Finding the right compliance partner is like online dating, except the stakes are higher and there are more lawyers involved.
Our first attempt was a complete disaster. The company looked great on paper—slick website, impressive client testimonials, pricing that seemed too good to be true. And it was.
Turns out they were farming out the actual work to contractors in three different countries. Their data handling protocols were basically “we’ll figure it out as we go.” Their approach to GDPR compliance was crossing their fingers and hoping European regulators wouldn’t notice.
We fired them after two months.
After that, we treated vendor selection like we were hiring a new CEO. Background checks, reference calls, financial audits—the whole nine yards. If they couldn’t handle our questions during the sales process, how were they going to handle an actual regulatory exam?
Our legal team went nuts with the contracts. We’re talking 50-page agreements that covered everything from who owns what data to what happens if the vendor gets bought out by someone else. We defined service levels down to the minute. We even had clauses about what to do when regulations change mid-contract (because they always do).
The jurisdiction stuff gave me nightmares. Our vendor is based in Delaware but has offices in London and Toronto. We’re in California but operate everywhere. Figuring out which laws applied where cost us more in legal fees than I want to think about.