Solution 05 of 08 VDR

Vendor & Third-Party Risk Management

NDPA Section 29 · CRISC · CDPSE

The Problem SAC Solves

Organizations share personal data with dozens of vendors — cloud platforms, payroll processors, HR systems, marketing tools, logistics partners — without structured data processing agreements, documented due diligence, or transfer risk assessments. Under NDPA Section 29, the controller remains fully accountable for processor compliance.

What Regulators Expect

Data Processing Agreements for all material processors (NDPA Section 29)
Vendor due diligence records — privacy posture assessment
Sub-processor notification and approval records
Cross-border transfer risk assessments (NDPA Sections 43–44)
Annual vendor review cycle documentation
Data sharing register — all third-party relationships mapped

SAC Intervention

SAC audits the organization's vendor landscape, prioritises vendors by data risk, executes the DPA program for material processors, and installs a vendor risk management framework that maintains ongoing compliance as the vendor estate evolves.

What You Receive

Vendor data landscape map
Vendor risk prioritisation matrix
Data Processing Agreement template
DPAs executed for material processors
Vendor privacy assessment questionnaire
Sub-processor register
Cross-border transfer assessment (per jurisdiction)
Annual vendor review protocol

Expected Outcome

A compliant vendor estate — every material data sharing relationship governed by a DPA, every processor assessed, every transfer risk documented and managed.

A compliant vendor estate — before scrutiny, not under it.

SAC is an NDPC-Licensed DPCO operating under NDPA 2023. Every engagement is conducted by a named principal — not delegated to a junior analyst. A 20-minute diagnostic conversation costs nothing and carries no obligation.

Commission Vendor Risk Assessment All Solutions

NDPC/DCP/01784 IIM ATO #d193ed82f32a4eb64 ISACA DTEF Certified Facilitator FCA · CISA · CDPSE · CRISC CAC RC 2638736