Home

ShowMe-TellMe ยท Third Party & Privacy Risk Appraisal
๐Ÿ”— Third Party & Privacy Risk ยท US & Global

ShowMe-TellMe

“If you can’t show it, you can’t prove it.”

A structured appraisal platform that reveals the true state of your third party relationships and privacy risk posture โ€” with AI-powered scoring, actionable insight, and evidence you can stand behind. Built for organisations operating under GDPR, CCPA, HIPAA, and beyond.

Access Your Dashboard Get in Touch
Scroll
The Risk Landscape

The cost of not knowing
is greater than the cost of finding out.

Organisations that lack visibility into their third party relationships and privacy risk exposure face escalating regulatory, operational and reputational consequences. Whether you’re operating under GDPR, CCPA, HIPAA or a growing patchwork of state-level US privacy laws โ€” your risk doesn’t stop at your own front door, and neither does your accountability.

$20M+
FTC civil penalty exposure per violation under US federal privacy enforcement actions
ยฃ17.5M
Maximum UK ICO fine under UK GDPR โ€” up to โ‚ฌ20M or 4% global turnover under EU GDPR
72hrs
Mandatory breach notification window under GDPR โ€” 30โ€“72 hours under most US state laws
56%
Of data breaches originate from or involve a third party vendor or supplier
60%
Of SMEs that suffer a significant breach close within 6 months
โš–๏ธ
Regulatory Risk
GDPR, UK GDPR, CCPA/CPRA, HIPAA, and an expanding wave of US state privacy laws all hold you accountable for how your processors and sub-processors handle personal data โ€” regardless of what a contract says. Gaps in vendor due diligence, data processing agreements, or impact assessment coverage leave you directly exposed to regulatory investigation and enforcement on both sides of the Atlantic.
๐Ÿ”—
Third Party Risk
Every supplier, contractor, or SaaS platform with access to your data or systems is an extension of your risk surface. Without structured oversight โ€” onboarding, contractual controls, ongoing review โ€” you cannot evidence due diligence, only claim it. Regulators in the US and UK expect documented proof, not assertions.
๐Ÿ“ฐ
Reputational Risk
A breach originating from a third party is still your breach in the eyes of regulators, clients, and the public. In regulated sectors, the reputational damage from a supplier-linked privacy failure frequently outlasts the financial penalty.
The Process

From exposure to evidence
in three clear steps.

01
Assess
Work through a structured set of data points across privacy and third party risk categories. Answer honestly โ€” the platform is designed to surface reality, not reward optimism.
02
Score
Each answer is evaluated by AI against the SMTM rubric, returning a score of 0โ€“3 with detailed gap analysis, recommended actions and a quick win for immediate progress.
03
Act
Receive a full appraisal summary โ€” heatmap, executive report and prioritised recommendations โ€” giving leadership the visibility to make informed, evidenced decisions on third party and privacy risk.
What We Assess

Eight domains. Third party and privacy risk, fully covered โ€” across GDPR, CCPA, HIPAA and beyond.

ShowMe-TellMe evaluates your organisation across eight core pillars of third party and privacy risk โ€” giving you a complete, evidenced picture of where you stand and where your exposure lies, whether you operate under GDPR, UK GDPR, CCPA/CPRA, HIPAA, or a combination of frameworks.

๐Ÿ”—
Third Party Governance
Vendor onboarding, due diligence, contractual controls, ongoing oversight, sub-processor management and exit provisions.
๐Ÿ—„๏ธ
Data Management & Privacy
Data lifecycle, consumer/subject rights, retention, deletion, cross-border transfers, AI and inference โ€” mapped to your legal basis and obligations under GDPR, CCPA/CPRA, HIPAA, and applicable state laws.
๐Ÿ–ฅ๏ธ
Infrastructure & Access Control
Patch management, third party system access, user devices, data isolation and storage security across your supply chain.
๐Ÿ”’
Physical & Environmental Security
Facilities access, server controls, information destruction and external privacy controls โ€” including those operated by suppliers on your behalf.
๐Ÿ›ก๏ธ
Incident & Breach Management
Alerting, incident response, breach notification obligations, third party incident protocols and regulatory reporting โ€” covering GDPR Article 33, CCPA, HIPAA Breach Notification Rule, and US state-level requirements.
๐Ÿ“‹
Policy & Contractual Framework
Core policy documentation, data processing agreements (DPAs), data sharing agreements, privacy impact assessments, service provider contracts under CCPA, and evidence of implementation across jurisdictions.
โš™๏ธ
Privacy Engineering & Secure Development
Privacy by Design, secure development lifecycle, threat modelling, third party integration standards and developer competence.
๐Ÿ—๏ธ
Privacy Architecture & Technical Governance
API and integration privacy controls, data minimisation at interface level, authentication and protection against third party API abuse.
Third Party Risk

Your risk doesn’t stop
at your door.

Every supplier, contractor and partner with access to your data or systems is an extension of your risk profile. Under GDPR, UK GDPR, CCPA/CPRA, and HIPAA, you remain accountable for how third parties process personal data on your behalf โ€” regardless of what a contract says, and regardless of where in your supply chain a failure occurs.

ShowMe-TellMe places third party risk at the centre of your appraisal โ€” covering onboarding, oversight, contractual controls, sub-processor and service provider chains, and ongoing review โ€” so you can evidence due diligence to regulators in the US, UK, and EU, not just assert it.

Talk to Us About Third Party Risk
๐Ÿข
๐Ÿ”—
๐Ÿ”—
๐Ÿ”—
๐Ÿ”—
Why ShowMe-TellMe

Built for organisations that need
more than a vendor questionnaire โ€” wherever they operate.

๐Ÿค–
AI-Powered Scoring
Every answer is evaluated by AI against a structured rubric โ€” delivering consistent, objective scoring with detailed improvement guidance.
๐Ÿ“Š
Visual Clarity
Heatmaps, band ratings and completion percentages give leadership an instant view of risk across every category and goal.
๐Ÿ“„
Evidenced Reports
Generate a full executive summary โ€” structured, professional and PDF-ready โ€” suitable for board reporting, regulatory review, client assurance, or responding to FTC, ICO, or state attorney general enquiries.
๐Ÿ”
Secure by Design
Role-based access, encrypted API keys, audit logging and session controls ensure your appraisal data is protected at every layer.
Know What to Look For

The black art of data privacy:
dark patterns in permissions.

Organisations โ€” and their suppliers โ€” routinely use design and language to obscure, manipulate or obstruct meaningful consent. These aren’t edge cases. They are systemic, frequently unlawful, and directly relevant to your risk posture. Click any pattern to understand the mechanism, the regulatory exposure, and what good looks like.

Consent manipulation
Pre-ticked boxes
Opt-out disguised as opt-in
Consent bundling
Unrelated purposes tied together
Cookie walls
Pay or consent ultimatum
Confirm-shaming
“No thanks, I hate deals”
Architecture tricks
Purpose creep
Data reused beyond stated scope
Default-on
Sharing on unless you find the off
Silent consent
Continued use = agreement
Daisy-chaining
Consent passed through vendors
Friction by design
Roach motel
Easy in, hard out
Labyrinth settings
Buried 6 menus deep
Fake LIA
Legitimate interest as a shield
Deletion friction
Obstacles to erasure requests
Obfuscation
Notice fatigue
Policies no one can read
Vague categories
“Improve your experience”
Privacy theatre
Compliant form, empty substance
Retroactive drift
Policy updated, data already used

Regulatory risk

Click any pattern to read the detail

Get in Touch

Ready to see where you stand?

Whether you’re looking to run your first appraisal, assess your third party risk exposure, or discuss how ShowMe-TellMe can support your privacy compliance programme under GDPR, CCPA, HIPAA or beyond โ€” we’d love to hear from you.

๐Ÿ’ฌ
Quick Response
We aim to respond to all enquiries within one business day.
๐Ÿ”’
Confidential
Your enquiry is treated in confidence. We don’t share your details with third parties.
๐ŸŽฏ
No Obligation
We’re happy to answer questions and discuss your needs without any pressure or commitment.