Mastering Vendor Risk Management

1. What does Vendor Risk Management (VRM) mean?

In the context of the General Data Protection Regulation (GDPR), Vendor Management or Vendor Risk Management (VRM) consists of managing the risks resulting from the processing of personal data by third parties, also known as “processors” or “vendors”. Fortunately, different tools allow organizations to conduct a sound Vendor Risk Management.

1.1. Vendor Assessment

The first and obvious step is a vendor assessment. When an organization is looking for processors to help him with its activities, the controller (i.e., the organization in charge of the processing of personal data) must ensure that the processors (i.e., organizations working on the behalf of the controller) are suited for the task and that they offer a sufficient level of protection. The more efficient way to do so is by checking their certificates and/or by making them fill in a questionnaire.

1.2. Data Processing Impact Assessment (DPIA)

Prior to the processing of personal data, the controller may be obligated to conduct a Data Processing Impact Assessment (DPIA). In the context of Vendor Risk Management (VRM), this assessment will give an overview of the risks that third-party processing of personal data may pose. From this evaluation, the controller will have to decide if he wishes to pursue with this processor, or if the risks remain too high even with the security measures proposed – if the risks are too high and that the controller still wants to proceed, an authorization from the Supervisory Authority is required. Either way, (most of) the risks will be known, and new decisions will be made with conscious consideration.

Check out our blog

4 steps to execute flawless DPIAs

Conducting a DPIA before any processing of personal data would be ideal, but it can be very time consuming. The GDPR makes a DPIA necessary if the processing is likely to result in high risks to the rights and freedoms of data subjects (i.e., individuals from whom personal data is being processed). Some situations are detailed in the GDPR, but the guidelines on “DPIA and determining whether processing is likely to result in a high risk” from the Article 29 Working Party (now known as the European Data Protection Board, EDPB) acts as a reference (cf. WP248rev.01). These guidelines outline nine criteria for determining when processing is considered risky:

  1. Evaluation or scoring of data subjects.
  2. Automated decision-making with legal or similar significant effect.
  3. Systematic monitoring.
  4. Sensitive data or data of a highly personal nature.
  5. Data processed on a large scale.
  6. Matching or combining datasets.
  7. Data concerning vulnerable data subjects.
  8. Innovative use or applying new technological or organizational solutions.
  9. Preventing data subjects from exercising a right or using a service or a contract.

If two of the nine criteria are met, a DPIA is very likely to be necessary. However, a single criterion could also be sufficient to trigger a DPIA; it is on a case-by-case basis.

1.3. Data Processing Agreement (DPA)

Once a suitable processor is found, the processing must be formalized in a Data Processing Agreement (DPA). This is a requirement from the GDPR since the absence of a contract would make the processing unlawful, making the disclosure of personal data and the processing a data breach!

The purpose of a DPA is to settle the different rules the processor – and the controller – must comply with to make the processing compliant with the GDPR, but also to ensure personal data are protected and to minimize the risks for data subjects. The processor would therefore not be allowed to use the data for purposes other than the ones established in the DPA. 

In the DPA, several aspects must be mentioned to ensure a sufficient level of data protection:

1.3.1. Security measures

The processor must detail the security measures implemented/suggested to protect the personal data and its processing. Controls for the confidentiality and integrity – and the availability – of the personal data are essential since an incident related to those security principles would constitute a data breach.

💡 Did you know?

In the cybersecurity sector, the principles of Confidentiality, Integrity, and Availability are known as the CIA triad.

The measures adopted must be state of the art, as outdated technologies or unknown organizational solutions could contain significant vulnerabilities. Some examples of measures would be encryption, access control, Multi-Factor Authentication (MFA), backups, etc.

Regarding Vendor Risk Management (VRM), the implementation of these security measures by the processor would reduce the risks emerging from the outsourcing of the processing.

1.3.2. Data breach notification

Rules regarding the notification of data breaches must be laid down to ensure controllers are aware of every data breach as soon as possible so they can report it to the Supervisory Authority and, if necessary, to the data subjects concerned. Monitoring and detection solutions are crucial to avoid that data breaches stay unnoticed.

Rules regarding Data Subject Rights Requests (DSRRs) must also be laid down so the controller can handle those requests in time.

Non-conformities with these obligations of data breach notification and DSRRs handling could result in penalties, including financial fines, imposed by the Supervisory Authority. The inclusion of robust clauses in the DPA would help mitigate the risks of non-conformities and, consequently, reduce the likelihood of penalties.

1.3.3. Sub-processing

The controller must be clear whether the processor is allowed or not to engage with sub-processors (i.e., organizations working on behalf of the processor). The modalities can vary between different agreements, but the controller should have the possibility to object the sub-processing by a specific sub-processor if he estimates that it will infringe the agreement or that sufficient protections could not be demonstrated.

When sub-processing, the processor must apply in its DPAs with another organizations security measures that offers the same level of protection as those established in its DPA with the controller. The processor should also keep a register of processors – a register per controller – in case the controller needs to know with whom the personal data is disclosed or wants to check the compliance of sub-processors.

This point is important because unauthorized or unknown sub-processing could lead, among many other issues, to unmanaged risks.

1.3.4. International data transfers

The GDPR ensures a consistent protection within the European Union – the European Economic Area more precisely. However, transfers to third countries can be necessary in some situations. Some countries benefit from an adequacy decision from the European Commission, meaning that organizations established in these countries are subject to a similar level of protection. If there is no adequacy decision, the controller and the processor must ensure appropriate safeguards are in place before transferring personal data.

Similarly to sub-processing, rules must be laid down regarding international transfers of personal data to avoid unmanaged risks.

1.3.5. Accountability

Laying down all these rules in the DPA is a mandatory step, but processors need to comply with them. The GDPR establishes the principles of “accountability” as the capability for controllers and processors to prove their compliance towards the GDPR. Regarding Vendor Risk Management, it means that processors should be able to prove their compliance towards their DPA, through audits or certifications. The modalities for those verifications need to be present in the DPA to avoid confusions.

Mutual assistance modalities should also be part of the DPA. It can be related to security incidents that need to be resolved in order to avoid data breaches, the handling of Data Subject Rights Requests (DSRRs), the participation in audits, etc.

1.3.6. Other modalities

The GDPR set different requirements that need to be present in a contract governing the processing of a personal data – commonly known as a Data Processing Agreement (DPA). Additionally to those mentioned in the previous points, controllers and/or processors must add clauses about termination rights, confidentiality commitments from individuals processing the personal data, etc.

1.4. Register of processors

The GDPR already sets a requirement for a Register of Processing Activities (RoPA) where the different processing activities of personal data are described. This is for accountability matters, but also to have an overview of an organization’s activities.

While it is not required by the GDPR, keeping records of processors can be very helpful for a sound Vendor Risk Management (VRM). A bit like the RoPA, a register of processors will give a good overview of an organization’s vendors and the risks they pose. All the relevant information from the previous tools can help constitute a register with pertinent metrics. The vendor assessments and the DPIAs can provide the necessary information for a “risk score” – depending on the likelihood and the impact of disruptions coming from those vendors – while the DPAs (and the vendor assessments) can provide the contact details, the purposes of the processing, the certificates, etc.  


In a privacy and security matter, Vendor Risk Management (VRM) is a necessary process. While VRM gives a good overview of the risks posed by third parties, it is also a requirement from the General Data Protection Regulation (GDPR). Different tools allow for a sound management like vendor assessments, Data Processing Impacts Assessments (DPIAs), Data Processing Agreements (DPAs), and registers of processors. Those tools can be gathered in a single solution, making the VRM even more efficient.

Ready to master your vendor risk management?

Discover RESPONSUM – your all-in-one privacy management platform! Book a demo now and see how you can streamline and strengthen your vendor risk management process.

Liked reading this article? Spread the word!

Get the inside scoop on simplified privacy management

Get exclusive tips ‘n tricks straight to your inbox. Join +1,100 privacy professionals already subscribed and stay ahead of the game!

Written by

Amaury André

Consultant @ CRANIUM


Copyright © RESPONSUM BV

ISO certification logo