Vendor management

Written by Stine Mangor Tornmark on November 24, 2022

Vendor management matters to every company. Today, companies build and operate their businesses, services, products and platforms on other companies’ tools, software, services and platforms, in the cloud and on other companies’ hardware.

Companies also have their offices cleaned by cleaning companies, food delivered by caterers, and so on.

All the companies delivering these services, offerings, platforms and software are vendors. The word “suppliers” is often used instead of vendors. In this article, we use the word “vendor” for these types of companies.

Many vendors handle sensitive or critical data. Other vendors process data on behalf of companies; a company processing data on behalf of your company is called a data processor. Data processors are also vendors.

When companies use data processors, they are legally required to vet them. More about that later in the article.

In this article, we describe what vendor management is, how it works, why having a vendor management system is important, what features a vendor management system should have, and much more.

What’s vendor management?

Vendor management means that you have an overview of your vendors and manage them. We have previously written about vendor management systems, but we decided to go more in depth in this article, because managing your vendors includes a long list of activities:

  • keeping costs under control
  • knowing who your vendors are
  • knowing what types of vendors you have and which categories they fall into
  • knowing which vendors are used for which services
  • mitigating risks and increasing compliance
  • collaborating with your vendors
  • having insight into business-critical infrastructure and which vendors are business critical

As part of your vendor management, you should have all contracts stored in connection with each vendor you use.

Vendor information

You should also have all relevant business information available for each vendor. The vendor information you should have is:

  • full company name, including the entity type (for example GmbH, Inc., etc.)
  • business address
  • corporation number
  • contact information for the primary vendor contact, such as name, email address and title

A good vendor management setup means that you will be able to save money, improve deliveries and services from your vendors, improve collaboration internally, mitigate risk, increase compliance (e.g. with the GDPR), avoid delivery failures and strengthen your ESG and CRM frameworks.

How does vendor management work?

Vendor management starts before a supplier contract is signed.

Vendor management begins by identifying the needs you and the business have. Once these are identified, the next step is to shortlist potential vendors who meet those needs.

A good place to start is by looking at all the vendors you already have engagements with.

You use the vendor management platform to assess your current vendors, and you may be able to use the system to assess and choose the vendor that best meets your needs.

The system you use should let you upload contracts, add contact details, and record details such as the locations of your vendors and their security certifications.

Negotiating the contract is the next step in the process. You should review the order form, the terms, the DPA and the security information, and find out more about the vendor.

After the contract is signed, you should be able to upload the signed contract and add details such as the value of the contract, the renewal terms, who the internal business owner is, who in legal reviewed the contract, etc.

During the vendor management lifecycle, regular assessments of your vendors’ performance are required. Vendor vetting is also legally required for specific vendors.

Why is vendor management important?

Vendor management is important because it can:

  • mitigate business risks
  • save costs
  • increase collaboration with both your vendors and within the business
  • optimize usage of your current suppliers
  • give insight into which vendors are used by which departments and who within the organization is responsible for a specific vendor
  • identify vendors not complying with the GDPR
  • delegate responsibility within the organization for the different areas the vendor impacts, e.g. privacy, security, legal, etc.

Vendor types

There are many different types of vendors, e.g. data processors, third-party vendors, business-critical systems, manufacturers, retailers, service providers, consultants, freelancers and independent vendors.

Data processors in particular are subject to many vendor vetting requirements. This is due to Article 28 of the GDPR, which states that data processors must meet specific organizational and security requirements.

What’s a vendor management system?

A vendor management system is sometimes called vendor management software.

Vendor management systems give you an overview of the vendors your company uses. The contact details of these suppliers should be in the system, so you can easily compile and find information about specific vendors and generate reports.

You can use the vendor management software to control costs, mitigate vendor risks, see who in the organization owns each vendor, which vendors are used by which departments, and which systems are business critical.

The vendor management platform should also let you store contracts, order forms, NDAs, data processing agreements and security certificates, e.g. ISO 27001:2013, SOC 2 Type 2.

Having these insights at the click of a button helps reduce the risks involved in managing the supply chain.

The software should enable you to track various types of business vendors, including data processors, joint data controllers and third parties.

GDPR and vendor management

As mentioned, data processors are vendors that process personal data on your company’s behalf. Here are some examples of data processors you might use:

Slack: You use Slack to communicate internally, and a lot of data lives in that tool, for example email addresses, birthday notes, pictures, titles and conversations. So Slack is a data processor and also a vendor.

Zendesk: Zendesk is often used by your customer support team to communicate with customers and users. In that system you will have information about customer complaints, emails, addresses, contact information and information about employees. So Zendesk is also a data processor and a vendor.

Hubspot: Hubspot is often used by your sales and marketing team. It’s the system where you hold all data about your customers, prospects, marketing efforts, newsletter sign-ups and much more. So Hubspot is a critical system and a business-critical vendor, and also a data processor.

Your data processors are required to comply with Article 28 of the GDPR, and so are you as the data controller. This means that you need to have the following in place with these vendors:

  • a data processing agreement
  • documentation that your vendor complies with the GDPR
  • documentation that the vendor has appropriate organizational and technical measures in place to protect your data
  • a transfer agreement if the processor is located outside the EU, as Slack is; this could e.g. be SCCs (standard contractual clauses)
  • security certificates or other documentation that gives you insight into their security
  • an overview of all the sub-processors they use to deliver the services to you

Openli collects and stores this information on each vendor’s own privacy profile.

Business responsibilities

You also need to do a risk assessment, including a transfer impact assessment, of all your data processors. A transfer impact assessment can be difficult to do, and a guide can be useful.

The GDPR clearly states that you as the data controller need to review your vendors on a regular basis and make sure that they live up to the DPA. So regular vendor vetting and management is even more important.

Remember, if a vendor has a data breach, the potential risks and fines are high, and the reputational damage is just as high. As the data controller, that risk is yours.

So a vendor management system can help mitigate those risks and help you vet your data processors.

Checklist for vetting your vendors

If you are ready to vet the vendors that process personal data, here are points to consider: what to look for and how to check your vendors’ GDPR compliance.

  1. Is there a DPA (data processing agreement) signed between you and your vendor?
  • Yes = good
  • No = get a DPA signed

  2. Do you have copies of your vendor’s security certificates?
  • Yes = good
  • No = you need to have documentation on file and show that you have reviewed it. Suggestions: search online, or write to your vendor or your account manager.
  • When you obtain the documents, make a note in the vendor management system under “security” or a similar section to show that you have assessed them.

  3. Is your data leaving the EU?
  • No = good
  • Yes = you need to carry out a transfer impact assessment, and you need to have e.g. SCCs, BCRs or similar documentation on file to show that the data can lawfully leave the EU.

  4. How many sub-processors do your processors use? Do they use many?
  • Yes = review the list and check which sub-processors they use
  • No = good. This means that your data isn’t shared with a lot of other companies.

  5. Are the SCCs updated?
  • By the end of December 2022, all SCCs need to be updated, so you need to check whether your vendor is using the new SCCs (module 1, 2, 3 or 4).

  6. What type of data is processed by the vendor, ordinary or sensitive?
  • Sensitive = you need to be more careful and have higher expectations regarding security etc.
  • Ordinary = assess the vendor as described here

  7. Data retention and deletion: do you know when data is deleted and what the retention periods are?
  • Yes = add the information to your vendor management tool if it’s not already there
  • No = focus on getting insight into when you / the vendor delete the data