Vendor Risk Management – GDPR as a Global Benchmark 

The management of vendor risk from a data protection standpoint has been significantly affected by privacy laws globally, demonstrating the importance that legislators and policy makers attach to the privacy and security assessment of vendors and third parties. Implementing a strong VRM strategy is becoming an increasingly important job function for privacy professionals around the world. So, where should you begin?

Download the Ultimate Guide to VRM for Privacy Professionals to learn more about the importance of VRM for privacy professionals. 


The General Data Protection Regulation (Regulation (EU) 2016/679, ‘GDPR’), as entered into force in 2018, has acted as a benchmark in this regard, paving the way for several other privacy frameworks to come. 

The GDPR brought along a set of new obligations for both personal data controllers and processors. 

Probably most important is the liability shift introduced by the legislation – organizations are now accountable for their vendors and must always demonstrate that they put all reasonable consideration into choosing those that comply with the GDPR. 

Amongst other requirements, the GDPR makes a written contract between controllers and processors a general requirement, rather than just a way of demonstrating compliance with the law. Furthermore, Article 28 of the GDPR outlines a robust set of mandatory minimum terms that must always be present in every data processing agreement.

Other mandatory requirements introduced by the GDPR are the obligations for processors to a) assist controllers with the handling of data subject requests; b) maintain records of processing activities; c) implement data security measures; d) notify data breaches; e) engage sub-processors only under specific conditions; f) cooperate with regulators; g) appoint a data protection officer (DPO) and/or EU representative in certain situations.

Another very important change affecting the overall obligations under the GDPR is that data processors have direct statutory obligations for certain data protection matters, and statutory liability (including the possibility of incurring regulatory fines) for breach of their respective obligations under the GDPR. In addition, data processors (along with data controllers) are also liable for direct damage compensation claims brought by data subjects. Such claims can also be pursued through class action lawsuits, as the GDPR envisions.

The legal requirements provided by the GDPR have been further specified and interpreted by the European Data Protection Board (‘EDPB’) guidelines, especially those on the concepts of controller and processor in the GDPR, as well as by the guidance issued on the matter by the supervisory authorities of EU Member States. The European Commission also published standard contractual clauses under Article 28 of the GDPR, providing organizations with a template for data processing agreements to be signed with vendors.


Beyond the GDPR 

Following the benchmark set by the GDPR, several other countries followed the example of the European legislator and, when approving new comprehensive data protection laws, addressed the data protection obligations of organizations establishing legal relationships with external vendors.

Countries that introduced such requirements include, among others:

Brazil

Law No. 13.709 of 14 August 2018, General Personal Data Protection Law (as amended by Law No. 13.853 of 8 July 2019) (LGPD) entered into force on 18 September 2020 (while its enforcement provisions entered into force on 1 August 2021). 

The LGPD, unlike the GDPR, does not mandate the signature of a data processing agreement between controller and processor, but merely requires processors to carry out processing according to the instructions provided by the controller. Signing a legally binding agreement is not, however, prohibited, and could provide stronger guarantees in the relationship with the vendor.

California

The California Consumer Privacy Act of 2018 (as amended) (CCPA), together with its implementing regulations, refers to ‘businesses’ and ‘service providers’ (and not to controllers and processors) when addressing requirements for organizations engaging vendors. The CCPA in particular states that a vendor is allowed to process information on behalf of a business and receive a consumer’s personal information for a business purpose only pursuant to a written contract, which must contain certain specific guarantees.

Vendor management processes under the CCPA will however be affected by the entry into force of the California Privacy Rights Act of 2020 (CPRA) in 2023, which will in particular specify the content of the agreement to be signed between business and service provider.

In general, organizations doing business in the US will have to consider the potential application not just of the CCPA, but also of the newly introduced legislation in Virginia and Colorado (see sections below). Vendor management processes could therefore be standardised and harmonised to account for the different rules under the various US privacy laws.

China

China’s recently approved Personal Information Protection Law (PIPL) represents the first comprehensive data protection framework in the jurisdiction, and will enter into force on 1 November 2021. When it comes to vendor management, the PIPL introduced significant requirements for the actors involved in the process, such as (i) the obligation to sign an agreement with the vendor outlining specific information on the processing activity, (ii) the obligation for the vendor to handle personal information in line with the agreement, (iii) specific obligations for joint controllers, and (iv) requirements for the engagement of sub-processors.

Colorado

The Colorado Privacy Act (CPA) was signed into law in July 2021, making Colorado the third US state to approve comprehensive privacy legislation. The CPA will enter into force in July 2023 and, among its provisions, includes requirements and obligations for the processing of personal information in the relationship between controllers and processors.

South Africa 

South Africa’s Protection of Personal Information Act, 2013 (Act 4 of 2013) (POPIA) was promulgated into law on 26 November 2013. However, a considerable period of stasis followed while a commencement date was decided upon. On 1 July 2021, the Information Regulator announced that its enforcement powers under POPIA came into effect from 1 July 2021, following the conclusion of the 12-month transition period for compliance provided under Section 110 of POPIA.

When it comes to vendor relationship management, POPIA establishes that vendors must operate on the basis of a contract or mandate stipulated with the controller, and sets out other specific obligations in relation to data security, breach notification, data transfers, etc.

Virginia

The Consumer Data Protection Act (CDPA) was signed into law on 2 March 2021 and will enter into effect on 1 January 2023. 

From a vendor management standpoint, the CDPA introduced specific obligations for vendors to cooperate with controllers, and mandates a contract regulating the data processing performed by the processor on behalf of the controller.

Key VRM & Privacy Considerations for Professionals: 

To view the remaining 30 pages of the guide: Download the Ultimate Guide to VRM. In the guide, you will have access to information on the following: 

  • Terminology and Requirements  
  • New obligations under the GDPR 
  • Controller, processor and joint controllers 
  • Responsibility of the controller and processor  
  • Transfers of personal data outside the EU  
  • Adequacy Decisions  
  • Appropriate Safeguards  
  • Derogations  
  • Contractual terms  
  • Joint Controller Contractual Terms  
  • Article 28 Obligations  
  • Controller and processor identification 
  • Collaboration between privacy and security processor  
  • Enterprise vendor risk management (VRM) needs 
  • Vendor auditing and documentation 
  • Vendor review cadences 
  • Vendor review cadences for privacy  
  • Data processing contracts and vendor records  
  • Integration and synergy areas  
  • Formalize management of risk 
  • Vendor risk management lifecycle at your enterprise 




Follow OneTrust on LinkedIn, Twitter, or YouTube for the latest on VRM.