Pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council
of 27 April 2016 on the protection of natural persons with regard to the processing
of personal data and on the free movement of such data, and repealing Directive 95/46/EC
(“General Data Protection Regulation”), controllers must only use processors that provide sufficient assurances regarding
their capability to implement appropriate technical and organizational measures, ensuring
that all processing activities are performed and secured in line with the legal requirements.
In this regard, PRIOR TO engaging the services of a processor, the controller must
perform a thorough assessment of the processor’s capabilities to process the entrusted
personal information in a secure and confidential manner, in accordance with the provisions
of the General Data Protection Regulation (GDPR).
Webster University's Privacy and Information Security Global Third-Party Suppliers/Vendor
Management Policy makes it mandatory for all newly procured services, software and/or
applications delivered by third-party service providers/vendors to undergo a preliminary
risk evaluation, initiated as part of the purchase requisition process, that, among other
things, identifies the key security, privacy and contractual requirements the third party
will be required to meet.