Third-Party Risk · GDPR Article 28

Vendor privacy risk software that knows what every processor does with your data

Assess processors, track data processing agreements and evidence Article 28 due diligence from one governed vendor inventory — including the shadow AI and shadow IT nobody registered.

Due diligence records, recurring reviews, DPA evidence and an audit-ready Third-Party Risk Register — linked to the systems and data each vendor can actually touch.

[Screenshot: Acompli vendor risk register showing Article 28 vendor due diligence, supplier risk breakdown and diligence status, with Suppliers, Third Parties, Locations and Systems views.]

One governed processor record: due diligence, DPAs, reviews and evidence stay connected.
The Article 28 vendor lifecycle

Vendor inventory and vendor risk assessments

Acompli helps teams maintain a vendor inventory and trigger vendor risk assessments based on data access, criticality, processing purpose, system dependency, AI use, transfer exposure or renewal date.


Suppliers, systems and locations in one connected inventory

Maintain structured records for the organisational entities commonly referenced in privacy work. Those records are not kept in isolation — they can be reused across assessments, risk workflows, and Article 30 records.

Wherever they appear, those records keep links back to the underlying entity and its source context.

Connected records. Clear exposure.

IT Systems

Structured records for systems involved in processing personal data, with operational and ownership context.

Third Parties

Processors and external parties recorded once, then referenced across due diligence, assessments, risk, and RoPA.

Locations

Geographic and operational context linked to supplier and system records within the same structure.

Records

DPAs, assessments, risks, reviews and audit evidence linked to the supplier relationship.

Always in context: every vendor, system and location is linked to the evidence and risks that matter.

Article 28 control record

What a defensible processor record has to prove

The diagram below sets out the processor record behind the product: role, DPA status, sub-processors, transfers and review cycles, each of which needs supporting evidence and links to the records that depend on it.

[Infographic: Article 28 control areas, the evidence each requires, system links and downstream uses for processor risk management.]

Vendor change impact

A supplier change should cascade to every affected record

Vendor updates do not stay isolated. New sub-processors, hosting changes, DPA updates and AI features can affect RoPA, DPIAs, transfer reviews, vendor risk and the data map.

[Infographic: how supplier changes create governance impacts and reopen affected records across vendor risk, RoPA, data mapping, TIA, DPIA and AI governance.]

Ireland & UK · GDPR Article 28 & Article 30

GDPR vendor management software for Article 28 oversight

GDPR vendor management is the Article 28 lifecycle in one record: due diligence before onboarding, a data processing agreement on file, recurring reviews, sub-processor oversight, transfer checks and evidence the DPC or ICO can inspect. Acompli turns those facts into a structured vendor inventory and Third-Party Risk Register.

Each vendor record stays linked to the systems, processing activities, data access, contracts, transfer safeguards and risks behind the relationship. When a supplier changes, the affected RoPA, assessment and risk records can be reviewed from the same evidence trail instead of reconciled from a spreadsheet.

Key takeaways

  • Vendor risk is privacy risk when third parties process, access or influence personal data.
  • Article 28 requires controllers to use only processors that provide sufficient guarantees (Article 28(1)) and to govern each processor under a written contract or other legal act (Article 28(3)), so the due-diligence record and the DPA both need to be evidenced.
  • Acompli links vendor records to systems, data access, RoPA, DPIAs, contracts, risk reviews and evidence.
  • Shadow AI and shadow IT should be treated as third-party risk signals when tools process or access personal data.

Last reviewed: 24 June 2026. See whether a RoPA is a legal obligation in Ireland and the UK (Article 30 explainer) · See the Schrems II Transfer Impact Assessment guide.

What matters

Third-party risk work has to stay connected to the processor record

Procurement tools and security-rating feeds can help, but they do not replace the privacy record. A defensible processor record needs the contract, due-diligence evidence, transfer safeguards, sub-processors and review decisions in one place.

  • Processor register: role, data access, DPA status and review date.
  • Sub-processors: prior-authorisation trail and onward transfer context.
  • Transfers: non-EEA suppliers linked to safeguards and any TIA.
  • Connected outputs: RoPA and risk updates drafted for human review.
  • Audit export: the current evidence without rebuilding it from spreadsheets.

Which tool

Which type of vendor risk tool fits you?

“Vendor risk” software splits into different jobs. Scoring a supplier’s cyber posture is a different question from evidencing GDPR Article 28 processor obligations — the right tool depends on which one a regulator will ask you about.

Security-rating TPRM
  Best for: security teams scoring cyber risk across many suppliers
  What it does: security ratings, questionnaires and breach monitoring
  Watch-out: rates cyber posture, not the GDPR Article 28 processor record, the DPA or the transfer safeguards a supervisory authority inspects

Procurement / contract management
  Best for: procurement teams managing the contract lifecycle
  What it does: stores and routes contracts, including the DPA document
  Watch-out: holds the contract, not the evidenced due diligence, sub-processor trail or transfer position behind each processor

Privacy-platform VRM
  Best for: privacy teams running Article 28 vendor due diligence
  What it does: vendor inventory, DPA tracking and processor assessments
  Watch-out: often a vendor module that sits apart from the RoPA, DPIAs and risk register

Privacy-platform-integrated (where Acompli sits)
  Best for: privacy teams who need the processor record to feed the RoPA, DPIAs and risk
  What it does: Article 28 due diligence and assessment-fed vendor records, linked to systems, transfers and sub-processors, with human review
  Watch-out: a privacy and governance tool, not a cyber-security-rating feed

Vendor risk FAQ

Frequently Asked Questions

What is vendor privacy risk management software?

Vendor privacy risk management software tracks the third parties that process or access personal data, and the evidence that makes each relationship defensible. In Acompli, every vendor record holds its processor role, data categories and access, DPA status, technical and organisational measures, sub-processor signals and review dates, all linked to the systems and processing activities the vendor actually touches.

What is GDPR vendor management software?

GDPR vendor management runs the Article 28 lifecycle: due diligence before onboarding, a data processing agreement on record, recurring reviews, and evidence the DPC or ICO can inspect. Acompli triggers a vendor risk assessment from onboarding, keeps the DPA and due-diligence evidence on the vendor record, and rolls everything into an audit-ready Third-Party Risk Register.

What is Article 28 processor due diligence?

Article 28 requires controllers to use only processors providing sufficient guarantees; due diligence is the documented check that those guarantees exist. In Acompli that record covers the processor, processing purpose, data access, technical and organisational measures, DPA status, sub-processors and review dates; completed vendor assessments feed the Article 30 register, and non-EEA suppliers are flagged for a Schrems II transfer review.

What should a vendor inventory include?

Vendor name, service and owner; processor or controller role; data categories and data-subject types; systems and data access; DPA status and due-diligence evidence; transfer destinations and safeguards; review dates and open risks. Acompli imports an existing vendor list from Excel and turns each row into a governed record connected to your RoPA, assessments and risks.

How should privacy teams handle shadow AI?

Treat it as third-party risk: record the tool, what personal data or prompts it touches, who uses it and under what terms. Acompli captures shadow AI and shadow IT as vendor signals so they enter the same inventory, get a risk assessment, and either become approved vendors with a DPA on record or are retired, with the decision trail kept for the DPC or ICO.

Is maintaining a processor register a legal requirement in Ireland and the UK?

Under Article 30 GDPR — applied in Ireland (enforced by the Data Protection Commission) and mirrored in the UK GDPR / Data Protection Act 2018 (enforced by the ICO) — controllers and processors must maintain records of their processing, and processor relationships sit within that obligation. Article 28 separately requires a written contract or other legal act governing every processor, and Article 5(2) accountability means you must be able to produce current, evidenced processor records on request. The small-organisation Article 30(5) exemption rarely applies in practice, because it is lost as soon as processing is more than occasional, is likely to result in a risk to data subjects, or includes special-category or criminal-offence data. A processor register that is current and audit-ready is what the DPC or ICO expects to see in an investigation.


Third-party risk connected

Supplier and processor oversight as part of one connected privacy workflow. Vendor records, assessments, risk, and RoPA outputs working together.