Privacy Risk Is Not a Line Item
- Corina
- Apr 14
Updated: Jul 27
When I started looking into how to build a third-party risk program that actually made sense for privacy, I figured something would already exist — a guide, a framework, something practical.
It didn’t.
Most of what I found was security-heavy — certifications, technical checklists, or contracts. Privacy, if it showed up at all, was usually buried at the bottom with a one-line question: “Is PII or PHI involved?” If the answer was no, the review moved on.
The problem is that even privacy lawyers have to pause before answering that question. Definitions vary, and context matters. So how are employees with no privacy background supposed to get it right? They’re forced to make judgment calls on something that even experts debate.
Sometimes someone will even try to turn a DPIA into a vendor assessment form — which sounds efficient, but creates its own set of problems. I’ll break that down in my next article.
Privacy risk definitely isn’t something you can squeeze in at the end. And most TPRM programs aren’t built to handle it.

Where Things Break
A lot of companies rely on SOC 2 reports or penetration testing reports and assume that’s enough. If a vendor says “we’re compliant,” the conversation moves on.
But those same vendors are collecting personal data, transferring it internationally, bringing in sub-processors, and using the data in ways that don’t always get disclosed.
And no one’s really asking the privacy questions. Not early enough, not clearly enough, and not consistently.
That’s the gap I kept running into — and why I started writing.
Privacy Risk Isn’t Just a Checkbox
It’s not something that fits under security or legal. It’s its own thing. And it touches way more than people think.
It changes how you scope vendors. What you ask them. When you get involved. And what you can actually enforce later if something goes wrong.
But in most orgs, privacy teams get brought in too late — or not at all. By then, the vendor’s already signed. Or live. Or both.
What I’m Working On
I’m writing a book about building privacy-first third-party risk programs — something that actually reflects how privacy works in the real world, not just how it's supposed to work on paper.
The book’s still in progress. But as I write, I’m putting together a framework based on real decisions teams are making — and the questions that actually matter when it comes to vendors and data.
I’m also thinking about building out some tools and templates to go with it — things I wish I had when I was trying to piece this all together. If that’s something you’d want to see, let me know in the comments. I’m still figuring out what’s most useful.
Privacy risk can’t be stapled on at the end. It has to be part of how vendor relationships are built from the beginning — not just in assessments, but in contracts too.
It’s important to evaluate those risks early and work closely with the commercial legal team reviewing contracts. That’s how you make sure the right protections are in place.