Think back (wayyy back) to the days of group projects in school. There always seemed to be one person who wanted to do everything, one person who did nothing at all, and a few other folks in the middle. 

But group projects could also be a minefield. Maybe someone tried to take credit for work they didn’t do. Maybe someone lied about their research and simply copied and pasted from Wikipedia. Maybe someone cheated, and the whole group’s grade suffered for it.

You see where this is going, right?

Businesses today aren’t that different from group projects in school. You share the rewards and the risks—the profits and the PR nightmares. And if someone cheated or took a shortcut, like a vendor skimping on their data privacy program?

Well, that could saddle you with the proverbial “F,” no matter how little you knew about the situation, because ignorance isn’t absolution in the eyes of the law or the court of public opinion.

In the age of data, it’s up to companies to perform their vendor due diligence.

Why vendor risk management matters more than ever

Managing your vendors means striving to avoid security breaches, but that’s far from the full scope. It’s becoming a requirement across privacy laws, from the GDPR (Article 28) to the Texas Data Privacy and Security Act: numerous laws require companies to have vendor contracts that clearly state a vendor’s obligations when processing consumers’ personal information.

For example, in Texas, vendor contracts for qualifying companies must include: 

  • Instructions for processing personal information
  • How and why processing occurs
  • What type of data is subject to processing
  • The duration of processing
  • A duty of confidentiality for individuals who process the information
  • An obligation to delete or return all personal information at the controller’s direction or when it has completed the services, unless data retention is required by law

The short version of this: Businesses are legally required to address vendor data processing in their contracts. 

Businesses that violate these requirements can face serious legal and public relations repercussions. In Texas alone, the state attorney general can seek injunctive relief along with civil penalties of up to $7,500 per violation.

Companies that ignore vendor risk management may end up paying the price

Not to keep giving you the stick before the carrot, but it’s important to understand that the risk of lax vendor management is very real:

  • In 2025, Adidas and the University of Chicago Medical Center were both sued over breaches involving third-party vendors, with plaintiffs arguing the companies failed to exercise adequate oversight.
  • Progressive Insurance reached a $3.25 million settlement after a call center vendor compromised customer data over two years.
  • Avast was ordered to pay $16.5 million under an FTC settlement after its subsidiary, Jumpshot, sold users’ browsing data without proper consent.

We don’t share this to call out any specific company. Most companies have a vendor list that resembles a phone book, and keeping track of every vendor’s privacy and security practices can feel nearly impossible. And it’s more common to onboard vendors based on their features and pricing than on their data protection policies.

The point is, vendor oversight is no longer just a nice-to-have. It’s become a business necessity, and the companies that take a proactive stance stand to save themselves a lot of headaches (and money) down the road.

A vendor assessment can protect your business 

A vendor assessment evaluates how a third party handles data privacy and security. Done properly (and regularly), a vendor assessment will:

  • Identify gaps in a vendor’s ability to meet legal obligations
  • Evaluate technical and organizational safeguards
  • Confirm whether vendors support data subject rights (e.g., deletion, access)
  • Flag vendors with histories of noncompliance or security incidents
  • Ensure you have a data processing agreement (DPA) in place with clear responsibilities and breach notification terms

The assessment should also cover how the vendor is using your business data. Does it get used only in the service they provide? Or are they putting it to work for their own purposes, like training their AI models or improving their algorithms? This has always been a risk, but AI has made it a much bigger one: your sensitive business data could end up training models that benefit your vendor rather than only supporting the service you’re paying for.

But here’s the thing about vendor assessments: Most companies treat them like picking group project partners on the first day of class. But remember how group dynamics worked? 

That reliable person got a new job and started phoning it in. The detail-oriented one transferred schools mid-semester, or someone you’d never heard of suddenly joined your group.

Vendors work the same way. They get acquired, launch new features, hire new security teams, or start using different sub-processors. The vendor you brought on (even after a thorough vetting) last year might be a completely different company today. That’s why vendor assessments can’t be a one-and-done exercise.

You need a system that keeps up with reality.

What to include in a vendor assessment program

Your vendor risks are as unique as your business model. A fintech company sharing banking data faces different risks than an e-commerce site using analytics tools.

So, before you start firing off questionnaires, take a step back. What data do you share with vendors? Which systems do they access? What regulations apply to your business? Based on how you work with vendors, identify your top priorities as you navigate the different aspects of a vendor assessment. 

1. Conduct a privacy and security fit assessment

At the broadest level, confirm that your vendor has the resources, policies, and track record to handle personal data responsibly. This may include reviewing certifications, past incidents, and whether their internal practices support your legal obligations.

Questions to ask include: 

  • How are they using your data?
  • What processes do they have in place to manage privacy rights requests?
  • Have they had any recent data breaches or security incidents?
  • Do they hold security certifications or attestations (e.g., ISO 27001, SOC 2 Type II)?
  • What commitments do they make in their privacy notice?
  • Does their internal privacy and security documentation look complete and compliant with applicable data privacy laws?
  • Do they have an established data incident and breach response plan in place?
  • Where cross-border transfers are involved, have they self-certified to the EU-U.S. Data Privacy Framework or put another transfer mechanism in place (e.g., Standard Contractual Clauses)?

2. Adopt risk-based tiering

Not all data requires the same level of scrutiny. A low-risk vendor that only processes aggregated analytics may require only a lightweight review. A vendor that processes health data or supports targeted advertising? That’s high-risk and requires deeper diligence.

(Just ask the Pennsylvania Department of Health, whose vendor agreed to pay $2.7 million for allegedly failing to process health data properly during the height of the COVID-19 pandemic.)

Classify vendors as low, medium, or high risk based on:

  • Volume and sensitivity of data processed
  • Regulatory exposure (e.g., handling data from EU or California residents)
  • Access to systems or customer records

If you have limited resources, it may be smart to focus on rigorously reviewing high-risk vendors.

3. Get a data processing agreement (DPA) in place

Some data protection regulations require the inclusion of specific details in vendor agreements related to data processing.

Key details in your vendor agreements may include:

  • Your right to monitor compliance with the contract
  • Their obligation to assist you with compliance, particularly in honoring individual rights requests
  • The obligation to comply with applicable data protection laws
  • The requirement to notify you if they can no longer meet contractual obligations
  • Their security obligations
  • Obligations around further sharing, such as using sub-processors

See the full list in our free third-party risk management guide.


4. Share data through a secure transfer mechanism

If you’re sending personal data to a vendor, make sure you’re doing it the right way. 

That might mean:

  • Access-controlled cloud environments (a scoped share rather than a full export)
  • Encryption in transit and at rest
  • Redacted or pseudonymized datasets that contain only the fields the vendor needs
  • Required VPN access

As a general rule, always limit data access to only what’s necessary for a predetermined use.
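As an added example (not code from the original post), here is what the “redacted datasets” and “only what’s necessary” points look like as a pre-export step: each vendor gets a field allowlist tied to its agreed purpose, direct identifiers are replaced with a keyed hash using a per-vendor key so two vendors cannot join their exports, dates are coarsened, and the export is checked before it ships. The vendor names, field names, master secret and customer records are all constructed for the illustration.

```python
"""Minimise and pseudonymise customer records before they are shared with a vendor.

Added illustration, not code from the original page. Assumptions (all
constructed for the example): the vendor "email-analytics" only needs a stable
customer key, signup month and country; the HMAC master secret lives in your own
secrets manager and is never shared with any vendor; the records are sample data.
"""
import hashlib
import hmac
import re

# What each vendor is contractually allowed to receive, keyed by the agreed
# processing purpose. Anything not listed is dropped before export.
VENDOR_FIELD_ALLOWLIST = {
    "email-analytics": {"customer_id", "signup_date", "country"},
    "fraud-screening": {"customer_id", "email", "country", "order_total"},
}

# Direct identifiers are replaced by a keyed hash; dates are coarsened to
# year-month so the export cannot be re-linked to a person by signup day.
PSEUDONYMISED_FIELDS = {"customer_id", "email"}
GENERALISED_DATE_FIELDS = {"signup_date"}

EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")

# Constructed placeholder: in practice this comes from your secrets manager.
MASTER_SECRET = b"replace-with-a-secret-from-your-vault"

# Constructed sample records; the extra fields stand in for data the vendor
# has no business receiving.
SAMPLE_RECORDS = [
    {"customer_id": "C-1001", "full_name": "Ada Example", "email": "ada@example.com",
     "signup_date": "2024-03-15", "country": "DE", "order_total": 120.50,
     "support_notes": "called about a late delivery"},
    {"customer_id": "C-1002", "full_name": "Bob Sample", "email": "bob@example.org",
     "signup_date": "2023-11-02", "country": "US", "order_total": 48.00,
     "support_notes": "asked for a refund"},
]


def vendor_key(master_secret: bytes, vendor: str) -> bytes:
    """Derive a per-vendor key so pseudonyms cannot be joined across vendors."""
    return hmac.new(master_secret, vendor.encode(), hashlib.sha256).digest()


def pseudonymise(value: str, key: bytes) -> str:
    """Keyed and deterministic: one customer maps to one token per vendor."""
    return hmac.new(key, value.lower().encode(), hashlib.sha256).hexdigest()


def minimise_record(record: dict, vendor: str, key: bytes) -> dict:
    """Keep only allowlisted fields, pseudonymising identifiers and coarsening dates."""
    allowed = VENDOR_FIELD_ALLOWLIST[vendor]
    out = {}
    for field, value in record.items():
        if field not in allowed:
            continue  # full name, free-text notes, etc. never leave your environment
        if field in PSEUDONYMISED_FIELDS:
            out[field] = pseudonymise(str(value), key)
        elif field in GENERALISED_DATE_FIELDS:
            out[field] = str(value)[:7]  # "2024-03-15" -> "2024-03"
        else:
            out[field] = value
    return out


def check_export(export: list, vendor: str) -> None:
    """Fail closed: refuse to ship if a disallowed field or a raw e-mail slipped through."""
    allowed = VENDOR_FIELD_ALLOWLIST[vendor]
    for row in export:
        extra = set(row) - allowed
        if extra:
            raise ValueError(f"fields not permitted for {vendor}: {sorted(extra)}")
        for field, value in row.items():
            if field in PSEUDONYMISED_FIELDS and EMAIL_RE.search(str(value)):
                raise ValueError(f"raw identifier found in pseudonymised field {field}")


def build_export(records: list, vendor: str, master_secret: bytes) -> list:
    """Produce the minimised, checked dataset for one vendor."""
    key = vendor_key(master_secret, vendor)
    export = [minimise_record(r, vendor, key) for r in records]
    check_export(export, vendor)
    return export


if __name__ == "__main__":
    import json
    print(json.dumps(build_export(SAMPLE_RECORDS, "email-analytics", MASTER_SECRET), indent=2))
```

The encryption of the export in transit and at rest is left to the transfer channel (TLS, an encrypted bucket, or a file-level key the vendor holds); what this step guarantees is that the channel only ever carries the minimum, and that a reviewer can read the allowlist as the technical counterpart of the DPA’s purpose clause.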

5. Complete ongoing monitoring and reassessment

Vendor risk management isn’t a “set it and forget it” exercise. Regulations evolve. So do vendors.

Reassess vendors:

  • Annually, or
  • After a significant change, such as a merger or acquisition, a security incident, a new processing activity, or a change in scope, regulation, or jurisdiction, or
  • When a new feature is rolled out, such as AI functionality (though not limited to that), or
  • When a new use case arises, such as a product or solution that wasn’t used in the past

For high-risk vendors, schedule regular check-ins or reviews.

You can’t outsource accountability (but you can get a helping hand)

Unlike those school group projects, you get to set the rules for how your team operates. Maybe you inherited some vendors, maybe corporate mandated others, but you still get to decide what standards they need to meet and how closely you monitor their work.

A strong vendor assessment program is how you make sure everyone, whether you picked them or they were picked for you, actually meets your standards.

Need help building one? Red Clover Advisors designs third-party risk management programs that scale with your business.