Vendor Risk Management and Your Data

The Virginia Consumer Data Protection Act (VCDPA), which goes into effect January 1, 2023, provides new data protection rights for Virginia residents, while imposing affirmative duties on Virginia businesses related to the collection and use of consumer data. The VCDPA brings needed attention to consumer rights and business obligations related to consumer data. Yet privacy rights related to vendor management are still often overlooked and poorly managed.Despite the most thorough and thoughtful Privacy Program, if a company does not properly perform vendor risk management, then it is putting consumer data at risk. This is both a bad business practice and noncompliant with the VCDPA.

VCDPA Vendor Management Obligations

The VCDPA imposes vendor risk management obligations including express contract protections related to a vendor’s data processing of a company’s information. In practice, proper vendor management involves data privacy compliance, demonstrated compliance, and ensuring that every vendor down the supply chain is complying with relevant obligations (often imposed by contract).The VCDPA also imposes specific obligations for data controllers and data processors. (Determining whether you are a Data Controller or Data Processor, or some combination, can be difficult, so consult with counsel.) Data processors have the duty to adhere to the instructions of the controller and assist in compliance under the law including:
  • responding to consumer rights requests;
  • assisting the controller regarding the security of processing and notification of security breaches; and
  • providing necessary information to enable the controller to conduct and document data protection assessments.
If the vendor is in another jurisdiction–which is often the case–then assessing compliance and the adequacy of the vendor data protection can be more complicated. Although the VCDPA does not impose data transfer restrictions, best practices include a careful consideration of data transfers from or to a vendor. Assessing the adequacy may be based on EU adequacy decisions, standard contractual clauses, binding corporate rules, and other safeguard mechanisms.Whether your company is a data controller or data processor, you have specific obligations under the VCDPA. Moreover, ensuring compliance by the vendors that hold your company’s sensitive data is as important as securing your internal company systems.

Where to Start?

Taking the first step in this process can often be the most difficult, because you may not know where to begin. But it starts with a thorough audit and review of your Company’s current vendors and processes. Appropriate remediation, documentation, and reporting may follow. Once the review and audit is conducted with current vendors, your Privacy Program going forward will involve solid vendor vetting and management practices on the front-end of every vendor relationship.This cycle should involve close partnership with your trusted privacy professional partners. Contact our office today for more information on how we can partner with your Company in the vendor risk management process.