Lusha’s Guide on How to Choose a Data Vendor
Considerations for Choosing a Data Vendor and Granting Them Access to Your Systems
Part 1: Selecting a Data Vendor
Are you a privacy professional or in-house counsel at a company whose internal teams are looking for a data vendor? Lusha is here to help you ask the right questions and provide insights to help guide your selection of the perfect data vendor for your company.
Before committing to a data vendor, privacy professionals and in-house counsel must conduct a thorough analysis of the data vendor to ensure that it is safeguarding compliance and mitigating its risks. Here is a comprehensive list of considerations to keep in mind when procuring a data vendor:
1. Vendor’s Privacy and Compliance Team:
Considering that there are competitors in the data-sharing industry that don’t have an in-house team of privacy professionals, it is important to ask the data vendor whether they have a hands-on, in-house team that is ready to deal with privacy issues as soon as they arise.
Their team should include a designated Data Protection Officer (DPO), and the size of the team should be proportional to the number of customers the vendor has. Additionally, everyone on the in-house privacy team should hold IAPP certifications, proving that these individuals can manage, analyze, handle, and access data as part of their role expectations. This provides insight into the company’s approach to compliance.
2. Contractual Compliance Assurances:
Make sure to ask the data vendor if it can provide you with representations and warranties ensuring that it is able to compliantly provide you with the data it is selling. Sharing personal data with you must comply with all relevant privacy laws that the data vendor is subject to, particularly GDPR and CCPA.
As an example, you can refer to Lusha’s standard Master Subscription Agreement, which states in Section 7.4 that we possess all necessary authority and permissions to provision our customers with access to the data.
3. Certificate from an Independent Auditor:
An audit from an impartial European auditor provides an objective assessment of the data vendor’s compliance with relevant data protection regulations. So, it may come as a surprise that many data vendors have not undergone this assessment.
You can ask the data vendor to provide you with a certificate that proves their compliance, such as the ePrivacy Seal (a German auditor that awarded Lusha its certificate). If they cannot provide this, it will be important to seek further clarification regarding their compliance claims.
4. Article 14 Notification:
Article 14 of the GDPR requires data vendors to notify data subjects that their data is being processed and sold.
Before purchasing contact data, it is important to ensure that all data subjects identified as being from the European Economic Area (EEA) have been appropriately notified as per Article 14 of the GDPR. You can also push the data vendor to provide you with representations and warranties that they have met this requirement.
5. Article 19 Opt-Out Process:
Upon a data subject’s decision to opt out, Article 19 of the GDPR requires that the data vendor inform any recipient of the data of the opt-out request.
Privacy professionals should verify that their data vendor of choice will proactively notify your organization if a purchased prospect requests to opt out, in line with Article 19 of the GDPR. Many data vendors do not have the technical infrastructure to provide this service, and some only do it if you connect to their API (which may raise other privacy issues, as detailed below).
Customers should also be aware that some data vendors will remove purchased contacts from your internal systems if the contact chooses to opt out. You’ll want to make sure that you remain in control of removing the contact, since you may have already established a legal basis to continue processing their data.
6. CCPA Data Compliance:
California, among other states in the USA, requires that data vendors register as data brokers. You can request that your data broker provide you with representations and warranties confirming that the vendor has registered as a data broker in California under CCPA.
Additionally, if the data broker is claiming that they are compliant with the CCPA, you can ask them to show you their certificate from a third-party auditor. TRUSTe, Lusha’s auditor, provides an attestation that can be shared with customers looking for proof of CCPA compliance.
7. ISO 27701 Accreditation:
Many data vendors have acquired ISO 27701 certifications, but it is worth finding a data vendor whose ISO 27701 certificate is accredited by an international body. Accreditation is an audit of the certification by a recognized international body for reliability (such as ANAB, which accredited Lusha’s certificate). Accreditation suggests that the company’s privacy and security processes have been verified and are in place.
8. UK Data Compliance and Scrubbing:
The TPS and CTPS (the UK’s do-not-call lists) can create costly fees for companies that call individuals registered on those lists.
For UK data purchases, inquire whether the vendor is an “official cleaner” of the TPS and CTPS to help your company mitigate litigation risks. Many data vendors are not official cleaners and therefore have no obligation to scrub their data in a timely manner. Make sure the data vendor consistently refreshes its data and allows you to remove personal data belonging to individuals on the TPS and CTPS.
9. Data Usage Post-Termination of the Agreement:
Individuals own their data, not the companies who are selling it. That’s why, even after our relationship has ended, Lusha allows its customers to continue using the data they have purchased.
You can ask data vendors to provide you with contractual assurances that the vendor will not prevent you from using the data that you have purchased after the contract has terminated. Some companies even go as far as to take legal action against their customers for continuing to use data post-contract termination.
10. Data Processing Agreement and Controller Status:
Data vendors and their customers should enter into a Data Processing Agreement in order to ensure that the customer’s employee and CRM data remains protected.
It is also important to verify that the data provider establishes your organization’s status as an independent controller when purchasing data. You will want to ensure that your company is not a processor or joint controller with the data vendor. This could lead to your company taking on liability for the data vendor’s actions.
Part 2: Granting Access to Company Systems to Data Vendors
Our guide for choosing a data vendor would be incomplete without a checklist for evaluating the decision to grant access to your company systems or request data enrichment services. The checklist below can help ensure that your internal systems are safeguarded in the process:
1. Data Processing Agreement and Controller-Processor Relationship:
As mentioned above, Data Processing Agreements are essential in ensuring that the data you share with the data vendor is protected. A robust Data Processing Agreement will define your company as the Controller and the data vendor as the Processor regarding company data. It will also outline the safeguards that the data vendor must provide you to protect your data.
2. Data Sharing and Selling Restrictions:
Read the fine print of the agreement you’re signing. Some data vendors will try to add the data you share with them to their own database.
You can ask data vendors for contractual assurances that the data your company provides will not be shared with or sold to third parties. You can use Lusha’s promise in Section 6.6 of our Master Subscription Agreement as an example of wording to request from the data vendor.
3. Purpose-Limited Data Usage:
Data Processing Agreements should clearly state that the data accessed from your company’s systems will be used solely for the agreed-upon service. To further confirm that this obligation is met, you can request that the data vendor provide you with an ISO 31700 (privacy by design) certification. An ISO 31700 certification demonstrates the data vendor’s adherence to privacy principles.
4. Security Certifications:
Security certifications, such as SOC 2 and ISO 27001, serve as evidence that a data vendor has implemented strong security measures to protect the confidentiality, integrity, and availability of the data it handles.
You can request that the data vendor provide you with copies of all the security certifications that they possess to guarantee the security of your data during processing.
5. EU Data Localization:
Certain customers prefer data storage in Europe due to its stringent data protection laws. Customers have greater control over their data, and the likelihood of a data breach is reduced because European data centers need to adhere to strict security standards.
Ensure you are mitigating your company’s risk by requesting that your company’s data be stored within the EU.
These guidelines and checklists will help privacy professionals and in-house counsel choose the right data vendor. You’ll be able to safeguard your company data, ensure compliance with regulations, and mitigate risks associated with granting access to company systems.
Explore More: Webinars on Choosing the Right Vendor
For a more in-depth exploration of vendor selection, we invite you to watch two insightful webinars we hosted on this topic. These sessions, featuring industry experts, provide valuable guidance and practical tips to enhance your decision-making process.
In this informative panel discussion, hosted by IAPP in collaboration with Lusha, Assaf Gilad and other industry experts delve into the essential factors to consider when choosing a data vendor. The discussion covers critical aspects such as compliance, data quality, and vendor reliability, offering valuable insights to help you make well-informed decisions for your business.
Compliance Webinar: The Safe and Compliant Way to Purchase Prospect Data
Lusha’s legal experts discuss compliant methods for acquiring prospect data. The webinar covers data procurement dos and don’ts, protecting against legal risks, ensuring GDPR and CCPA compliance, and securing data access. Gain the knowledge to acquire prospect data confidently and safely.