
Understanding Vendor Assessments


What is a Vendor Assessment?

Organizations use a Vendor Assessment to evaluate how a third-party vendor manages the personally identifiable information (PII) that the organization shares with that vendor. The assessment is used to understand whether or not vendors are implementing and maintaining appropriate security and privacy controls.

A Vendor Assessment is typically used as part of an overall program that establishes guidelines to ensure that an organization’s vendors comply with that organization’s required information security policies and procedures. Organizations will seek a security and privacy review of active and potential vendors, and vendors must demonstrate that they have practices in place to securely manage data.

What are the benefits of doing Vendor Assessments?

Third-party vendors are a high-risk area for privacy breaches and pose potential risks to the protection of confidential personal information through improper usage and sharing. Organizations provide third-party providers with personal information in a variety of ways. Some do so intentionally by specifically giving the information to the third party. Others do so in effect by placing the vendor in a situation where they have access to the information. Organizations may also share information unintentionally with a vendor.

Vendor Assessments are used to understand a vendor’s business continuity plans, regulatory compliance, and data security safeguards. After collecting and analyzing survey responses, an organization can determine the level of risk involved in giving vendors or third parties access to that organization’s internal systems and data. Collecting this information from vendors enables an organization to ensure that its vendors are consistently compliant with required security policies and procedures.

How does WireWheel support Vendor Assessments?

Using WireWheel’s Privacy Operations Manager, organizations can conduct multiple vendor assessments. The platform maintains a record of all the assessments completed for the organization. Vendor Assessments can be triggered manually or through automation.

For organizations that have several vendors, automating Vendor Assessments can save time and effort, resulting in better resourcing and reduced costs. One way this can be achieved is by automatically initiating a follow-up assessment based on a response submitted during an internal privacy impact assessment. When someone confirms involvement of third-party vendors, a vendor assessment can be triggered.

WireWheel also provides organizations the ability to initiate a follow-up assessment within a template based on the vendor data collected in an internal privacy impact assessment. The privacy impact assessment captures the vendor information, and WireWheel uses that data to automatically trigger vendor assessments, especially multiple ones at the same time.

The follow-up vendor assessments are automatically triggered and assigned to the vendor(s) whose details are provided in the privacy impact assessment.

Common Types of Vendor Assessments

WireWheel has designed templates for standard vendor assessments based on requirements from privacy laws including the EU’s GDPR and California’s CCPA/CPRA:

Third Party Assessment – This assessment is designed to conduct a security review of active and potential vendors. Vendors must demonstrate that they have practices in place to securely manage data. This enables the organization to ensure that its vendors are consistently compliant with required security policies and procedures.

Data Seller Vendor Assessment – This assessment is meant to ensure compliance by data sellers who offer their own collected first-party data for purchase or aggregate first-party data from other companies. This enables an organization to make sure that the data it sells will be used properly by the parties it sells the data to. The questions in this reseller assessment are based on leading industry frameworks and legislation including NIST, ISO 27001, IAB TCF, GDPR, California’s CCPA and CPRA, Colorado’s CPA, Virginia’s CDPA and Utah’s UCPA. The focus of this review is to ensure the legal, ethical, and secure use of data for marketing purposes.

High Risk Assessment – This assessment is designed to ensure that sensitive personal information is properly stored and protected. California’s CPRA, Colorado’s CPA, and Virginia’s CDPA require assessments for data processing activities that “present a heightened risk of harm to a consumer”. These include processing personal data for targeted advertising, sale/share, profiling, and the use of sensitive data.


With more and more regulations requiring Vendor Assessments, leveraging a tool like WireWheel’s Privacy Operations Manager can help companies ensure that they are handling personal information properly.