How Your Third-Party Risk Management Program Should Respond to Privacy Laws


Keeping up with current privacy laws is a bit like playing "whack-a-mole." As soon as one state law has passed and you understand the basics, another state proposes one of its own. To make things even more complicated, these laws go by different names: some use the term "privacy" in the law, while others use "data protection." So, what does all this mean for third-party risk management?

Rather than reviewing each privacy law in detail, we've gathered some best practices to help you stay updated in this rapidly changing environment. 

Common Attributes of Current Privacy Laws

California was the first state to enact a comprehensive privacy law, originally titled the California Consumer Privacy Act (CCPA) and later amended by the California Privacy Rights Act (CPRA), which went into effect on January 1, 2023. Other states have since followed California by signing their own privacy laws, including Colorado, Connecticut, Indiana, Iowa, Tennessee, Utah, and Virginia. Generally, each law describes the consumer's rights and the organization's obligations when collecting data.

Here are a few common attributes that are found in each of the previously mentioned state privacy laws: 

  • Right to access – This relates to consumers’ right to access their information or categories of information collected or shared with third parties. It may also mean that consumers have a right to know which third parties or categories of third parties have access to their information. 
  • Right to delete – Under some conditions, consumers can request that their information is deleted. 
  • Right to portability – This ensures that consumers can request their information in a commonly used file format to enable easy transfer to another organization. 
  • Right to opt-out of sales – Consumers can choose whether their information is sold to a third party.
  • Notice/transparency requirement – This requires an organization to notify its consumers about how it manages data, and its privacy operations or programs.
  • Data and third parties – It's also worth noting that each law includes language around disclosing or selling personal data to third parties. These laws specifically state that an organization that collects and shares or sells personal information to a third party must create an agreement that, per CPRA, for example, "Obligates the third party, service provider, or contractor to comply with applicable obligations under this title and obligate those persons to provide the same level of privacy protection as is required by this title." 


4 Best Practices to Implement Within Your Third-Party Risk Management Program

It can be challenging enough to comply with privacy laws when you consider all the variations that exist between different states, not to mention the many organizations that also fall under international privacy laws. When you add in requirements about your third parties' compliance, an additional layer of complexity must be addressed.

Here are some tips that can help bridge the gap between new privacy laws and your third-party risk management practices: 

  1. Review a legislation tracker. Some states have laws in effect, some have passed and have future effective dates, others are still being debated, and a few are newly introduced. A simple way to keep up with these laws is to review a tracker, such as the U.S. State Privacy Legislation Tracker by the International Association of Privacy Professionals (IAPP).  

  2. Consider external research. When a new state privacy law is proposed, signed, or amended, it may help to research using a trusted legal site that explains some of the highlights. Many law firms specializing in privacy law will regularly release blogs or other educational content that's easy to digest for the average reader. It's preferable to review a site that publishes content on each law rather than one that only focuses on a single state or region.  

  3. Examine your vendors' policies and notices. Ensure you understand how your vendors’ policies and notices compare to applicable laws. Here are some helpful questions to consider:

    • What information is being shared or accessed by the vendor? 

    • How is the vendor protecting that information? 

    • Does your vendor’s definition of terms such as sensitive data or personally identifiable information (PII) align with the law? 

    • Does your vendor’s control environment meet the law’s expectations?  

  4. Review your exit strategy. An exit strategy should be in place with any vendor accessing your organization's or customers' data. This ensures that data security and privacy are maintained, even if you're transitioning to a new vendor or bringing the outsourced activity in-house. The exit strategy should include details about how the vendor will return or destroy any data they hold after the engagement has ended. It should also require the vendor to provide assurance that they haven't intentionally or unintentionally shared any sensitive data with their third or fourth parties.

Although we've focused on US-based privacy laws, let's not forget about global laws such as the General Data Protection Regulation (GDPR). Regulators often look to each other for best practices when creating guidance, so it's helpful to familiarize yourself with these other global privacy laws, which can potentially influence guidance in the US. Understanding some basic principles of state and international privacy laws will help you create a safer environment for your organization and vendors.
