Vendor risk assessment GDPR requirements — a practical framework covering processor scope, controls, sub-processors, transfers and ongoing oversight.