Understanding contractual obligations
I recently wrote about signing master service agreements (MSAs) with large corporations, skipping blithely over an important phrase that’s included in ALL of them:
Giant Corporation may audit Supplier (that’s you) records to verify Supplier’s statements and compliance with this Agreement, including but not limited to privacy or security requirements.
What privacy and security requirements are they talking about? That depends on the company you’re contracting with. I’ve had to comply with either or both for quite a few Fortune 500 companies. Sometimes the requirements are basic. I’ve seen (and signed) data security agreements that amount to “I promise not to be an idiot and make everyone change their passwords once in a while.”
At the other end of the spectrum, there are policies that are complex and reach into your operation in ways you didn’t expect.
Complying with your Customer: An Example
Let’s take Microsoft as an example, since their privacy program is widely known and publicly accessible.
Microsoft has what it calls its Supplier Security & Privacy Assurance (SSPA) standards. These standards are codified in the Data Protection Requirements (DPR), a 21-page document that is more or less readable by a normal person but addresses use cases of data security and privacy at a granular level. There are lots of requirements about data security and data privacy, but also designation of responsible parties, employee training, subcontract language, record retention, website cookies, disaster preparedness, business continuity, company policies – things you may not have considered before and have certainly never had to show (and attest to) to a client.
Anyone who has done any business directly with Microsoft in the last ten or so years has been subject to the SSPA and the DPR. There are companies (I’ve talked to several) who worked with Microsoft for years without realizing the requirements, until one day they got a friendly emailing saying they’d be unable to invoice Microsoft without proof of compliance.
If you handle or process consumer data, or “high business impact” data (which can include design files) for Microsoft, you not only need to comply with the DPR, but you’ll need to be audited and certified by a third party. With an experienced SSPA auditor (shout out to Connor Consulting) this can be a straightforward process, but the first time you undergo an audit, it will be someone at your agency’s full-time job for a few weeks or maybe longer. It may require setting some standards and doing some planning and thinking about some concepts you haven’t thought about before. The best part: the 3rd party audit can cost upwards of $10,000 (yes, it costs YOU $10,000 for the privilege of doing business with Microsoft).
Compliance as an Investment in your Customer Relationship
Of course, big corporations have deep pockets and building a good relationship with one or more large brands can not only stabilize your company financially but also build your reputation, visibility, team and you get to put their logo on your website, right? (Reality check: that MSA you signed probably doesn’t technically allow you to name them as a customer but cease and desist orders for this kind of thing are not common.) The cost of an audit and other compliance costs (carbon disclosure is another one gaining traction) can certainly be a good investment in a long-term partnership.
However, when dealing with large companies, no matter how good your relationship is with your every-day contact, it’s inevitable that you’ll encounter one (or more) of their colleagues from procurement, legal or finance who is interested in how compliant you are with their policies.
This doesn’t need to be a scary conversation. While there are always exceptions, most companies want their partners to succeed and try to support them in these efforts, but they are going to want results and they are going to have a timeline. Without a doubt, the best way to handle this kind of compliance is openly and honestly. No amount of stalling or obfuscating is going to work in the long run and those are good ways to get a reputation in the procurement department as a “problem child”. As you try to sell in to other divisions of your Fortune 500 client, the procurement department can be your champion (ideal), neutral about you (fine) or flat out sabotage you if they’ve decided you don’t respect them and their rules. If your philosophy is to catch more flies with honey than with vinegar, being responsive and professional to compliance inquiries is a good way to drip a little of that honey into the procurement/finance/legal machine too.
Getting Help with Contractual Compliance
If you’re working with large corporations, these relationships and processes aren’t always easy to manage. In some cases, it can be like having another client that doesn’t generate revenue! This is a good example of something a long-term outsourcing relationship can help with. If you’re working with an outsourced accounting service on your Accounts Receivable, the AR specialist may already have relationships inside or knowledge about the inner workings of your large corporate clients, and they certainly will understand the concepts behind your procurement-client’s questions. If they’re managing your back-office, they can manage your back-office relationships, too.