Commercial operational and legal and compliance tips when assessing vendors

Website Administrator | 29 January 2021 | 3 min read

Updated: Oct 4, 2023

The last few months have seen a wave of changes in the way in which organisations work. Many are now using their offices less, relying instead on staff working remotely and on third-party suppliers to provide services such as software, systems and solutions. Whilst these services are a necessity and are certainly beneficial for the future, we have seen organisations engaging with suppliers without conducting proper due diligence, entering into contracts without negotiating terms and conditions, and failing to manage their supplier relationships effectively.

At Aria Grace Law, we advise organisations of all sizes on their commercial and compliance matters, and we have put together some key considerations for you to think about when assessing third-party suppliers.

Commercial, Operational and Legal Considerations

  • What is the need for the service? How does it fit with your business?
  • What are the risks? What is the impact if the supplier fails to deliver?
  • Does the supplier have the capability to provide the service?
  • Who is the supplier? Check public records, review their website, look at reviews and news.
  • Does the supplier have a good reputation? Do they comply with laws and regulations?
  • Check if they have a code of conduct.
  • Does the supplier have a good governance structure?
  • Does the supplier have any conflicts of interest?
  • Does the supplier have a robust data protection program?
  • What is the cost of the service? What is the payment structure?
  • What is the term of the contract? What are the termination rights?
  • What are the service levels? What are the remedies for breach?
  • What are the warranties and indemnities?
  • What is the limitation of liability?
  • What is the governing law and jurisdiction?
  • What is the dispute resolution mechanism?

Compliance Considerations

  • Does the supplier have a compliance program?
  • Does the supplier have a whistleblower policy?
  • Does the supplier have a code of ethics?
  • Does the supplier have a data protection policy?
  • Does the supplier have a data breach policy?
  • Does the supplier have a data retention policy?
  • Does the supplier have a data security policy?
  • Does the supplier have a data privacy notice?
  • Does the supplier have a data processing agreement?
  • Does the supplier have a data transfer agreement?
  • Does the supplier have a data sharing agreement?
  • Does the supplier have a data protection impact assessment?
  • Does the supplier have a data protection officer?
  • Does the supplier have a data protection representative?
  • Does the supplier have a data protection register?
  • Does the supplier have a data protection audit?
  • Does the supplier have a data protection training program?
  • Does the supplier have a data protection compliance program?

What should you do next?

If you are assessing a third-party supplier, we recommend that you create a checklist of the above considerations and populate it with the information you gather. This will help you to make an informed decision about whether to engage with the supplier and what terms to negotiate.

If you are already engaged with a third-party supplier, we recommend that you review your contract and relationship with them to ensure that they are complying with their obligations and that you are protected in the event of a breach.

If you would like to discuss any of the above or need assistance with your commercial or compliance matters, please contact us at compliance@aria-grace.com.