Regulations like the California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR) have triggered a convergence of third party risk management and data privacy. The complexity of navigating the nuances of each regulation and the operational challenges for third party relationships has generated considerable dialog within the Shared Assessments Program Privacy working group. As participants networked this past year to share ideas, best practices and pain points, the committee initiated a set of Privacy White Papers to help industry peers navigate and provide checklists to map their progress.
Monitoring the ongoing changes to interpretation of CCPA has felt like a moving target for organizations working to develop readiness plans or incorporate CCPA into their existing third party risk management program. For GDPR, the focus has shifted from readiness and preparedness to maintaining compliance and addressing themes from enforcement actions. While similar in some aspects of data privacy obligations, there are differences between the two regulations as it relates to third party risk management.
CCPA Overview
Terminology matters. Maps typically have legends to help users with directions, and distance markers to gauge the length of the journey ahead. Defining readiness and compliance plans has felt overwhelming due to conflicting terminology and different enforcement dates. Terminology in third party relationships can differ by the type of data privacy regulation or jurisdiction. CCPA shifted the terminology by defining business model relationships by what they are “not” vs. what they “are.” A starting point for third party risk management is to understand the business model and type of engagements with third party relationships.
Vendors that provide tangible goods are easier to exclude from some of the CCPA consumer privacy scope but are still important in your supply chain due diligence process. Which service providers may need to assist a business’s CCPA readiness and compliance effort depends not only on the data collected or disclosed, but on the type of service being performed.
Within the California Consumer Privacy Act (CCPA) Implications for Third Party Risk Management white paper, we outline each of the key components of CCPA, with comparisons to GDPR, to assist organizations with gaining a clear understanding of the obligations of each party.
Operational Challenges
Data privacy regulations start with a basic understanding of the type of personal information that has been collected, used, processed or disclosed. Within CCPA and GDPR there are different obligations between parties, including the types of disclosures that may be required under each jurisdiction.
Both sets of privacy regulations have defined different requirements for responding to an individual’s data access requests. Managing the data governance and data inventories for what data is in the control of the business or the outsourcer, and what is in the control of the service provider or data processor is a critical component in assessing the risk of the third party relationship.
Integration into Third Party Risk Management Programs
Charting a map forward for any new compliance program requires guideposts, landmarks and milestones along the way. As organizations conduct readiness and compliance plans for addressing each regulation’s unique requirements, they will identify deliverables that may need to be incorporated into their third party risk management program’s policies, standards, and procedures. Within the White Paper and Guidelines, the team has identified key fundamental areas of focus that may include:
GDPR provides a very prescriptive approach to what is required in the data processor contract and in the Article 28 obligations. The GDPR White Paper will summarize these requirements as they relate to data privacy oversight in third party relationships, with background information and checklists to incorporate into existing programs to maintain compliance.
CCPA created a new fork in the road for third party risk management – by outlining the concept of a certification process to take steps to affirm that a particular entity is classified as a service provider. That process is not just a “once and done” process, but an ongoing process to confirm ongoing understanding of the obligations the service provider must adhere to, and the restrictions and limitations for the use of the data of California residents. As part of the release of the White Paper, the Shared Assessments Working Group outlined a sequence of steps to define and structure a vendor certification process using the tools in your own TPRM program and within the Shared Assessments Program Toolkit and thought leadership papers.
While a compass is an old school tool to keep you charted on your course, leveraging lessons learned and best practices from third party risk practitioners is your virtual peer “GPS” resource in today’s dynamic landscape.
The Shared Assessments Program Privacy working group has released two sets of resources to help organizations understand the Third Party Risk Management Program implications of each of these important privacy regulations. The Privacy Guidelines and Tools are designed to assist organizations in their planning for identifying, tracking and monitoring data collection, retention and use in Third Party Relationships. These insights have been summarized into the following resources:
UNDERSTANDING THE THIRD PARTY PRIVACY TOOLS
The Privacy Guidelines are being made available as thought leadership resources to both members and non-members. They supplement and work in conjunction with the Shared Assessments Third Party Privacy Tools, a component in the Third Party Risk Management Toolkit.
The Third Party Privacy Tools within the TPRM Toolkit provide an Implementation Guide, which is a primer for understanding how to address privacy risk in third party relationships. The Privacy Tools include templates to scope and evaluate a third party privacy assessment with privacy controls based on specific privacy jurisdictions. The Privacy Tools also include the Target Data Tracker (TDT), a tool that can be used to document key information about data classification, data governance, locations, and fourth party relationships throughout the vendor management lifecycle.