Onboard new third-party processors and service providers.
Check if the vendor has permission to use sub-processors under GDPR Article 28.