7 Important Considerations for Defensible Vendor Diligence

To effectively meet your obligations, legal must define the universe of third-party vendors and service providers and establish a process that documents the steps you've taken for data privacy remediation and compliance. Companies struggle to maintain an inventory of the third parties they share personal data with, so it’s no surprise they can’t adequately monitor the privacy and security practices of their third parties.

An average of 63 percent of a company’s personal and sensitive data is disclosed to or managed by third-party service providers and vendors spanning a wide range of functions, including claims management, human resources, law firms, legal services, payroll, accounting, marketing, customer services, software development, engineering, and many more.

"Only 34 percent of respondents say they have a comprehensive inventory of all their third parties." - Ponemon Institute
"69% of respondents cite a lack of centralized control over the management of third-party relationships." - Ponemon Institute

Legal must establish and maintain a vendor risk profiling process to identify which vendors are relevant to data privacy and cybersecurity regulations. Vendor risk profiling also helps you discover which vendors may not currently fall under a regulation, but still pose a high risk to your company.

  1. Eliminate spreadsheets and manual processes. Relying on spreadsheet questionnaires is not sufficient and won’t pass regulatory scrutiny. This approach is resource-intensive, error-prone, and limits your ability to assess all third parties at the appropriate levels.

  2. Risk profile every third party, not just your largest. Any third party, including legal service providers, with any level of access to your systems or personal data represents a risk. Your vendors’ failures will be your failures.

  3. Identify which third parties are processing personal data. Not all third-party relationships are the same. Conduct a vendor risk profile routinely on all third parties to understand and document each relationship and identify which third parties are applicable to the regulatory requirements.

  4. Assess third parties against relevant standards. All third parties that surface as relevant to regulatory compliance should be risk assessed annually against the regulatory guidelines and recognized security frameworks to identify and remediate risks to personal data.

  5. Assess legal service providers against the ACC model controls. Legal service providers have some of your most sensitive information including personal data. The ACC Model Information Protection and Security Controls for Outside Counsel provide a best practice standard for evaluating their information security practices.

  6. Make it easy for your third parties to respond. Using the right technology, processes, and assessment standards enables accurate, timely responses from your third parties. You’ll be able to systematically document your compliance efforts and address risks before they turn into violations.

  7. Establish a recurring assessment process. Compliance with the data protection regulations is ongoing, and third-party relationships evolve. Ensure you have a repeatable, well-documented process for routinely assessing third-party compliance and personal data risks.

The ACC Vendor Risk Service is the only solution that enables legal teams to identify which vendors touch your company’s personal data and are potentially relevant to data privacy and cybersecurity regulations. The ACC Vendor Risk Service, powered by Jordan Lawrence, provides proven assessment standards and efficient automation so you can rapidly risk profile all your vendors and establish a repeatable, ongoing compliance process.


© 2019 Jordan Lawrence. No legal representation made.

Jordan Lawrence is not a law firm and does not provide legal advice.