Walk With Me: The Hidden Risks in the People We Trust - Third-Party & Vendor Management

As I’ve been learning more about data privacy, one topic keeps coming up in almost every discussion with our Compliance Lead and clients - a topic I didn’t realise was so important at first: third-party risk.

Even if your organisation is doing everything right, you can still be exposed if the people you work with aren’t. 
When the penny dropped

I used to think third-party risk was something handled quietly by IT or Procurement. We sign contracts, onboard tools, outsource tasks, and assume the rest is taken care of. 
But sitting in compliance conversations, I started hearing stories of incidents that weren’t caused by the organisation itself but by a partner they trusted: 

  • A platform storing more data than necessary 

  • A supplier using outdated security 

  • An external consultant saving files in the wrong place 
I didn’t realise how often breaches start outside the organisation. And that’s when it hit me: Your privacy efforts are only as strong as your weakest vendor. 
What I’m learning

The more I pay attention, the clearer a few things become: 

  • Vendors don’t just offer services. Many of them process personal data. And once they have it, you’re still responsible for what happens to it. 

  • Contracts are not paperwork. Data Processing Agreements (DPAs) set the rules for how your data may and may not be used or stored. 

  • Due diligence isn’t something you do once. Vendors change systems, take shortcuts, grow too fast, or fail to update controls, and their risks change with them. 

  • Shadow IT is real. Teams using unapproved apps or tools “just to get things done” can introduce risk without realising it. 
It turns out vendor management isn’t just technical - it’s very human. It’s about trust, visibility, and asking the right questions. 
Why it matters

When a vendor mishandles data, people rarely blame the vendor. They blame the organisation whose name they recognise. 
The consequences can include: 

  • Costs and fines 

  • Loss of trust 

  • Shared liability 

  • Operational disruption 
And “our vendor did it” won’t protect your reputation or your customers. 
Walk with me

This part of the journey has taught me that privacy doesn’t stop at the edge of your organisation. It extends to every partner, every tool, and every service provider you rely on. 
I’m still learning how organisations choose vendors, how they monitor them, and how they keep responsibilities clear. But I’m realising that strong privacy doesn’t come from isolation; it comes from oversight. 
If your organisation shares data with anyone (and most do), it’s worth asking: “Do they protect data the way we expect ourselves to?” 
As always, I’m learning as I go and I’d love for you to walk this road with me. 