For every vendor that touches personal data, document what data they receive, why they receive it, what contracts require, and how they’ll help you handle rights requests, breaches, and deletion. Privacy reviews should be a standard part of vendor intake.
The Evidence Question to Ask Yourself: Could you show, for any vendor, what data they get, what they do with it, and how they help with rights requests and deletion?
