Vendor Risk Assessment

Pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“General Data Protection Regulation”), controllers must only use processors that provide sufficient assurances regarding their capability to implement appropriate technical and organizational measures ensuring that all processing activities are performed and secured in line with the legal requirements.

In this regard, PRIOR TO engaging the services of a processor, the controller must perform a thorough assessment of the processor’s capabilities to process the entrusted personal information in a secure and confidential manner, in accordance with the provisions of the General Data Protection Regulation (GDPR).

Webster University's Privacy and Information Security Global Vendor Management Policy makes it mandatory for all newly procured services, software and/or applications delivered by third-party service providers/vendors to undergo a preliminary risk evaluation, initiated as part of the purchase requisition process, that, among other things, identifies the key security, privacy and contractual requirements the third party will be required to meet.

Webster University Procurement Policy outlines the overall framework for purchasing or acquiring goods or services for the campuses of Webster University located in the United States. The policy acknowledges the need for internal controls while recognizing our entrepreneurial heritage.

This policy works in unison with the following:

  • Accounts Payable Policy,
  • Travel & Expense Policy,
  • Purchasing Card Policy and Procedures,
  • Privacy and Information Security Global Third-Party Suppliers/Vendor Management Policy.

Data Protection Impact Assessment