Building a scalable vendor assessment process (GDPR & NIS2)

How do you build a vendor assessment process that can actually scale — while keeping pace with growing regulatory pressure from both GDPR and NIS2?

In this episode of Practical Privacy, Orla Dormer speaks with Natalija Bitiukova about the operational realities of managing third-party risk in increasingly complex organisations.

As vendor ecosystems grow, many privacy and security teams find themselves overwhelmed by manual reviews, inconsistent processes, duplicated questionnaires, and unclear ownership between functions. The introduction of NIS2 only adds further pressure, increasing expectations around supplier oversight, cybersecurity governance, and operational resilience.

Natalija shares practical insights into how organisations can move beyond reactive vendor reviews and design scalable assessment processes that support both compliance and business operations.


What we cover in this episode

Rather than treating vendor assessments as isolated compliance exercises, Natalija explains why organisations need integrated, risk-based operational processes. She discusses:

  • The growing complexity of vendor management under GDPR and NIS2
  • Why manual assessment processes become unsustainable at scale
  • The importance of aligning privacy, security, procurement, and legal teams
  • How to prioritise vendors based on actual risk exposure
  • Reducing friction while maintaining appropriate oversight
  • Why operational clarity matters more than excessive documentation

A major theme throughout the conversation is that scalable governance depends on simplification, collaboration, and clear ownership — not simply adding more controls or questionnaires.

Key lessons from this episode

  • Vendor assessment processes must be designed for scale from the beginning
  • GDPR and NIS2 require stronger operational collaboration across teams
  • Risk-based prioritisation improves both efficiency and oversight
  • Manual workflows create long-term operational bottlenecks
  • Clear governance ownership reduces duplication and confusion
  • Effective vendor management balances compliance with business practicality

This episode is a practical discussion about operationalising third-party risk management in modern organisations — including the realities of scaling assessments, improving governance, and reducing unnecessary process friction.

Follow the series

If you want more real-world conversations about privacy operations, AI governance, and scaling compliance without unnecessary complexity:

New episodes are released regularly as part of the Practical Privacy series.

🟡 If the challenges discussed in this episode resonate, you don’t have to solve them alone. Book a demo to see how organisations like Randstad and other global companies operationalise privacy and AI governance in practice, reducing complexity while aligning compliance with how their business actually works.