Effective risk management involves four basic measures: (1) framing the risk; (2) assessing the risk; (3) responding to the risk; and (4) monitoring the risk. Building or enhancing a third-party risk management (TPRM) program to address third parties’ compliance with data protection and privacy regulations should include each of those steps. Privacy and information security go hand in hand. Information security involves protecting data confidentiality, integrity and availability, and a third party that processes personal identifiable information must have those controls in place. As such, it is possible to conduct privacy and security assessments simultaneously – or even combine them. This checklist, derived from our previous in-depth coverage on managing third-party vendor privacy and data security risks, is intended to serve as a guide for the first two measures of an effective TPRM program – framing and assessing the risk. See “A Checklist for Fund Managers to Ensure Adequate Vendor Management” (Sep. 9, 2021); and “How Fund Managers Can Develop an Effective Third-Party Management Program” (Sep. 21, 2017).