As companies plan for compliance with the California Consumer Privacy Act, those that have gone through the grind to ensure they are compliant with the EU General Data Protection Regulation may have an advantage over those that have not.
Mercer Chief Privacy Officer Jo Davaris, CIPP/US, identified one area where GDPR veterans have a head start in determining whether a vendor should be classified as a
While internal measures are essential, Davaris recommended using outside resources as well. There's no shortage of solutions designed to help organizations properly identify their vendors, and since regulators and lawmakers have increased their subject matter knowledge, Davaris advises using every resource possible.
"After you have gone through all of those internal processes and documented databases, there are tools that show where your data is leaving and where it is going," said Davaris. "The AG, Congresspeople and the judges are getting really smart about the industry. They know about those tools too. There will be an expectation for you to do your due diligence."
Perkins Coie Partner Dominique Shelton Leipzig, CIPP/US, said the discussion about vendor relationships is still up in the air. Should companies look for a clue on which way to go, they may need to look at how those vendors classified themselves under the GDPR.
"Whether the vendor you are working with will be defined as third-party or a service provider by the AG is an open question," said Shelton Leipzig. "One area where we heard from the ACLU, as well as the California Attorneys Association, is that they have said they are looking at the categories of vendors and whether that would differ from how they categorized themselves under GDPR."
Companies should check whether a vendor has classified itself as a processor or a controller under the GDPR in order to determine whether that vendor would land as a third party or a service provider under the CCPA, Shelton Leipzig said.
Davaris added that it is best for companies to hold a vendor to its public GDPR declaration. Should a vendor depart from its public GDPR position, Davaris advised companies to make sure the vendor states in its contract how its practices will differ in this particular instance. Companies should pay close attention to those contracts, since a deviation from the contract language can shift a vendor from one category to the other. As an example, Davaris said, a vendor may want to use data to improve the services it offers. Organizations should do their due diligence before giving the green light to such a use, she said; if the permitted use is not spelled out in the contract, the nature of the vendor-organization relationship may change.
"If they say they want to use data to improve their services and it is not part of your contract with them, you immediately shift that service provider into a third party," added Shelton Leipzig. "You need to look at your contracts."
Training lawyers on handling those contracts is a good practice for companies to get started on as the CCPA approaches, Davaris said. Vendors are not always going to be happy with the terms a company presents to them, and lawyers will benefit from having a playbook to follow to explain a company's risk tolerance and the language it wishes to use.
The CCPA is only a few months away and compliance work will likely continue well past the Jan. 1 implementation date. The vendor relationship challenge is just one piece of a big puzzle, but Davaris said everyone should be using the final months and days of 2019 to make sure they are as close as they can be to the finish line once the new year begins.