Vendor Due Diligence: An Important Aspect of Privacy Law Compliance


You have your privacy obligations down pat – you know which privacy laws apply to you, your Privacy Policy is up to date with the latest laws, you don’t track website visitors without consent, and you have a process for replying to privacy rights requests. But have you ensured that your vendors are in compliance too? When you share your customer data with a vendor, you are also responsible for making sure that the vendor processes that data in accordance with privacy and legal requirements. Unfortunately, this is an often overlooked step in privacy compliance and can land your company in hot water with regulators and clients if not performed correctly. In this article, we will discuss why vendor due diligence should be conducted and what it should look like so that you have a blueprint as to how to manage this requirement. 

What is vendor privacy due diligence?

Vendor due diligence is generally defined as a comprehensive process for evaluating third party vendors. Vendor due diligence can encompass determining the risk of using the vendor, gathering information about the vendor, looking at reviews, and more. In this article, we will discuss the privacy aspects of vendor due diligence but keep in mind that other standard processes of vendor due diligence will still need to be performed (e.g. determining whether the vendor is financially stable).

Why should you conduct vendor privacy due diligence?

The fact is that it is almost impossible to have a modern website without sharing personal data with vendors. For example, if someone subscribes to your newsletter and their email is added to your email marketing software, such as ActiveCampaign, you are sharing personal data with them. When someone submits a contact form, a copy of that form will be stored in your website’s backend, sharing that data with your CMS. If you ship products to your customers, their addresses will be shared with your shipping provider, such as FedEx or UPS. And, of course, when you have the Meta Pixel or Google Analytics, your website visitors’ data will be shared with those vendors as well. Sharing personal data is not some terrible practice; it’s a very common part of having a website. 

When it comes to sharing data with your vendors, performing privacy due diligence is crucial, as: 

  1. Privacy laws may require you to perform this due diligence. Privacy laws such as the GDPR and the CPRA require businesses to ensure that their vendors process data in compliance with these laws and require that contracts protecting the data be in place. Failure to follow these requirements can result in the business being fined for non-compliance; 
  2. Failure to perform due diligence can leave you stuck with vendors who do not help you with privacy rights requests. For example, if you receive a request from an individual asking you to delete their data, you may also be required to ask your vendors to delete that individual’s data. A vendor that does not respect privacy rights may fail to delete the data, leaving you non-compliant as well; 
  3. A vendor that does not respect privacy may cause great embarrassment to your company and may lead to customer complaints. For example, if you share your customers’ data with an email marketing tool and that company sells the data, your customers may find out that their data was sold because you allowed your vendor to sell it. In turn, when customers receive a flood of spam emails and calls, they may blame your company, since you were the one who shared their data with the vendor that sold it. 

When should you perform vendor privacy due diligence?

Vendor privacy due diligence should first be performed before your company engages a new vendor. This means that your employees should be instructed to notify you before using any new tool or vendor, and to allow enough time for you to perform the vendor due diligence before that tool or vendor is put to use. Once the initial compliance check is performed, the vendor due diligence should be reviewed and updated once per year. 

Evaluating the risk of the vendor

The first step in vendor privacy due diligence is evaluating the risk that the vendor may pose to your company. This comes first because it determines the level of due diligence you should apply to the remainder of the process. A vendor that is very low risk (e.g., it will not have access to any personal data) will need less due diligence, monitoring, and fewer safeguards than a vendor that is high risk (e.g., the vendor has access to sensitive personal data such as social security numbers). 

The risk criteria that you will want to consider will depend on the nature of your business. However, below are examples of questions that you should consider asking when determining the risk a particular vendor may pose: 

  1. What is the business impact of this vendor and the work that they will perform?
    • Nominal impact: the vendor has very little impact on the business. For example, the vendor is used to water the plants in your office. 
    • Significant but non-critical impact: the vendor has a significant impact on your business, but this impact is not critical. For example, your internal communication tools, such as Slack, would have a significant impact, as an outage could disrupt collaboration and slow productivity, but you could still service customers. 
    • Mission-critical impact: the vendor’s failure would directly impair your ability to deliver your core products or services. For example, your payment processor is critical to your ability to receive payments from your customers. 
  2. What is the total contract amount? 
  3. What is the total contract term? 
  4. What is the vendor’s access to information? This is usually broken down into three tiers:
    • The vendor has access to non-confidential company information only; 
    • The vendor has access to company information (whether confidential or publicly available) and non-personal data; 
    • The vendor has access to personal data. 
  5. What is the regulatory risk that a vendor poses to your company? Vendors can introduce regulatory risk if they have access to personal data, they or you operate in a regulated industry (e.g., banking regulations), or they perform a legally significant function such as tax processing. 
  6. What is the risk to the safety of employees or vendors through your use of this vendor? For example, would the vendor provide machinery or equipment with a high potential for injury or illness? 
  7. What is the operational risk of the vendor? Could the vendor pose mission-critical risk to your company? 

Once you have determined the answers to the questions above, you can classify the vendor as a low-risk, medium-risk, or high-risk vendor and apply the amount of vendor due diligence appropriate to that risk level. 

What general information should you compile regarding the vendor? 

The second step in vendor due diligence is compiling general information about the vendor, such as: 

  1. Vendor relationship manager (name and title): This is the person at your company who is going to be responsible for managing the relationship with the vendor; 
  2. Vendor name; 
  3. Vendor address; 
  4. Vendor contact information; 
  5. Service(s) that will be performed by the vendor or product(s) that will be provided by the vendor to your company; 
  6. Contract start date; 
  7. Contract expiration date; 
  8. Contract renewal dates and times; 
  9. Date of next due diligence review; 
  10. Date the initial due diligence was performed. 

Vendor privacy due diligence

Once you have gathered the general information about the vendor, it is time to perform the vendor privacy due diligence review. To perform this review, you should ask the following questions: 

  1. Must the services performed or the products provided by the vendor meet any regulatory requirements? 
  2. Can the vendor create regulatory risk for your company? 
  3. To what extent will the vendor handle proprietary data of the company? 
  4. To what extent will the vendor handle personal data (whether of your customers, potential customers, other vendors, or employees)?
  5. What is the risk of the vendor mishandling this data? 
  6. Which countries does the vendor transfer data to? If the vendor does transfer data to other countries, do these transfers take place under a valid mechanism? 
  7. Does the vendor have a compliant Privacy Policy? 
  8. Does the vendor have a compliant Data Processing Agreement (if applicable)?
  9. Does the vendor apply proper security measures to the data shared with the vendor? 
  10. Which privacy laws does the vendor comply with? Do the privacy laws that the vendor complies with match up with the privacy laws that your company is required to comply with? 
  11. What is the vendor’s general reputation in the industry? 
  12. What do the vendor’s reviews (whether employee or customer reviews) look like? 
  13. Has the vendor been subject to any lawsuits and/or regulatory inquiries? 
  14. Has the vendor been subject to any privacy complaints or fines? 
  15. Has the vendor been subject to any data breaches? 
  16. Is the vendor willing to sign a contract with your company guaranteeing data protection?

This part of vendor due diligence is essentially a fact-finding mission. While most of this information can be obtained online, you may sometimes need to contact the vendor to request additional information. It is important to note that you should not take the vendor’s marketing materials at face value and should conduct your own research through independent sources. For example, every company will say that its customers love it and that it has the best customer service. However, it is up to you to verify these claims through independent review websites to see what their customers actually say about their service and support. 

When conducting vendor due diligence, the following sources will be very helpful: 

  1. The vendor’s website. This is where you will find their Privacy Policy, Data Processing Agreement, and list of security measures; 
  2. Websites such as Indeed. This is where you will find employee reviews – these can be extremely helpful in determining whether the company is stable. For example, this may be the only source that will tell you that the company has had three rounds of layoffs this year; 
  3. Websites such as Google, TrustPilot, and the Better Business Bureau – this is where you will find reviews from their customers and any complaints; 
  4. Google. You can search [company name] and “lawsuit” or “data breach” or “privacy breach” or “fine” to learn more about any regulatory issues; 
  5. LinkedIn. You can learn more about the company’s employees on LinkedIn by going to the company’s LinkedIn page and clicking “People”. You may find that the company employs individuals who have been sanctioned by the US government or who have had shady dealings with others (true story – this actually happened when I was conducting vendor due diligence); 
  6. PCI Security Standards Council listings (if applicable); 
  7. EU-US Data Privacy Framework Certification list (if applicable). 

It is important that you verify any information that the vendor provides to you through third-party sources and common-sense investigation. While this may seem daunting at first, once you start performing vendor due diligence, it can even be fun (yes, for real), as you are investigating claims, verifying information, and, essentially, digging to discover the truth. 

Through years of conducting vendor due diligence, I have learned that even the most trustworthy companies can be hiding some seriously concerning information. For example, I have found that a very reputable shredding company would dump unshredded documents in public parks. I have also found that a company that publicly supports a social cause employs individuals who directly oppose and sabotage that cause. I have also found a company that claims that it was formed in a particular country, but was actually formed in a completely different country that is subject to sanctions. Performing vendor due diligence can help you ensure that your vendors are who they actually say they are, that they will actually perform the services or deliver you the goods that you paid for, and that they will not cause any regulatory or reputational harm to you. Happy digging! 
