Pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“General Data Protection Regulation”), controllers must only use processors that provide sufficient assurances regarding their capability to implement appropriate technical and organizational measures, ensuring that all processing activities are performed and secured in line with the legal requirements.
In this regard, PRIOR TO engaging the services of a processor, the controller must perform a thorough assessment of the processor’s capabilities to process the entrusted personal information in a secure and confidential manner, in accordance with the provisions of the General Data Protection Regulation (GDPR).
Webster University's Privacy and Information Security Global Third-Party Suppliers/Vendor Management Policy makes it mandatory for all new procured services, software and/or applications delivered by third-party service providers/vendors to undergo a preliminary risk evaluation initiated as part of the purchase requisition process and, among others, identify the key security, privacy and contractual requirements the third party will be required to meet.
