The Shared Assessments Program issued “CCPA Privacy Guidelines & Checklists,” the security and risk industry’s first comprehensive set of best practices and tools to help organizations comply with the California Consumer Privacy Act (CCPA). Concurrently, Shared Assessments issued its updated “GDPR Privacy Guidelines & Checklist.”
Complying with the still-evolving CCPA statute has proven challenging for many organizations. Senior thought leaders from 10 firms have come together with Shared Assessments’ Privacy working group to outline the key components of CCPA, providing comparisons to GDPR, to assist organizations in gaining a clearer understanding of the obligations under these rules.
Confusion has arisen regarding several key aspects of this statute, such as classification requirements of providers and other third parties and processes required to manage and respond to consumer requests.
Even the CCPA’s definition of what is considered a “sale” has created new and confusing compliance requirements, because any exchange involving “valuable consideration” is a potential sale, whether or not monetary value is involved.
“Regulations like the California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR) have triggered a convergence of third party risk management and data privacy,” notes Linnea Solem, Founder & CEO of Solem Risk Partners.
“The complexity of navigating the nuances of each regulation and the operational challenges for third party relationships has generated considerable dialog within the Shared Assessments Program Privacy working group.
“As participants networked this past year to share ideas, best practices and pain points, the committee initiated a set of Privacy White Papers to help industry peers navigate and provide checklists to map their progress.”
“CCPA Privacy Guidelines & Checklist” provides detailed, actionable insight on:
- Operational challenges around data collection, use, and disposal.
- Thresholds and timelines for compliance with the regulations.
- Exemptions and industry distinctions, such as amendments and provisions specific to finance, healthcare and retail sectors.
- Data governance and vendor data inventories, anonymization and aggregation.
- Best practices for navigating the complex technology and marketing/advertising digital ecosystems.
- Detailed requirements and steps for integrating CCPA obligations into ongoing third party risk management (TPRM) programs and aligning programs to CCPA mandates using the Vendor Risk Management Maturity Model.
CCPA checklist and tools
The CCPA and GDPR Guidelines and Checklists can be used alone and also work in conjunction with the Shared Assessments Third Party Privacy Tools, a component in the Third Party Risk Management Toolkit.
These resources provide an Implementation Guide, which is a primer for understanding how to address privacy risk in Third Party relationships. These resources are designed to be used by organizations of all sizes to assist with the project management and educational needs of addressing Third Party risk.
The Checklists help practitioners to quickly assess the state of and next step actions for vendor inventories, data classifications and governance measures, location management, program governance, policies and procedures, contract development and adherence, and risk assessment processes.
“It’s worth noting that the CCPA presents substantial new challenges even for those organizations in compliance with the European Union’s General Data Protection Regulation (GDPR), which did not address issues of online data privacy that are central to CCPA,” said Santa Fe Group CEO David J. Perez.
“Such ongoing, rapid shifts in the regulatory landscape are exactly why the intelligence ecosystem of Shared Assessments has proven invaluable to organizations and risk professionals worldwide, who rely on its best practices, tools and research to ensure program compliance and navigate change.”
New edition: GDPR implications for third party risk management
Shared Assessments has also just released its updated “GDPR Implications for Third Party Risk Management.” This guide and best practices checklist provide important new insight into integrating GDPR requirements into TPRM programs, and an update on the operational challenges for risk management.
Longer term, as more states promote similar legislation, experts expect to see further expansion of the current regulatory checkerboard of rules surrounding data governance and management, breach notifications, and online digital privacy regulations.
And as these evolve, Shared Assessments and its contributors – the privacy, risk and policy experts at leading organizations around the world – continue to provide invaluable guidance that its members and the professional risk management community rely upon worldwide.