When offboarding a vendor who handled sensitive personal data, what is the compliance officer's primary obligation?