Peter M.J. Gross

February 22, 2022

Vendor Due Diligence for Data Privacy

Companies that want to become data-sharing masters must manage that data carefully. When performing due diligence on a new data provider, it’s not enough to review representations and warranties while hoping for the best — Chief Data Officers (CDOs) must ask detailed questions to understand how external data sources operate. 

There are five key areas to consider when reviewing data providers.

Sourcing Practices

Find out whether a provider has automated processes in place for collecting data, and understand its policies and practices for automation.

The provider may be using government records, publicly available sources, third-party records, or information collected from individuals, which each have their own implications for managing consent and implementing privacy policies. 

Even publicly available data can provide sensitive personal information that may be subject to regulatory oversight. Ask whether providers regularly receive data subject requests and whether and how they are prepared to respond to them. 

Lawful Purpose

Consent processes may be influenced by the data provider’s lawful reasons for processing personal data. Whenever a provider claims that its collection of personal data is supported by a lawful reason, that claim should be reviewed.

Consent Policies

If a provider’s lawful basis for processing personal data is consent, ask questions to examine that process:

  • Is the consent language clear — does the provider explain what they are collecting and sharing and why?

  • Has the provider clearly described an individual’s legal rights under relevant jurisdictions?

  • Do individuals actively provide their consent, or is consent assumed by default? Do individuals need to take additional steps to prevent their data from being collected?

  • Can an individual withdraw consent, and how does the provider respond to that request?

The actual mechanisms for acquiring consent also matter. Individuals should give consent freely and affirmatively, after being informed of their rights, as opposed to assuming that they have given consent based on their participation in a survey or registration for a service.

When data providers are reviewed for inclusion in the Demyst platform, the main considerations are whether consent was obtained, whether that consent was informed and freely given, and what process was used to obtain it. 

Reviewing and Renewing Relationships

Data privacy regulations continue to be updated, so due diligence needs to be an ongoing process that responds to these regulatory changes. Data providers should be able to explain how they are adapting their business processes to comply with changing regulations.

Any company onboarding new data sources must not only inspect the provider’s current data collection practices, they must also review those practices at regular intervals in the future. 

Data Supply Chains

When a data provider aggregates data from other sources, or relies on other organizations to collect its data, those collection practices should be considered as well.

It may not be possible to trace collection practices all the way back to the source of the data, but asking a provider about its own due diligence processes can reveal unexpected risks in the data supply chain. 

This Is No Substitute for Legal Advice

The due diligence process will be different for each data provider; data privacy regulations involve too many variables for a simple checklist. Extra care is necessary when dealing with topics like sensitive personal information, criminal information, and information pertaining to children.

Ultimately, companies onboarding new data providers will need to make their own risk assessments after receiving legal advice from qualified attorneys. And they will need to update those risk assessments as their business relationships continue. 

This is what the future will look like for external data — any organization that wants to benefit from greater insights from data must either make substantial investments in data capabilities or work with a partner who already has those capabilities.

The Demyst platform works with data providers that meet stringent qualifications while reducing the friction associated with external data procurement, testing, and deployment. Certified providers in the Demyst data ecosystem are asked more than 150 questions for a detailed understanding of their privacy policies. 

Browse the catalog to learn more about the data sources available through Demyst.
