
 7 Practical Steps to Tackle GDPR Compliance Via Vendor Management


The EU (European Union) General Data Protection Regulation (GDPR) is considered timely in the sense that all e-commerce is officially in the sights of cyber criminals. Not a day goes by without a breaking story of yet another breach of consumers’ confidential data. However, while we may be in the habit of citing consumer data privacy concerns, the GDPR expands the scope to citizen data generally. This means that items such as payroll or healthcare data fall under GDPR jurisdiction.

With any new regulation comes a period of research and understanding of the new requirements, but after a while paralysis by analysis can set in. We’ll move past the regulation itself, all 11 chapters and 99 articles, and offer some practical steps to design your GDPR compliance framework. Remember, leveraging other lines of business to tackle this head-on will pay dividends. This will take a concerted effort between compliance, legal, IT and third-party risk management. Considering the heavy use of vendors in financial services, the GDPR requirement adds an extra layer of responsibility to the third-party risk management team.

Areas to Review

Areas which need to be reviewed include:

  • Vendor inventory, including each vendor’s location and business footprint
  • The individual’s consent protocols
  • Contract language
  • Defining vendors as data processors
  • Determining the scope of personal data and data processor access
  • Data breach notification requirements
  • Updates to policies and procedures

The 7 Steps

Where applicable, I have included the relevant chapter and article number to help guide you.

  1. Vendor Inventory – Chapter 1, Articles 1-4
    • Considering how many vendors appear on a vendor report, it’s worthwhile to review each vendor service and pay special attention to cloud storage providers, data centers, marketing firms, and payroll and healthcare providers who may be accessing EU residents’ private data. Remember, GDPR has a global reach and is not limited to whether you have a brick-and-mortar store in the EU. If the data is being exported outside of the EU member states, GDPR is still applicable.

  2. Data Subject (Individuals) Consent Protocols – Chapter 2, Articles 5-11
    • Individuals must be provided with clear and transparent communication regarding their consent to share their non-public information. This can be achieved electronically, by email or by postal mail, and there should be disclosure that the information is being shared with third parties, aka your vendors. As the primary source of the data collection, you are considered the data controller. Your responsibilities and liabilities under GDPR are equally tied to the strength of your vendor GDPR policy framework.

  3. Contract Language
    • Please consult an attorney on the technical verbiage for updating and reviewing the applicable vendor contract language. However, if your vendor is storing data on your behalf, then you must ensure that they understand the GDPR requirement and the liabilities, potential monetary fines and other recourse for which they would be responsible. Language should also specify the right to audit GDPR compliance, breach notification requirements, and protocols and points of contact.

  4. Defining Vendors as Data Processors – Chapter 4, Articles 24-43
    • Since the vendor is storing, accessing or processing data subjects’ NPPI, it’s important that information security, privacy policies and other controls are reviewed regularly. Information access audit logs should also be reviewed to establish who in the vendor organization is accessing the subject data, and control evidence should be provided on request. This can be an additional process on top of current ongoing monitoring activities, since performing this purely on an annual basis does little to detect and mitigate unauthorized access to the data.

  5. Defining the Scope of Subject Data – Chapter 2, Articles 5-11
    • Unlike in the US, the data considered private by the EU is expansive and goes beyond the typical name, address, SSN and NPPI. Data which can identify a subject also falls under this category and may include IP address, email, medical information and even biometric data points. Due to this expansion of what qualifies as private data, I recommend that you detail each data point and confirm with the data processor exactly which data topics are being stored.

  6. Data Breach Notification Requirements – Chapter 4, Articles 33-34
    • Under GDPR, there is a 72-hour window in which data breaches must be reported to authorities. Given that there is compelling evidence of mistrust between companies and third-party vendors who may be reluctant to inform their clients of a data breach, under GDPR you simply must. To this end, it’s vital that data breach notifications be included in your contractual language to stress the GDPR requirement. Besides GDPR, it also makes good business sense and is a best practice.

  7. Update Policies and Procedures – Chapter 4, Article 35 and Articles 37-39
    • GDPR is effective May 25, 2018. If you determine you fall under this regulation based on your global business model, then you must update your policy and program. As you can see from the above outline, this impacts legal, compliance and third-party risk. The detrimental impact can come as regulatory pressure, monetary fines and the reputational loss of customer trust. The update to your internal policy and program should also extend to that of your third-party vendors. Depending on how large either organization is, the amount of private data it’s collecting will determine if a data privacy officer is required to formally manage information and data security. This makes a strong case for intimately understanding your vendors’ adherence to this regulation.

As you can tell, GDPR doesn’t only impact European citizens, and it does not exclude third-party risk management. It’s important to review the regulation thoroughly to best understand how it will affect you and your organization as the data controller. I encourage you to make changes where needed due to this recent update. It could potentially save your organization from a fine of up to 20 million euros or 4% of global revenue, whichever is larger.
