, business-critical systems, manufacturers, retailers, service providers, consultants, freelancers and independent vendors.
Especially when it comes to data processors there are many vendor vetting requirements. This is due to article 28 of the GDPR, which requires you to use only processors that provide sufficient guarantees that they implement appropriate technical and organisational measures to protect personal data.
A vendor management system is sometimes called vendor management software.
Vendor management systems give you an overview of the vendors your company is using. The contact details of these vendors should be in this system, so you can easily compile and find information about specific vendors and generate reports.
You can use the vendor management software to control costs, mitigate vendor risks, see who in the organization owns each vendor, which vendors are used by which departments, and which systems are business critical.
The vendor management platform should also let you store the contracts, order forms, NDAs, data processing agreements and security certifications and audit reports, e.g. ISO 27001:2013 certificates and SOC 2 Type II reports, together with their validity dates.
When you have these insights by the click of a button, it will help reduce risks involved in managing the supply chain.
The software should enable you to track various types of business vendors, including data processors, joint data controllers, third parties.
As mentioned, data processors are vendors that process personal data on your company’s behalf. Here are some examples of data processors you might use:
Slack: You use Slack to communicate internally and a lot of data is in that tool, for example email addresses, happy birthday notes, pictures, titles, conversations etc. So Slack is a data processor and also a vendor.
Zendesk: Zendesk is often used by your customer support team to communicate with customers and users. In that system you will have information about customer complaints, emails, addresses, contact information and information about employees. So Zendesk is also a data processor and a vendor.
Hubspot: Hubspot is often used by your sales and marketing team. It’s the system where you have all data about your customers, prospects, marketing efforts, newsletter sign-ups and much more. So Hubspot is a critical system and a business critical vendor - and a data processor.
Your data processors are required to comply with article 28 of the GDPR and so are you as the data controller. This means that you need to have the following things in place with these vendors:
Openli collects and stores this information on the vendors’ own privacy profile.
You also need to do a risk assessment of all your data processors, and a transfer impact assessment for each processor that transfers personal data outside the EU/EEA (for example to a sub-processor in the US). A transfer impact assessment can be difficult to do, and a guide can be useful.
The GDPR requires you as the data controller to only use processors that provide sufficient guarantees, and article 28 gives you the right to audit and inspect them. In practice this means reviewing your vendors on a regular basis and making sure that they live up to the DPA. So regular vendor vetting and management is even more important.
Remember, if a vendor has a data breach, the potential fines are high and the reputational damage just as high. As the data controller, that risk is yours.
So a vendor management system can help mitigate those risks and help you with vetting your data processors.
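To make the review requirements above concrete, here is an added example of the kind of check a vendor management system should run over a vendor register: it flags data processors without a DPA, processors outside the EU/EEA with no transfer impact assessment, vendors whose regular review is overdue, and expired security certifications or audit reports, then orders the results so data processors and business-critical vendors come first. This is illustrative code written for this article, not Openli’s product or API. The vendor records, the annual review interval and the treatment of “EU” and “EEA” as the only locations needing no transfer assessment are all assumptions of the example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Assumptions for this example: vendors are reviewed at least once a year, and
# data processed in "EU" or "EEA" needs no transfer impact assessment.
REVIEW_INTERVAL = timedelta(days=365)
NO_TRANSFER_ASSESSMENT_NEEDED = {"EU", "EEA"}
TODAY = date(2024, 6, 1)  # fixed date so the sample output is reproducible


@dataclass
class Vendor:
    name: str
    owner: str                      # internal business owner
    is_processor: bool              # processes personal data on our behalf
    business_critical: bool
    dpa_signed: bool                # data processing agreement in place
    processing_location: str        # where the vendor processes our data
    tia_done: bool                  # transfer impact assessment completed
    last_review: Optional[date]     # date of the last vendor review, None = never
    certifications: Dict[str, date] = field(default_factory=dict)  # name -> valid until


def vendor_findings(v: Vendor, today: date = TODAY) -> List[str]:
    """Return the open vendor-management issues for a single vendor."""
    findings: List[str] = []
    if v.is_processor and not v.dpa_signed:
        findings.append("missing DPA")
    if (v.is_processor
            and v.processing_location not in NO_TRANSFER_ASSESSMENT_NEEDED
            and not v.tia_done):
        findings.append("transfer outside EU/EEA without transfer impact assessment")
    if v.last_review is None:
        findings.append("never reviewed")
    elif today - v.last_review > REVIEW_INTERVAL:
        findings.append(f"review overdue (last {v.last_review.isoformat()})")
    for cert, valid_until in v.certifications.items():
        if valid_until < today:
            findings.append(f"{cert} expired on {valid_until.isoformat()}")
    return findings


def review_queue(vendors: List[Vendor], today: date = TODAY) -> List[Tuple[str, str, List[str]]]:
    """Vendors with open findings, data processors and business-critical vendors first."""
    ranked = sorted(vendors, key=lambda v: (not v.is_processor, not v.business_critical, v.name))
    queue = []
    for v in ranked:
        findings = vendor_findings(v, today)
        if findings:
            queue.append((v.name, v.owner, findings))
    return queue


# Constructed sample register; the vendors and their attributes are invented.
SAMPLE_VENDORS = [
    Vendor("Acme Chat", "Head of IT", True, True, True, "US", False, date(2023, 12, 1),
           {"ISO 27001": date(2025, 3, 1), "SOC 2 Type II report": date(2024, 2, 1)}),
    Vendor("Beta Support Desk", "Head of Support", True, False, False, "EU", False, None),
    Vendor("Cleaning Co", "Office Manager", False, False, False, "EU", False, date(2023, 1, 15)),
    Vendor("Fresh Food Catering", "Office Manager", False, False, False, "EU", False, date(2024, 3, 1)),
]

if __name__ == "__main__":
    for name, owner, findings in review_queue(SAMPLE_VENDORS):
        print(f"{name} (owner: {owner})")
        for finding in findings:
            print(f"  - {finding}")
```

Run as a script, the example prints a review queue with Acme Chat first (a business-critical processor with an expired SOC 2 report and a US transfer that has not been assessed), then Beta Support Desk (a processor with no DPA that has never been reviewed), then Cleaning Co (only an overdue review); the catering vendor has no findings and is left out. A real system would load the register from its vendor database and send the queue to the business owners listed against each vendor.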
If you are ready to vet the vendors that process personal data for you, here are the points to consider, what to look for, and how to check your vendors’ GDPR compliance: