First GDPR, Now CCPA: Manage Your Vendors So They Don’t Put You at Risk


One year ago, organizations of all sizes were scrambling to comply with the pervasive General Data Protection Regulation (GDPR). The dark underbelly of data privacy had just been revealed, and departments were working together to secure their organization and ensure vendor compliance to avoid hefty fines.

On May 25, 2018, GDPR took effect, intending to give European Union residents and citizens greater control by enacting strict rules on how personally identifiable information (PII) is collected, stored and used. Over the course of the year, companies of all sizes felt the impact of GDPR. While many companies took a lackadaisical approach to GDPR compliance in the early part of the year, the same companies jumped into action once the EU flexed its proverbial muscle.

However, time has shown that this is just the beginning. As organizations take a deep breath and collectively reminisce on the year since GDPR went into effect, there is still one major box to check off, especially for US-based organizations.

Case in point: the California Consumer Privacy Act (CCPA).

Several organizations may be feeling like Bill Murray in Groundhog Day as they start to prepare for CCPA; however, the repetition is good practice as the country – and the globe – moves towards more stringent data privacy laws. In the years to come, vendor compliance with regulations like CCPA and GDPR will become a crucial aspect of third-party risk management.

What the California Consumer Privacy Act Entails

According to the Californians for Consumer Privacy, the organization responsible for the creation of CCPA, the law is looking to accomplish the following goals:

  • The right to know what information large corporations are collecting about consumers.
  • The right to tell a business not to share or sell consumer personal information.
  • The right to protections against businesses that do not uphold the value of consumer privacy.

Failure to comply with the regulations can be pursued through consumer lawsuits (for data breaches) or through monetary fines set by the California Attorney General of up to $2,500 per violation.

In short – the CCPA allows consumers to take back control of personal data that is collected, stored, distributed and sold without their knowledge. Ensuring vendor compliance is critical because it directly affects an organization’s operations, reputation and, most importantly, the protection of consumer data.

Where to Start with CCPA Compliance

At a high level, CCPA is similar to GDPR in that it is putting the consumer first, ensuring that each individual has explicit rights to any data that is collected by external parties.

There are nuanced differences between the two; however, the basic guidelines for GDPR can also be applied to CCPA. While there are more than six months until the law goes into effect, companies cannot wait until the last minute to comply – even more so if their vendors have access to personal data belonging to Californians. Here are three high-level steps to start the compliance process:

1. Risk Assessment

Conduct an organization-wide initial risk assessment to determine whether CCPA applies to your organization or your vendors.

This is the quickest and simplest step – a swift and repeatable way to determine whether any data that an organization or its vendors collect falls under CCPA. This initial risk assessment needs to at least confirm the following:

  • Do you or your vendors hold personally identifiable information (PII)?
  • Does any of the PII belong to California citizens or residents?

This assessment instrument may be as simple as a brief questionnaire. But to be effective, it must be distributed among every potential data holder to ensure that no potential reservoir of personal data is overlooked. Be sure to include all internal systems and data silos, all third parties who may hold customer and employee data, and any new third parties.

2. Data Privacy Impact Assessment

Complete impact assessments that reveal the nature and extent of your exposure.

In every instance where PII has been identified, an in-depth “data privacy impact assessment” is necessary to determine what types of personal data are stored, how that data is collected and used, and what controls are currently in place. Internal enterprise assessments and external assessments of each vendor are both needed to confirm that compliance measures are being taken inside and outside the organization. The assessment should address the following issues:

  • Data Issues: The types of PII (names, addresses, SSNs), where this data is stored, how it is used and how it is deleted.
  • Access Issues: The individuals, departments and systems that have access to this information.
  • Control Issues: The current policies and procedures for data collection, use and compliance, and how controls are checked and documented.

With these assessments, organizations can identify the gaps in data practices for both themselves and their vendors and answer the question: where do potential vulnerabilities remain?

3. Policies & Procedures

Establish and monitor policies and procedures to maintain CCPA compliance over time.

Enterprises need to document intent by creating and enforcing data policies and procedures for themselves and for their partnerships with third parties. Components to an initial compliance program should include:

  • People: If not already in effect, organizations should create a distinct data compliance role responsible for data monitoring and enforcement, and identify comparable roles among third parties. Once confirmed, a means of regular communication and reporting between these roles must be established.
  • Policies: Organizations need to create and document policies, including procedures for addressing the biannual California citizen data requests and for addressing potential policy breaches. They must also confirm vendor compliance with CCPA by ensuring their third parties have appropriate policies and procedures in place.
  • Monitoring: With GDPR, and now CCPA, all data activity must be monitored, and organizations should establish regular procedures for the monitoring and documentation of both internal and external (third-party) data activity. Other documentation should include “read & understood” certification activities to educate employees and third parties, and the tracking of potential policy or personnel changes, made internally or by third-party providers, that could affect CCPA compliance.

Automated Third-Party Risk Management Can Streamline Vendor Compliance with CCPA

While many of these steps seem simple in nature – a few forms, a few checked boxes – companies that deal with several hundred vendors need more than paper forms to ensure vendor compliance across their vendor population.

If an organization has over 200 vendors, an initial two-question assessment can grow from an hour-long process to days…or even weeks. Paper-based policy documentation resists efficient management – and may expose organizations to unnecessary risk. Automating manual processes with Third-Party Risk Management software can not only ease the burden of this new regulation, but also save valuable time and money for an organization.

January 1, 2020 may seem far away, but the time is now to comply. Contact ProcessUnity to learn how you can simplify and streamline your organization’s CCPA compliance process.