By mukul975
Manage full GDPR vendor privacy compliance lifecycle: conduct due diligence with risk scoring and questionnaires, draft DPAs, handle sub-processor approvals and notifications, cascade breach alerts, perform audits, set up ongoing monitoring programs, and execute termination data procedures.
npx claudepluginhub mukul975/privacy-data-protection-skills --plugin vendor-privacy-management-skills

Cloud service provider privacy assessment framework. Covers ISO 27018 cloud privacy controls, CSA STAR certification, SOC 2 Type II evaluation, shared responsibility model mapping, data residency verification, and cloud-specific privacy risk analysis.
GDPR-compliant Data Processing Agreement drafting per Article 28(3). Covers all 8 mandatory provisions including subject matter, duration, nature and purpose, data types, categories of data subjects, controller and processor obligations, and sub-processor cascade requirements.
SaaS vendor data processing inventory management. Covers shadow IT discovery, API-based data flow detection, processing purpose mapping, contract status tracking, and continuous inventory reconciliation for cloud service providers.
GDPR Article 28(2) sub-processor approval workflow management. Covers prior specific and general authorization mechanisms, change notification procedures, objection windows, flow-down obligation enforcement, and sub-processor chain risk monitoring.
Vendor breach notification cascade management per GDPR Article 33(2). Covers processor-to-controller notification without undue delay, escalation paths, coordinated multi-party breach response, liability allocation, and regulatory notification coordination.
Vendor certification acceptance criteria and equivalence mapping. Covers ISO 27701, SOC 2 Privacy, APEC CBPR, EU Code of Conduct evaluation, certification scope analysis, gap supplementation requirements, and cross-framework equivalence assessment.
Ongoing vendor privacy compliance monitoring program. Covers annual reassessment procedures, continuous monitoring signals, contract renewal privacy triggers, performance metrics, KPIs, and vendor governance reporting dashboards.
On-site and remote vendor audit procedures per GDPR Article 28(3)(h). Covers audit planning, evidence collection methodologies, finding classification, remediation tracking, and audit report generation for processor compliance verification.
Pre-contract vendor privacy due diligence per GDPR Article 28(1). Covers risk questionnaires, technical controls assessment, certification review, data flow analysis, and documented sufficiency decisions for processor engagement.
Vendor privacy risk tiering methodology for processor management. Covers scoring factors including data volume, sensitivity, transfer locations, certifications, breach history, and control maturity with weighted risk calculation and tier assignment.
Vendor termination data return and deletion procedures per GDPR Article 28(3)(g). Covers data extraction formats, deletion certification requirements, transition planning, residual data handling, and post-termination verification.