Vendor diligence forms for privacy + security

Last updated: 2023-03-01
URL for this page: https://hackmd.io/@investinopen/vendor-privacy-security
URL for this site: https://hackmd.io/@investinopen/how-we-work


What is this?
An internal guide for IOI staff to ensure the privacy and security of IOI's data accessed and/or processed by external vendors. Examples of external vendors include language translators, software developers, etc. Both the guide and the vendor questionnaires were designed by legal experts hired by IOI in 2022.

Who should use this?
Any IOI staff member who is in the initial stage of hiring an external vendor for a piece of work, particularly one involving data or personally sensitive information.

Please use this guide to select the most appropriate questionnaire for your vendor. Templates for each questionnaire are stored in IOI's Google Doc template gallery in Google Workspace (internal access only). Create a new questionnaire from the template gallery, then ask your vendor to complete the questionnaire document and return it to IOI.

What types of data will the vendor process?

There are a few basic types of data that a Vendor may process for IOI, as follows:

1. No personal data

Vendor will not process any Personal Data. Vendor does not need to complete any diligence questionnaires.

2. Basic personal data

Vendor will process basic Personal Data (e.g., any information that directly or indirectly identifies a person or a device and that is not Sensitive Personal Data as defined immediately below, such as name, email, address, phone number, unique device identifiers, IP address, and any information tied to any of these pieces of information).

Will the vendor require an online connection or other integration with IOI’s network or other systems to perform its services?

  1. If no, please have the Vendor complete the Vendor Security Assessment (lite). This assessment is appropriate for vendors that only process limited types of personal data on IOI’s behalf and that do not have direct access to IOI’s systems.
  2. If yes, please have the Vendor complete the Vendor Comprehensive Privacy and Security Questionnaire. This Questionnaire is appropriate for vendors that process more sensitive information or have access to IOI systems.

3. Sensitive personal data

Vendor will process Sensitive Personal Data (e.g., health and wellness information, financial account information, social security numbers, government IDs, race, ethnicity, genetics information, biometrics information, children’s data, political views, religious beliefs, sexual orientation, trade union membership).

4. Personal Data of IOI employees/contractors

Vendor will process Personal Data of IOI employees or contractors (e.g. HR data).

5. Personal Data from Europe, Switzerland, UK

Will the vendor process personal data of individuals located in the European Economic Area, Switzerland, or the United Kingdom?

  1. If no, there is no need to complete Appendix 1 – Data Transfer Questions.
  2. If yes, will the vendor process the personal data only in one or more of the following jurisdictions? European Economic Area, United Kingdom, Switzerland, Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Uruguay.
    1. If yes, there is no need to complete Appendix 1 – Data Transfer Questions.
    2. If no, and the vendor will process the personal data in other locations besides those named above, require the vendor to complete Appendix 1 – Data Transfer Questions.

Questionnaires for vendor

Vendor Security Assessment (lite)

This assessment is appropriate for vendors that only process limited types of personal data on IOI’s behalf and that do not have direct access to IOI’s systems.


Vendor Comprehensive Privacy and Security Questionnaire

This Questionnaire is appropriate for vendors that process more sensitive information or that have direct access to IOI systems.

Appendix 1: Data Transfer Questions


See also


This page first published: 2023-03-01

tags: about-us process onboarding