Although most companies view the California Consumer Privacy Act (CCPA) and the European Union’s General Data Protection Regulation (GDPR) as an inconvenience, employers should view CCPA compliance as a tool for strengthening risk management. Those who are beginning to roll out data privacy controls over third-party venues should also consider reviewing and implementing controls in other compliance areas, like IT security and anti-bribery, making the CCPA process more efficient and powerful and building a structure that addresses regulatory and reputational risks. The process of building a compliance program begins with a simple assessment of which third parties are in or out of scope, then collecting information about these partners before sending them the relevant questionnaires to assess and quantify the risks. Remediation is the final step, including further research and training, redrafting contracts or interacting directly with the parties to convey requirements.
