Third-Party Diligence for Regulatory Compliance

Proactive counsel know the arrival of the GDPR and CCPA is just the tipping point as several other states in the US have already introduced similar bills that continue expanded obligations for companies that will depend on thoughtful vendor management. For example, Texas, staying true to form, has introduced two privacy bills, one which could leapfrog the CCPA and go into effect in 2019. Yet most companies do not even have an up-to-date inventory of their vendors, which is square one on the path to protecting enterprise data and entrusted personal information.

Vendor risk profiling is a legal and regulatory compliance issue - not just an IT problem. Effective management requires companies to have an understanding of the specific types of data shared, processed, or managed by each vendor. It can also include requiring your vendors to have certain security precautions in place at the time of contracting in order to properly protect certain sensitive or regulated data.

Before determining the level of diligence required for each of your vendors, and the associated level of risk they pose to your company, you must first determine what data elements of your data inventory each of your vendors have theoretical access to, even if they do not use such data in the course of performing the contracted services.

Vendor risk management is a central concept of any enterprise cybersecurity strategy that is designed to (i) ensure the confidentiality, integrity, availability of data; (ii) protect privacy interests for entrusted personal data; (iii) demonstrate reasonable operations to boards, insurers, government regulators, and external interested parties; and (iv) mitigate commercial risk to the enterprise.” - Lewis Dolezal, Corporate Counsel, Scotts Miracle-Gro


  1. Do you know which of your vendors touch your company’s data?

  2. Do you know the specific types of personal or regulated data disclosed to each vendor?

  3. Do you know how your vendors protect and manage your data?

  4. Can your vendors comply with data access requests under the GDPR and CCPA?

  5. Do you have the right contract terms in place with vendors that access your data?

The ACC Vendor Risk Service, Powered by Jordan Lawrence, is the only solution that enables legal teams to surface which vendors are relevant to data privacy and cybersecurity regulations by documenting the categories of sensitive and personal data accessed by each vendor. Learn more.


Contact Us

© 2019 Jordan Lawrence. No legal representation made.

Jordan Lawrence is not a law firm and does not provide legal advice.