GDPR: vendor privacy compliance

The KPMG privacy video series is designed to help your organization think through the priorities of GDPR and align your privacy compliance efforts without disrupting business.
View all episodes of the "KPMG Privacy" video series.
  • Welcome, and thank you for watching KPMG’s privacy video series. This is the third of three videos dedicated to sustaining GDPR.
  • Vendor management is an area of concern for most organizations: as they work to improve their privacy program, they see a potentially large gap in vendor GDPR compliance.
  • First, determine who will own vendor privacy compliance.
  • We recommend developing a RACI matrix reflecting multi-stakeholder responsibilities.
  • Also remember to define the organization's risk appetite related to vendors and understand its implications.
  • Develop a vendor intake questionnaire to enable prioritization of vendors into high, medium and low risk.
  • For each risk level, determine the appropriate level of due diligence, including what to do when the vendor contract is complete.


  • Coordinate with legal to address contractual GDPR language.
  • Coordinate with IT security-for-privacy to address technical controls.
  • Coordinate with risk stakeholders to address vendor compliance reviews.
  • Agree with stakeholders on the ramifications for vendor
  • Do not forget to continue to adjust and monitor risk levels and privacy governance based on lessons learned throughout the contract period.


  • Thank you for your attention as we wrap up our section on sustaining GDPR.
  • Please stay tuned for the final set of videos in this series, focused on realizing value from your GDPR program.
  • Thanks for watching.


Related content

Steven Stein

Principal, Cyber Security, KPMG US

+1 312-665-3181