When a vendor collects data under an outdated contract that does not align with current organizational practices, the preferred response is to update the contract. This approach ensures that the vendor’s data practices align with the current privacy standards and requirements of the organization, maintaining compliance and protecting data subjects. Terminating the contract or destroying the data may be extreme steps that could disrupt business operations or lead to data loss. Continuing the existing contract without any updates leaves the organization exposed to non-compliance risks.