Vendor Risk Assessment — Evaluating Privacy Policies in Due Diligence

Effective overview last updated: January 2026

Why Vendor Privacy Policies Matter in Due Diligence

When your organization shares data with a third-party vendor, you inherit their privacy risk. A vendor's data breach becomes your data breach — at least in the eyes of your customers and regulators.

This is why privacy policy review has become a standard part of vendor risk assessment. Several compliance frameworks require it directly or indirectly:

  • SOC 2: If your audit includes the Privacy trust services criteria, you need to demonstrate that you evaluate how vendors handle personal information. Even under the Security criteria alone, understanding a vendor's data practices is relevant to your risk assessment.
  • GDPR: Articles 28 and 29 impose specific obligations when you engage a data processor. You must ensure the processor provides "sufficient guarantees" around data protection. Reviewing their public privacy policy is one way to assess whether those guarantees hold up.
  • HIPAA: Business associate agreements are required, but the vendor's public-facing privacy practices should not contradict those contractual commitments.
  • General risk management: Even outside regulated industries, understanding how a vendor collects, stores, shares, and retains data is fundamental to evaluating whether they are a responsible custodian of your data.

A vendor's privacy policy is a public commitment. It tells you what they believe their data practices are — or at least what they are willing to state publicly.

What to Look for in a Vendor's Privacy Policy

When reviewing a vendor's privacy policy as part of due diligence, focus on these areas:

Data Collection Scope

What data does the vendor collect, and from whom? Pay attention to whether they collect data beyond what is necessary for the service they provide. A project management tool that collects biometric data or precise geolocation should raise questions.

Data Sharing and Third Parties

  • Who does the vendor share data with?
  • Do they share data with advertising networks, analytics providers, or data brokers?
  • Is sharing limited to what is necessary for service delivery, or is it broad and permissive?

Data Retention

Look for specific retention periods. Policies that say "we retain data as long as necessary" without defining what "necessary" means give the vendor unlimited discretion. This matters when your own retention policies require deletion after a set period.

Security Commitments

Does the privacy policy reference encryption, access controls, or security standards? While a privacy policy is not a security whitepaper, vague or absent security language can signal that the vendor has not thought carefully about data protection.

Sub-Processors

Many vendors rely on their own vendors (sub-processors) to deliver services. Check whether the policy discloses sub-processors and whether the vendor takes responsibility for their sub-processors' data handling.

International Data Transfers

If your organization is subject to GDPR or similar regulations, confirm whether the vendor transfers data outside the EEA and what transfer mechanisms they rely on (Standard Contractual Clauses, adequacy decisions, etc.).

Red Flags in Vendor Privacy Policies

Not every imperfect privacy policy is a dealbreaker, but certain patterns should trigger deeper investigation:

  • Overly broad data collection: The policy claims the right to collect categories of data that have no clear relationship to the service being provided.
  • Vague sharing clauses: Language like "we may share data with our partners and affiliates" without specifying who those partners are or what data is shared.
  • No retention limits: The policy provides no timeline for data deletion or states that data is retained "indefinitely."
  • Claiming ownership of customer data: Some vendors assert broad licenses or ownership rights over data you provide. This is a significant contractual and privacy risk.
  • No mention of sub-processors: If a vendor provides a complex service but claims to handle everything in-house with no disclosures about third parties, the policy may be incomplete.
  • Unilateral change clauses: Policies that say "we may update this policy at any time without notice" remove your ability to rely on current commitments.
  • No data subject rights process: For vendors handling personal data subject to GDPR or CCPA, the absence of a clear process for data access, deletion, or opt-out requests is a gap.

Public Privacy Policies vs. Contractual Commitments

A common source of confusion: the vendor's public privacy policy and the contractual agreements you sign (DPA, MSA, BAA) are separate documents that can contradict each other.

When They Conflict

The public privacy policy might say "we share data with advertising partners," while the DPA you signed says "data is processed only for the purposes specified by the customer." Which one governs?

Typically, the contractual agreement takes precedence between the parties. But the public privacy policy still matters because:

  • It reflects the vendor's actual operational practices — the DPA says what they promise you, but the privacy policy may reveal what they actually do across their business.
  • Regulators and auditors may review the public policy as evidence of the vendor's general data handling posture.
  • If the vendor's privacy policy permits practices that the DPA prohibits, it raises questions about whether the DPA commitments are actually being implemented.

What to Do About Conflicts

  • Flag the discrepancy and ask the vendor to explain it.
  • Request that the vendor update their public privacy policy to be consistent with contractual commitments, or provide written confirmation of which controls apply to your data specifically.
  • Document the conflict in your vendor risk assessment file. Even if you proceed with the vendor, the record matters for audits.

Privacy Policy Review Within a Broader Vendor Risk Assessment Program

Reviewing a vendor's privacy policy is one input into vendor risk assessment — not the entire program. A thorough evaluation also includes:

  • Security questionnaires (SIG, CAIQ, or custom)
  • SOC 2 or ISO 27001 reports — these audit controls, not policy language
  • Penetration test results or vulnerability scan reports
  • Data Processing Agreements and contract terms
  • Incident history and breach disclosures
  • Insurance coverage (cyber liability)

The privacy policy is uniquely useful because it is public, unmediated, and reflects the vendor's own characterization of their practices. It is also the document most likely to be seen by your customers and regulators, which makes inconsistencies between the policy and your contract a practical risk.

Standardizing Vendor Privacy Policy Reviews for Procurement Teams

For organizations evaluating dozens or hundreds of vendors, ad hoc reviews do not scale. Procurement and compliance teams benefit from a repeatable process:

  1. Create a review checklist covering the areas above: data collection, sharing, retention, security, sub-processors, international transfers, and data subject rights.
  2. Tier your vendors by data sensitivity. A vendor that only processes anonymized usage metrics does not need the same scrutiny as one handling customer PII or PHI.
  3. Set review triggers. Review the privacy policy at onboarding, at contract renewal, and when the vendor notifies you of policy changes (or when you discover changes independently).
  4. Document findings consistently. Use a standard format so that results are comparable across vendors and accessible during audits.
  5. Assign ownership. Decide whether privacy policy review sits with legal, security, procurement, or a dedicated GRC team — and make sure someone is accountable.
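A minimal way to implement step 3's "discover changes independently" trigger, as an added example rather than anything from the original page or service: fingerprint each stored snapshot of a vendor's policy, and when the fingerprint changes, report which sections changed and whether their new wording contains phrases from the red-flag list above. The snapshot text and the section layout (a heading line followed by body lines, blank-line separated) are constructed assumptions.

```python
import hashlib
import re

# Constructed sample snapshots of a vendor policy (not a real vendor's text).
BASELINE = """Data Retention
Customer data is deleted within 30 days of contract termination.

Changes to This Policy
We will notify customers 30 days before material changes take effect.
"""
CURRENT = """Data Retention
We retain data as long as necessary for our business purposes.

Changes to This Policy
We may update this policy at any time without notice.
"""

# Phrases from the red-flag list above; matched case-insensitively.
RED_FLAGS = ["as long as necessary", "indefinitely",
             "partners and affiliates", "at any time without notice"]

def normalize(text):
    """Collapse whitespace and case so cosmetic edits do not trigger a re-review."""
    return re.sub(r"\s+", " ", text).strip().lower()

def fingerprint(text):
    """SHA-256 of the normalized text; store this with the review record."""
    return hashlib.sha256(normalize(text).encode()).hexdigest()

def split_sections(text):
    """Map heading -> body, assuming one heading line followed by body lines per block."""
    sections = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.strip().splitlines()
        sections[lines[0].strip()] = " ".join(l.strip() for l in lines[1:])
    return sections

def review_changes(baseline, current):
    """Return which sections changed and any red-flag phrases in their new text."""
    if fingerprint(baseline) == fingerprint(current):
        return {"changed": False, "sections": {}}
    old, new = split_sections(baseline), split_sections(current)
    report = {}
    for heading in sorted(set(old) | set(new)):
        if normalize(old.get(heading, "")) != normalize(new.get(heading, "")):
            body = new.get(heading, "")
            report[heading] = [p for p in RED_FLAGS if re.search(p, body, re.I)]
    return {"changed": True, "sections": report}
```

Any non-empty `sections` entry is a trigger to re-open the checklist review for that vendor; the flagged phrases tell the reviewer where to start.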

Common Mistakes

Even organizations with mature vendor management programs make these errors:

  • Reviewing the DPA but not the public privacy policy. The DPA governs your relationship, but the privacy policy reveals broader practices. Both matter.
  • Assuming SOC 2 certification means the privacy policy is compliant. A SOC 2 audit covers controls and processes; it does not assess the accuracy or completeness of a vendor's public privacy policy. A vendor can pass a SOC 2 audit and still have a privacy policy full of gaps.
  • Not re-reviewing after vendor policy updates. Vendors change their privacy policies. If you reviewed it two years ago at onboarding and never looked again, your risk assessment is based on outdated information.
  • Treating all vendors the same. A vendor handling encrypted backup data has a different risk profile than one processing end-user PII. Scale your review effort to the risk.
  • Relying solely on the vendor's self-reported questionnaire answers. The privacy policy is an independent data point that can validate — or contradict — what the vendor claims in a security questionnaire.

How Privacy Policy Review Helps

We review vendor privacy policies against SOC 2, GDPR, HIPAA, CCPA, ISO 27001, and PCI DSS requirements and flag specific concerns — from vague data sharing clauses to missing retention disclosures. For procurement teams evaluating multiple vendors, this provides a consistent, documented baseline that slots directly into your existing vendor risk assessment workflow.

Ready to review your privacy policy?

Get AI-powered compliance analysis verified by an attorney — flat $199 per review.
