Conducting a risk assessment of all candidate vendors is the best way to provide assurance that a potential vendor is able to comply with privacy regulations and the organization's data privacy policy, because it allows the organization to evaluate the vendor's privacy practices, controls, and performance against a defined set of criteria and standards. A risk assessment can also help to identify any gaps, weaknesses, or threats that may pose a risk to the organization's data privacy objectives and obligations. A risk assessment can be based on various sources of information, such as self-attestations, documentation, audits, or independent verification. A risk assessment can also help to prioritize the vendors based on their level of risk and impact, and to determine the appropriate mitigation or monitoring actions for each.
References:
8 Steps to Manage Vendor Data Privacy Compliance, DocuSign
Supplier Security and Privacy Assurance (SSPA) Program, Microsoft Learn