
GDPR: Understanding the Impact on Third Party Risk - Part 2


Last week we released important information about understanding the impact GDPR has on third party risk. I have even more to tell. In this Part 2, we'll look a little deeper into Chapters 2-4 and, specifically, at some of the steps your information security and third party risk management teams can adopt to address the growing concern around the new regulation.

As a refresher, GDPR stands for General Data Protection Regulation. The regulation takes effect on May 25, 2018. Its goal is to strengthen data privacy for European citizens. Noncompliance will be met with stiff penalties: up to 4% of a firm's global revenue or 20 million euros, whichever is greater. We have previously identified a strong connection between data privacy and third party risk management for organizations globally. Ensuring that your organization is GDPR ready will require a concerted effort across many lines of business. The clock is counting down.

Data Privacy Impact Assessment

Under Article 35, data controllers (the institution) should work in liaison with their Data Privacy Officer and perform what is called a Data Privacy Impact Assessment (DPIA). As with traditional vendor oversight, taking inventory of the existing vendor panel provides a high-level view of the vendors you are working with.

In many respects, taking stock of the many data elements you collect on consumers is a primary function of being GDPR compliant. After all, the concern with data elements is that breached data points can be reverse engineered. Even if the data is controlled in a manner that provides anonymity, the question is whether it can be linked to other data points so that the identity of the data subject (the individual) becomes known. For this reason, you should take inventory of the types of personal data you are collecting.

A key requirement here is also to understand whether your elected data processor (the third party) is collecting additional data on the data subject. If the third party is collecting data points you are not aware of, the risk of identifying the data subject potentially increases. Hence the purpose of the DPIA: to highlight just how big a risk the storage of, and access to, data subject information could represent, not only to the individual's own privacy rights, but also in the considerable financial and reputational damage a data breach could cause your organization.

Under GDPR, should the amount and type of data collected be assessed as detrimental to the privacy rights of the individual, completing the DPIA is a requirement for being considered GDPR compliant.

GDPR Operational Adherence is Key in Establishing Trust with the Data Subject

Under GDPR, the individual has rights over and above the initial transparency right of being informed that their data will be collected. So, while it's important that individuals are able to opt in through clear and transparent disclosure language, there is also a data portability requirement: the individual is allowed to request and receive any data that has been collected on them. Alongside this is the right to be forgotten. This means that, on request, the data must be purged from all systems and also be provided back to the individual in a readily available and easily readable format.

Given the vast amount of data and the number of consumers impacted by GDPR, a gap analysis should be performed to ensure that the potential volume of requests can be handled in a timely fashion. Make no mistake, this is not as simple as receiving a customer inquiry. Transactional audit logs detailing inbound requests and the steps taken to satisfy the right to be forgotten may be reviewed during a GDPR compliance examination. Since the regulation is so new, we're unable to say how deep initial examinations will go, but the stiff penalties set as part of this regulation suggest that regulators will undoubtedly look closely at the adoption of GDPR compliance. Additional information regarding the rights of the individual, referred to as the data subject, can be found under Chapter 2, Articles 12–23.

As a practical step in addressing GDPR compliance, each organization that believes it is impacted should take inventory of its vendor partners, ascertain its global business footprint exposure, perform the DPIA, and perform a thorough review of GDPR while incorporating the regulation into its overall compliance management system.

GDPR is sure to impact your vendor risk management policy, program and procedure documents. Download our infographic series so that you can revisit and amend them to include necessary GDPR precautions.
