Let’s talk about vendors: the good, the bad, and the complicated. 

If you’re reading this page, you probably use them. You probably have thought long and hard about how they can expand your business services, streamline your operations, and make you more competitive.  

High five! You should be thinking about those things. But those issues are only half of what you need to be concerned with.

What else should be on your radar? Vendor risk management. 

What is vendor risk management? The basic basics.

When you’re talking about a vendor risk management system, you’re talking about everything that falls under the scope of mitigating the risks posed by incorporating third-party vendors into your business operations. 

The goal is to reduce the risks to your data security and privacy practices and prevent business disruption, compromised data, and financial and reputational damage.

As with any complex, nuanced issue (and data security and privacy is definitely that), you need to have a fully comprehensive plan and process that:

  • Assesses and tracks vendor relationships and contracts
  • Monitors data and how it flows to vendors
  • Identifies and reduces risks
  • Evaluates vendor performance
  • Tracks compliance requirements and metrics

Easy-peasy, lemon squeezy, right? (Actually, most people’s first response is “difficult, difficult, lemon difficult.”)

But whether this sounds like a challenge you’re excited for or not, you need to know how your third-party vendors treat your data, your customers’ data, and where they stand on the whole “let’s stay compliant” game. 

Who are vendors?

Vendors don’t just fit neatly into one little box and neither do vendor relationships. And depending on the regulatory frameworks that you need to comply with, definitions can vary. The California Consumer Privacy Act views vendors differently than the General Data Protection Regulation does. (Even terminology is different – under GDPR, vendors are known as “processors” while CCPA calls them “service providers.”)

But for our purposes right now, the term “vendor” encompasses a huge variety of relationships, services, and agreements. They can be:

  • Short-term or long-term relationships
  • Based on formal contracts or verbal agreements
  • Paid or unpaid
  • With small mom-and-pop outfits, independent contractors, multinational companies, and more

Vendors don’t just provide IT or software services, either. When we’re talking about data privacy, security, and compliance, we’re looking at any past, present, or future business arrangement between an organization and another entity, by contract or otherwise. Let’s look at a few examples: 

  • Your IT provider who maintains your company-wide servers (you know, the ones that are used every single day and store all your information)
  • Your marketing agency that manages your email marketing campaigns
  • Your HR provider who helps you run your payroll services
  • Your Software-as-a-Service (SaaS) provider that offers a free trial of a customer management solution

These are just a few examples of vendors that you might come into contact with in the course of doing business. Your job in developing a vendor management program is to establish a process for overseeing everything about your relationship with them. 

(Okay, so it may not be you specifically. But you’ll want to have someone who oversees vendor relationships as part of their job, i.e., a vendor manager.)

How do your vendors impact data security and privacy?

Before we dive into how to build a solid vendor management process, let’s look at why, why, why it’s so critical to have one in place. What risks come with the vendor territory anyway?

Because it’s not good enough to just know that there are vaguely intimated “risks.” Knowing what’s really at stake helps you address vendors and extend your data privacy obligations along your entire supply chain.  

Vendor risk comes in a few different flavors. Vendors pose:

  • Operational risks
  • Data security risks
  • Financial risks
  • Legal and regulatory (i.e., compliance) privacy risks
  • Reputational risks

Unfortunately, these risks can have a cascading effect. One leads to the other. That’s why vendor evaluation should be taken seriously from start to finish. (And beyond.)

Where to start when developing a vendor management program

One of the best ways to mitigate cybersecurity and privacy risks posed by third-party vendors is to implement a Vendor Risk Management Program. 

A vendor privacy management program should reflect how much security your data demands and how risk tolerant your organization is. For optimal results, your program should start before your vendors are even onboarded, as you determine what services and activities you need vendors for in the first place. Lead with privacy and privacy will follow.

Identifying your vendors and the scope of relationships

Do you know who all your vendors are? You probably have a list. But does that list account for everyone you have a vendor relationship with? 

Now is the time to do a deep dive and come up with “The Exhaustive List of All Your Vendor Relationships.” This information is pulled from previously performed data inventory work – but if that hasn’t been done, now is 1000% the time to do it. 

Want to know more about how to organize a data inventory? Check out our downloadable data inventory template.

This should cover the main points of vendor information – the Who, What, When, Where, and Whys of these relationships. But the real kicker is that your list shouldn’t stop at just your vendors. It really needs to include your vendors’ vendors, also known as subprocessors.   

Why is this important? Via your third-party vendor, subprocessors end up with access to your data – and your clients’ data. And if they experience issues, it can impact your business operations and your clients’ security. These problems can be as temporary as a service outage or as impactful as a data breach.

Either way, you need to know that these vendors are doing their part to stay compliant.  

No risky business

Risk needs to be spelled out when you’re putting together a vendor management process. Not all risk is created equal. In fact, some level of risk is unavoidable. The goal isn’t to avoid all risks but to determine what the risks are and then build appropriate internal controls in response to them.

Here are the categories you can use to rate vendors by level of risk:

  • Critical risk: These vendors are (for lack of a better phrase) mission-critical to your business operations. If they can’t deliver the contracted services, it could shut everything down.
  • High risk: These vendors either:
    • Have access to customer data, with a high risk of information loss
    • Are relied upon by your organization to a high degree
  • Medium risk: These vendors either:
    • Have limited access to customer information
    • Would be disruptive to your business operations if you lost them
  • Low risk: These vendors don’t have access to customer data. If you didn’t have their services, it wouldn’t disrupt your business.

Vetting and due diligence

If you’re considering bringing on a new vendor, you’ll want to vet them. And not just by doing a quick Google search or checking the company’s LinkedIn page. You want to be consistent and consistently thorough. (See above.) 

Your process should follow a standardized checklist for each and every potential vendor. Your checklist should include:

  • Getting references
  • Implementing regular vendor risk assessments
    • Critical and high-risk vendors should provide you with:
      • Evidence of security controls such as information security policies, disaster recovery test results, proof of insurance, financial statements, etc.
      • Evidence of their ability to ensure continuity of service
      • Evidence of an incident management program that meets industry compliance and best practice standards
  • Internal documenting and reporting procedures

These requests should be accepted and – dare I say – welcomed by the vendor. If they aren’t willing to extend this, then you’ve reached the “Stop, Do Not Pass Go” place on the board.

Contracts: Creating and reviewing

Your vendor contracts and agreements are big pieces of your vendor management puzzle. Your contracts should do the following to ensure a mutually beneficial, mutually protected relationship. 

Cross border transfer

We know that data has a serious case of wanderlust. It can move from vendor to vendor in the blink of an eye. And before you know it, it’s made its way over to the EU. (Or vice versa.)

When data travels like this, you need to be aware of what’s known as “cross-border transfers.” Your contract should include provisions for how your vendor manages this process and what steps they have in place to meet the specific requirements that might be triggered.

Data protection addendum: Defining terms and relationships

As per your working relationship, what are personal data and sensitive information? Who are the data owners and who is the third party in your written agreement? Establishing this helps you both understand how you’ll work together.

You’ll also need to define the purpose and duration of the agreement between you and the third party. It needs to be clear what you’re asking the third party to comply with regarding privacy program management and risk mitigation.

Confidentiality and accessibility

Your contract needs to put forth what data is being collected and, importantly, who has access to it. The goal? Ensure strict limitations to accessibility and minimize what personal data is disclosed. To help with this, you should detail the purpose of disclosure to ensure clarity for both parties.

Audits and support

Your contract should cover any requirements for audits and support needed from the third party. Much like minimizing data disclosure, your contract should strive to include only strictly necessary measures for audits. Are on-site audits, for example, essential for you to meet your goals? If not, it may be better not to contractually require them.

Your contract should also detail what kind of help your vendors will provide for fulfilling individual rights requests and in cases of data breaches.  

End of contract obligations

No vendor relationship lasts forever. Your contract needs to spell out what happens to data when you part ways. Do they return it? Destroy it? What about subprocessors? Make sure to be thorough here to protect your customers. 

Reviewing contracts

You need to build contract review into your processes. This is a job that should be handled across teams, so make sure to bring in your legal counsel, procurement team, and leadership on these discussions. 

You should develop a contract management system that tracks the things you need to know for privacy protection. Keep in mind, though, that free or low-cost vendors may not meet the threshold for legal review. Account for this possibility in your process.

As with your security questionnaires, your contracts should be reviewed annually. When reviewing contracts, make sure the following is in place:

  • Vendor is committing to maintaining system and data security and privacy in line with best practices and industry standards
  • Vendor is meeting confidentiality and privacy requirements
  • Vendor is committing to notify you of security breaches, incidents, and potential vulnerabilities 
  • Vendor is committing to independent audits and assessments and to providing you access to audit documents

Ongoing Work

Having a vendor management process isn’t just about what you do when you bring on new vendors. It’s just as important to know how you are going to go about managing vendors, from initiating relationships to terminating them. Here are the best practices for this ongoing work. 

Data mapping/data inventory

Your vendors have access to your data. But do you know exactly what they have access to and how it moves from your system through theirs? Data inventories offer a snapshot of this process that is invaluable for understanding risks. 

Vendor assessments

Questionnaires. They’re not just for BuzzFeed. The privacy industry’s gold-standard best practice is to require that your vendors regularly self-audit their security practices.

Your questionnaire should, at the minimum, cover the following:

  • Vendor’s business relationships
  • Data handling and security practices
  • Incident management and response plans
  • How data will be used and stored
  • Cross-border requirements
  • Individual rights capabilities
  • Privacy notice disclosures

When completed, the questionnaire should allow you to better identify the overall risk the vendors pose and provide documentation of your due diligence. 

And take note: this section is put under “Ongoing Work” because it’s exactly that. These questionnaires aren’t one-and-doners. They are essential for helping with continually monitoring your vendors and preventing all of the worrying things that happen when your data is compromised.

As such, you should be sending these out to your vendors annually to monitor them, track new risks, and prevent security threats from reaching your business and your customers.

Vendor performance management

Privacy and data security are key, but let’s pause for a moment to look at performance management. Your vendors provide services that you need, but are they providing them at the level you need them? Are they meeting your expectations and the milestones you establish? Are they living up to your service-level agreements and KPIs?

Your vendor and supplier management process is an opportunity to gather this information and analyze it. 

Working with your team

To encourage transparency, build partnerships across your organization that give visibility into vendor activity.

When it comes to data security and privacy, you should be investing in team training. It’s a best practice, but may also be required. Does everyone in your organization understand the potential risks that vendors pose? The prevalence of free vendors can be a weak link for your team, and a solid privacy training program can bring everyone onto the same page.

Sunsetting relationships

No relationship – business or otherwise – lasts forever. Whether you’ve outgrown a vendor, they’ve gone out of business, or they’ve failed to live up to compliance standards, you need to put processes in place for all end-of-relationship contingencies. 

This should cover your contract (see above for details!) but also your internal processes and decision-making steps. Natural terminations can be easier to navigate, but ending relationships because of noncompliance can be trickier. Your process should detail the whys and hows of these situations. 

Have a backup plan.

Sometimes vendors seemingly fall off the face of the earth. In these cases, you need to have backups, especially if they provide a critical service. Being able to pivot quickly and with confidence helps you maintain your standard of service.

Relaxed restrictions with long-term vendors can be a big risk. Whether you’re five days into a vendor relationship or five years, you need to approach them with the same level of care. 

One key way to reduce risk is to only give vendors access to what data they need to get their job done and no more. This approach dovetails nicely with compliance mandates to minimize data. Data minimization is one of the most efficient ways to reduce your risk factors and maintain a high degree of consumer trust. 

Red Clover Advisors has been making data privacy practices simple and straightforward for clients since Day 1. Whether you’re a fresh startup that wants to prioritize privacy and compliance training from the get-go or an established business needing to reshape your approach, our approach provides your team with information that is practical and actionable.

Take your company beyond compliance. Reach out to our team at Red Clover Advisors today to start with your free consultation.

When privacy policies make it into the news, it’s rarely because people are raving about them. Bad privacy policies are talked about, lambasted for being incomprehensible, unfriendly, and, frankly, unreadable. (Just take a look at The New York Times’ “We Read 150 Privacy Policies. They Were an Incomprehensible Disaster” to see just how excruciatingly unreadable they can be.) 

In the worst cases, privacy policies make headlines when their data practices and privacy notices don’t align. (At the extreme end, Facebook paid a hefty fine due to privacy notice violations.)

Or maybe you’ve thought a lot about privacy policies. You care about your customers and staying in line with laws and now you can cross this off your to-do list. Compliance – achieved!

But compliance is more complex than that. It’s not a bag of popcorn that you pop in the microwave and in 2 minutes, *ding*, it’s done and ready. Compliance is like a sourdough starter. (Yes, even privacy consultants do pandemic baking!) You’ve got to pay attention to environmental conditions, make adjustments to keep it happy, and treat it like the living, breathing being that it is. 

So let’s get started.

CCPA Privacy Policy Requirements

The California Consumer Privacy Act (CCPA) became enforceable on July 1, 2020, and a major element of it is keeping your privacy policy and privacy notice up to date. Let’s talk about how we make that happen.

Privacy policies and notices are essential for communicating how your organization thinks about personal information and data security. They facilitate compliance. They define terms, explain how data is handled, and communicate this critical information.

Privacy notices should be like snowflakes

No two should be alike. Every company is on its own mission when it comes to data. That website your customer just visited? It’s got its own mindset at work. 

It’s not an overstatement to say this is a great opportunity. Own your privacy notice! Your privacy notice is an opportunity to show your customers the specifics of your data collection plans. Transparency builds trust, after all. 

How to get your privacy notice right

Communicating with your customers is critical when it comes to your data collection, so let’s focus on how you get your privacy notice done so well, they thank you for putting it together. (Hey, a privacy consultant can dream, can’t she?) 

Putting it together well is a statement of your brand, your values, and a chance to connect with your customers. Some things to keep in mind:

  • Make sure your brand voice and tone extend to your privacy notice. Whether you’re no-nonsense, cheeky, approachable, or authoritative, make sure it carries over.
  • Use sections and hyperlink between them to increase readability and usability.
  • Visual elements can be valuable – consider a graphic summary to deliver the content to your audience in a way they’ll quickly understand.

Getting it right means starting with a good privacy program. Learn more about what goes into one.

And remember, privacy regulations change over time. Although CCPA just became enforceable, there’s a new privacy regulation on the horizon – the California Privacy Rights Act (CPRA). This act will bring new requirements to bear on privacy practices and notice obligations will definitely be affected. What works today may need to change tomorrow. That’s why your business benefits from really integrating privacy into your brand values – it makes adapting to new conditions considerably easier when you have that infrastructure in place. 

Don’t make your customers look for it:

Keep these following line items in mind when determining if your privacy notice is ready to go:

  • How are your customers getting your privacy notice? You’ve got some options. You can make it available via a web form or cookie banner on your websites or a just-in-time pop-up on your mobile app.
  • However you choose to implement it, it needs to be available to users “at or before the point of collection.” That means no surprise notifications after the fact!
  • Your privacy notice can’t just be “available.” It needs to be conspicuous. The standard location is the footer or within the hamburger menu on a mobile app.
  • Make sure you include it for all personal data collected – this includes digital technologies like Facebook and Google pixels.

What does your notice need to tell people?

Under CCPA, there are some specific line items that you have to cover in order to be in compliance.

Privacy notice checklist

Let’s take a look at the content requirements for a CCPA-compliant privacy notice. Your privacy notice has to include the following information.

Categories of information

Your privacy notice should disclose the following:

  • What categories of personal information your business has collected
  • What categories of information you have sold
  • What categories of personal information you have disclosed for business purposes
  • What categories of third parties have received your customers’ personal information

These disclosures should be relevant to the last twelve months of data collection. 

Individual rights

Your privacy notice needs to contain a description of your customers’ rights to disclosure, access, opting out, and nondiscrimination. The biggest one is opting out – your notice should provide your customers the opportunity right then and there to opt out of the sale of their personal information.

Contact methods

Consumer requests have to come in somehow! Your business needs to have two or more ways to allow your customers to contact you and exercise their CCPA rights. If your business is:

  • Online only: An email address, as well as a webform for “Do Not Sell.”
  • Physical only: A toll-free number and mailing address
  • Physical and online: Toll-free number and website. May also include mailing address, email address, or other. 

Having your contact methods well established and your team trained on how to respond is a big win for your business. There’s no clearer way to communicate to your customers that you value your relationship with them than by making things easy.

How are you communicating this information?

Remember, you’ve got to get this information in front of your customer’s eyes AT OR BEFORE the point of collection. (I know, I already said this, but it’s really important!)

Another really important piece? The “Do Not Sell My Personal Information” piece. You’ve got to have a visible, easily identifiable button on your website with this title that links to a webpage that allows people to opt out of the sale of their personal information. This link has to be available:

  • On your homepage
  • In your privacy policy
  • And in any California-specific description of consumers’ privacy rights

Here are some other points to remember

Privacy compliance is a lot of work. It’s complex. There are a lot of moving parts. It can feel like a puzzle where all the pieces keep changing shape. 

But it’s far from impossible. Especially when you have someone who can help you keep track of the pieces and who can remind you who’s going to be looking at this very puzzle later: your customers.  

How, you might ask, do you keep that in mind? Here are a few starting points:

Map your data

Data mapping – it’s not just for the General Data Protection Regulation (GDPR). Data mapping is a vital practice for any privacy-forward company. If you’ve already done data mapping for GDPR, great – you’ve got a head start, although you’ll still need to review and document whether you’re selling data as per CCPA.

If not, you’ll need to put together an inventory that documents your collection and sale and disclosure of personal information. 

Data mapping is multifunctional, but for our purposes today, you need it to be shipshape to build accurate privacy notice disclosures AND to provide accurate responses to your customers’ information requests.

Stay up to date

Privacy notices are dynamic, living documents. They need to be updated every twelve months to comply with CCPA, and they need to be current with what you’re doing with the data you’re collecting.

That means, if you’ve shifted strategies and you’re collecting new categories of information, sharing/selling it with new vendors, or using it for different purposes, you’ve got to disclose these changes. 

And that’s not all. Got a new marketing campaign? Rolling out a new product feature? These totally normal business activities are relevant to your privacy notice. 

If you don’t disclose them, you risk violating your own notice and your mission to be transparent.

(Don’t forget, your privacy notice may live across multiple digital properties. Keep it updated at each location.)  

Make everything really easy to find and understand

You should make your privacy notice as easy to find as possible, and your notice should be in a format that’s easy to read across all devices. As per CCPA accessibility rules, privacy notices and privacy policies must be “reasonably accessible to consumers with disabilities,” and should be available to be printed out as a separate document.

And (I know, I’ve said this already) it needs to be accessible where people will see it BEFORE information is collected, and written in plain, straightforward language. No legalese or iambic pentameter, please.

Getting all the pieces of compliance can be challenging. Sometimes it takes a village to get your team trained, your policies in place, and help shift your business in a consumer privacy-oriented direction. But that’s what gets us up in the morning and excited for the day. Drop us a line and let us know how we can help you.

The California Consumer Privacy Act (CCPA) has been on the horizon for a long time. It was passed on June 28, 2018, but the lead time on finalization and enforcement has been a slow road. 

However, the wait is over – the law has become enforceable as of 2020. (Yes, it’s been in effect since January 1, 2020, but it’s the real deal now, complete with final rules and all.)

A lot has changed since CCPA first rolled out. And a lot has REALLY changed since January. So what’s a privacy-minded organization to do if they need to get up to speed on falling in line with CCPA regulations?

Sit back and put your feet up – we’ll tell you what you should know.  

What’s in CCPA (and what’s in it for me?)

It’s never a bad idea to start with a refresher on what exactly is going on with privacy regulations. By necessity, privacy regulations are complex and nuanced. CCPA is no exception. 

CCPA is the most expansive data privacy law to date in the United States. Informed by advertisers using consumer data without consent to influence events like political elections, its regulatory reach goes beyond the borders of California.

CCPA is often said to be the lite version of GDPR. That’s not inaccurate, but there are some important differences to make note of now that we’re entering into the enforcement period of CCPA.

Does CCPA apply to me?

Anytime there is a new regulation, the first question that pops into a business owner’s head is, “Okay, do I need to worry about this?” 

So, if you’re in a compliance state-of-mind and thinking you should probably dig into whether or not you need to start scrambling, here’s the short answer for you. The CCPA applies to your business if:

  • You’re a for-profit business that:
    • Collects and controls California residents’ personal information AND
    • Does business in California AND
    • Meets one of the following:
      • Annual gross revenues in excess of $25 million
      • Annually receives or discloses the personal information of 50,000 or more California residents, households, or devices
      • Derives 50% or more of its annual revenue from selling California residents’ personal information

CCPA Rights: What You Need to Know and How to Get Prepared

CCPA provides thorough guidelines. (And it should – it went through numerous revisions to get where it is now.) There are seven articles with 42 sections total that cover how businesses can meet the regulations. 

What do you absolutely need to know, though? Here are some of the most relevant takeaways. 

If you’ve reached this point and you’re already thinking “Yikes!” don’t get overwhelmed. Compliance is always manageable with the right help.

You’ve got to know if your business is collecting or selling consumers’ personal information

Are you buying, renting, gathering, obtaining, accessing, or any other synonym for “receiving” personal information? If so, you’re collecting consumers’ personal information. It’s relatively straightforward. 

What constitutes selling data? CCPA defines it as “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.”

But what does that actually mean? Selling data can often be misconstrued. Yes, it can be the usual “I’ll give you x amount of money for y amount of data,” but under CCPA, it can include the act of sharing that data where the third party uses the data for their own purposes. If data is shared with a service provider and per the contract the service provider is limited to using the data only to deliver the services, it would not qualify as a sale of data under CCPA.

Regardless of whether you collect or sell personal information, you need to have data mapping processes in place. Here are some questions to consider when you undergo data mapping:

  • Where do you host your data (including with any third parties)?
  • For what purpose is the data you collect used?
  • Do you collect and sell data on children? 

Wait, what’s considered “personal information”? Is it the same as GDPR?

Like GDPR, the CCPA defines personal information broadly. It’s any information that identifies or is reasonably capable of identifying a particular consumer or household. Significantly, the CCPA’s private right of action provision relating to data breaches incorporates a narrower definition of personal information (more on this below).

The statute provides a non-exhaustive list of categories of personal information, including:

  • Identifiers including real name or alias, postal address, unique personal identifier, digital identifiers (all those pixels, cookies, etc.), internet protocol (IP) address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers
  • Characteristics of protected classifications under California or federal law
  • Commercial information, including records of personal property, goods or services purchased or considered, or other aspects of purchasing history
  • Biometric information
  • Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an internet website, application, or advertisement
  • Geolocation data
  • Professional or employment-related information
  • Education information

Let’s pause for a moment on the category of “identifiers.” Digital identifiers are a new and increasingly important part of personal information. Think about how much time people spend online and how many websites – and how many pixels – they visit. This alone is a substantial source of personal information that you need to be aware of. 

Transparency and notice obligations

Transparency! It’s not just a buzzy value to tout to your customers – it’s essential under CCPA. You can’t just tell customers you’re collecting data after the fact. You need to give customers four distinct types of notices so your data collection practices are crystal clear:

  • Notice of the collection of personal information
  • Customer opt-out rights
  • Financial incentive notice
  • Business’ privacy policy

When putting together these notices, it’s important to balance comprehensive attention to detail with consumer-friendly copywriting. Your notices need to be easy to understand by your consumers. 

But remember, being user-friendly isn’t just about your writing style – it also means your website is set up in an ADA-compliant manner. The law requires privacy notices to be accessible for all users. That means you need to consider how individuals with disabilities, and the assistive technology that helps make websites usable, such as screen readers, will interact with the notices. 

Sidebar: When you’re structuring these practices and policies in a piecemeal fashion, it’s hard to connect the dots. The result can be ineffective and incoherent. But when you take a long, hard look at how privacy, data practices, and consumer needs fit into your organizational values, it comes together with greater ease. 

Your consumers, their information

Much like GDPR, the CCPA is meant to protect an individual’s rights regarding their personal data. How you implement it can significantly impact the trust your consumers have in your business. So how does your business achieve these objectives while providing value to your customers? By focusing on upholding individual rights. Here are some key points to think about. 

Think about: Consumer rights

There are six distinct consumer rights that are covered by CCPA that you need to uphold. Do you know what they are – and what you’ve got to do?  

  1. The Right to Notice
    • What does it mean?
      • You’ve got to tell your consumers, in plain and straightforward language, that you’re collecting their data, at or before the time of collection, and again when you collect new categories of data.
      • You’ve got to link to your “Do Not Sell My Personal Data” button on your homepage.
  2. The Right to Access Personal Data and Information
    • What does it mean?
      • Your consumers have the right to access their data twice a year to confirm that you’re collecting their personal data and to get a copy of the data from the past twelve months.
  3. The Right to Know if Their Personal Data is Being Shared (And With Whom)
    • What does it mean?
      • Are you sharing your consumers’ data with other parties? Your consumers have a right to know and they can ask to see what you’re sharing.
  4. The Right to Deletion 
    • What does it mean?
      • Consumers can ask you to delete any of their personal information. The catch: You have to provide them this right in an accessible format. 
  5. The Right To Know Whether Their Data Is Being Sold And The Option To Opt-out Of Sale
    • What does it mean?
      • Consumers can ask you to not sell their data.
  6. The Right To Equal Rights And Services
    • What does it mean?
      • An individual’s use of their CCPA rights can’t affect the goods and services you provide them.

Want a closer look at individual rights? We’ve got an article for that.

Think about: Managing consumer requests

Responding to individual rights requests is huge for compliance, but it’s even bigger for establishing trust with your consumers. Under CCPA, consumers can submit requests to access their personal data in accordance with their rights.  

If you interact with customers in person, you need to provide at least two methods of contact, one being a toll-free number for requests. If your business operates ONLY online, you can get by with an email for submitting Requests to Know and Requests for Deletion. 

For requests to Opt-Out, you need to have two ways for consumers to achieve this and one of them needs to be through the Very Important “Do Not Sell My Data” link.   

Are you able to meet deadlines?

Under CCPA, you have 10 days to confirm receipt of the request to know and delete personal information, and 45 days to complete the entire process. This can be hard, especially for busy small businesses, but it’s important to make it a priority. 

Think about: Verifying data

When a consumer submits a request to know or a request to delete their personal data, you have to verify their identity. However, under CCPA, verification is nuanced: make sure that you’ve trained your team THOROUGHLY on your process. (And to meet the 45-day timeline!)

Think about: Is your team prepared?

Your customer-facing team has a lot of responsibility. They need to know what the requirements are. They need to know how to respond to different types of requests. They need to know what the limitations on requests are. They need to know how to correctly verify requests. And they need to know how to help your customers exercise their rights. 

Are you ready to help them handle all of this? Training, unsurprisingly, is essential. 

Enforcement and Beyond

Under the scope of CCPA, California residents have the right to sue companies if their non-encrypted and non-redacted personal information is subject to a qualifying data breach. This is a significant provision in and of itself. 

But beyond that, the California attorney general’s office is responsible for making sure companies are in compliance with the regulation. 

If you’re found in violation of the CCPA, your company will be subject to civil enforcement actions. You’ll get a notice of non-compliance and 30 days to resolve the problem. If you don’t meet the 30-day deadline, you’ll be subject to an injunction and a civil penalty of $2,500 for each unintentional violation and $7,500 for each intentional one. 

Enforcement is only part of the picture, though. Your customers expect you to be doing the right thing with your data. If you’re not doing the right thing with it, you’re not staying in compliance. (And of course, that’s an issue.) 

But you’re also not honoring the trust your customers have given you by sharing their data. Breaching that trust is just as damaging as any data breach. 

So the question is – how do you factor this into your business operations? Your brand? Your vendor relationships? 

These questions don’t have one-time answers. Being responsible for consumer data, staying current on regulations – these things are the new norm, and meeting expectations is a moving target. 

 

We’re here to help you find the right roadmap for your business, no matter what it might look like. Contact us to schedule a free call.

GDPR (or the General Data Protection Regulation) has been around for over two years now. And like most two-year-olds, people have found ways to get some kind of compliance under control. 

That’s not to say that there haven’t been bumps along the way. Organizations have balked at the international reach of the regulation. Technology solutions have lagged in comparison to the regulatory environment. Business processes have lagged as well. 

Yet GDPR has continued to gain traction, especially as consumers look to protect their personal information wherever possible. Similar laws are being passed and going into action in the United States – the California Consumer Privacy Act is the first, but definitely not the last – and Brazil, Australia, and other places. It’s a big deal, globally. 

And a big job. Compliance with GDPR is a significant undertaking for organizations. The first place we suggest starting? With a data inventory. And what does a data inventory require? Taking a good long look at Article 30 of GDPR. 

Quick reference: What is GDPR?

GDPR is the most in-depth, comprehensive set of data protection regulations. GDPR, which went into effect in May 2018, limits what organizations can do with an EU resident’s personal data and codifies that resident’s right to determine how their data is used. Organizations don’t have to be located in the EU to feel the pressure of compliance or even conduct business with EU residents – if you simply collect their data, you’ve got to comply. (Or face some pretty hefty fines.)

Moreover, GDPR was a significant piece of legislation because it shifted the landscape on how personal data was defined. We all have a general understanding of personal data as information that identifies an individual. It can be something we all clearly associate with personal information, like a name or birthdate. 

However, GDPR pushed the envelope. Its definition included technology-specific items such as digital identifiers like cookies. GDPR made a particular impact in creating special categories of personal data. These categories are more carefully guarded and include information about racial or ethnic origins, political or religious beliefs, genetic or biometric data, and more. 

But GDPR isn’t just about defining data – it’s about structuring how and why companies can use it. Under GDPR, organizations that collect personal data have to keep records of processing activities. Herein lies the function of Article 30. 

See a full list of special categories of personal data here. To do a deeper dive into GDPR issues, we have a helpful FAQ that reviews common issues and a wealth of detailed blog articles that explore GDPR.

A few words about Article 30

If GDPR focuses on accountability, Article 30 is one of the main tools to help create it. It tells organizations exactly what they need to document to be GDPR compliant. We’ll cover exactly what you should document for Article 30 below, but just as important as the actual data is keeping it up-to-date and organized. 

This emphasis on organized data collection is why the process of data inventories is so important. You don’t actually need a data inventory to meet Article 30 requirements, but it would be next to impossible to do it without one. With a data inventory, you can establish data flows, you can figure out what is (or isn’t) accounted for, and pinpoint vulnerabilities resulting from information transfer.

Meeting Article 30 requirements

GDPR compliance isn’t something that can be handled overnight – it contains 99 articles with important definitions, instructions, and guidelines to incorporate into how your organization handles personal data. (And even when you’re done, you’re not really done – it’s an ongoing process. That’s why we serve as fractional CPOs to help companies manage the long-term work.)

But let’s zoom in on Article 30. Article 30 provides an important jumping-off point for any GDPR-related compliance by requiring that all organizations provide records of how all personal data is processed. This means providing an Article 30 report, though you might know this by the name of, yes, data inventories, but also data mapping or records of processing activities. 

What do you need to collect to put together a data map/data inventory/record of processing activities/Article 30 report? Let’s take a look at the overall requirements referred to in the article and what they mean. 

Get ready, get set, get your records ready

Under Article 30, any organization acting in a processing capacity has to keep a record of all categories of processing activities conducted on behalf of a controller. These records should contain the following information:

  • Name and contact details of the controller
  • Purpose of processing
  • Categories of processing activities that are carried out for each controller  
  • Categories of data subjects and processed data

It’s important to remember that an organization can be both a processor AND a controller. How to tell the difference? If you’re determining what data is collected and why, then you’re the controller. If you’re just doing the processing at the behest of another organization, then you’re the processor. As with everything in life and work, situations aren’t always black or white. Additional professional and legal guidance can be a big asset in navigating them. 

Names and contact details of the controller

If applicable, you should include the name and contact details of your data protection officer and of any joint controllers that decide with you why and how personal data is processed.

Purpose of processing

One of the kickers of GDPR is that there needs to be a legal basis for collecting data. This can include (but again, isn’t limited to):

  • When consent is given by the subject for a given purpose
  • When data collection is necessary for a contract with the data subject
  • When there is a legal obligation
  • To protect the vital interests of the data subject
  • For public interest or in the course of official authority
  • The legitimate interests of the data controller or a third party as long as those interests don’t infringe on the rights of the data subject

Categories of processing activities that are carried out for each controller  

According to Article 30, “processing” means any operation or set of operations which is performed on personal data or on sets of personal data…” 

That’s quite a broad definition, right? This broadness allows the regulation to apply to as many organizations as possible that might have their hands on personal data. 

Article 30 does provide a (non-exhaustive) set of examples for guidance, though. Data processing includes (but is in no way limited to), “collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.”

As per this requirement, you don’t just have to pinpoint who is doing the collecting and processing. You also have to identify the “categories of recipients of personal data,” that is, anyone that you’re sharing collected personal data with. This could include vendors, government agencies, credit bureaus, and more. 

Categories of data subjects and of the categories of personal data

Article 30 requires that categories of data subjects and processed personal data are included in records of processing activities. In a more straightforward way, this just means what kind of information you’re collecting and about whom.

Personal Data

  • Name
  • Home address
  • E-mail address
  • Personal phone number
  • Work phone number
  • Birthday/age
  • Languages
  • Passport details
  • Social security number or other national identifiers
  • Driver's license details
  • Sex
  • Marital status
  • Wage/salary
  • Bank account
  • Credit card details
  • Education level/diplomas

Data Subjects

  • Current personnel
  • Former personnel
  • Contractors/consultants/freelancers
  • Students
  • Volunteers
  • Directors
  • Shareholders
  • Beneficiaries
  • Public officers
  • Consumers
  • Website end-users
  • Customers
  • Prospects
  • Suppliers

Special categories of data

  • Race and ethnic origin
  • Religious or philosophical beliefs
  • Political opinions
  • Trade union memberships
  • Biometric data used to identify an individual
  • Genetic data
  • Health data
  • Data related to sexual preferences, sex life, and/or sexual orientation

Where applicable/possible

You may also need to include information on the following:

  • Identification of any transfer of personal data to another country or international organization. This needs to meet cross-border transfer requirements.
  • Time limits for the erasure of different categories of data
  • General description of the technical and organizational security measures

How to go about the work of meeting Article 30 requirements?

Data inventories don’t just create themselves! Knowing what you need to put together is half the battle, but you also need to determine effective internal processes to do the work. Some things to consider:

  • Are you starting from scratch or using an existing data map?
  • How are you going to populate it: automated scanning? Questionnaires? API integration?
  • How far back are you collecting data?
  • Who is doing the work – your IT team? Legal?

And, importantly, what is your long-term strategy for maintaining your records? Compliance is never a one-and-done deal. It requires care, attention, and strategy over time. 

If you’re ever feeling overwhelmed, let us know. We’re happy to advise. Red Clover Advisors has been a partner in guiding clients through the process of meeting GDPR compliance requirements for US. We help you create a comprehensive strategy covering data inventories, privacy policies, and data protection that are custom-built for your company’s needs. 

To get started with your own roadmap, reach out to set up a free consultation with our team today.

For many organizations in the US and abroad, the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) lay the groundwork for how data security and consumer privacy are approached.

These regulations have made big impacts in the data landscape. An important element of these legislative landmarks? The need for businesses to implement cookie banners across their website and app. But while it’s tempting to just add a cookie banner to your website and move on to your next project, do you know what the deal actually is with them – and how to make sure you’re truly compliant? 

Differences Between GDPR and CCPA: The Nutshell Version

Comparing GDPR and CCPA can be a helpful exercise in understanding data privacy issues. While the two regulations aren’t interchangeable, they both deal with similar issues and similar concerns in individual rights. Both of them create legal requirements around:

  • Transparency in business practices dealing with personal data
  • Security and control over personal information for consumers
  • Defining digital identifiers (cookies) as personal information  

One of the big points of departure between GDPR and CCPA is the issue of user consent. GDPR and CCPA approach consent and data from two different angles. GDPR centers on the user, requiring prior consent before cookies are dropped. CCPA allows businesses to collect data before getting consent as long as users have the ability to opt out of collection.

Another significant difference between GDPR and CCPA is scope. While both have international reach, despite the fact they pertain to residents of specific territories, compliance mandates differ. Under GDPR, any website, organization, or business has to comply with the regulation if it’s processing the personal data of EU residents. (Even if they aren’t actually located in the EU.)

On the other hand, the CCPA applies to for-profit businesses and organizations – and only if they meet the following criteria:

  • Has a gross revenue of more than $25 million
  • Buys, receives, sells, or shares personal information of more than 50,000 consumers, households, or devices each year for commercial purposes
  • Derives 50% or more of annual revenues from selling consumers’ personal information.

Meet Your GDPR Cookie Banner Compliance Requirements

GDPR compliance. We’ve been talking about that for a little bit, haven’t we? Seeing that GDPR has been in effect since May 25, 2018, you may have already grappled with cookie banners and consent.  

A key tenet – perhaps even THE key tenet – of GDPR requirements is that EU residents have the right to be informed when a business or organization collects their personal data. And it’s not just that they’re collecting the data – businesses and organizations have to tell people why they’re collecting it, how long they’re keeping it, and who they’re sharing it with. If an individual doesn’t want their data used in that manner, they have the right to object.

But how does this actually play out on websites? Websites and apps that are used by visitors from the EU must implement a consent banner that complies with GDPR and it has to have several pieces in place. 

Opt-in Cookie Consent

When you set up your cookie banner, the safest way to approach cookie consent is to take an opt-in approach. The opt-in approach means that website visitors have to actively give you permission to drop cookies. (At least those that aren’t essential for site functions.)  

How do you get that consent? By an opt-in button. But remember, your text has to be crystal clear in communicating that the user is agreeing to cookie deployment. 

More on Cookie Deployment

Let’s expand on cookie deployment just a little bit. According to GDPR, your website needs to be sufficiently detailed so that visitors are able to give informed consent about accepting cookies. A key piece of this information is the whats and whys of your cookies. What kinds of cookies are you using? Why do you want the data and how are you going to use it? 

Third-Party Data Sharing

When we talk about how we’re using visitors’ data, one topic that comes up time and again is sharing with third-party vendors. Third-party vendors provide businesses with valuable services, but they also pose a security risk. For transparency, you need to inform users who else has access to their data. 

Link to the Website’s Cookie Policy

You’ve got a cookie policy. (Right?) Don’t be shy about sharing it with your website visitors – it’s part of your compliance journey. 

The most straightforward way to get people to your policy is by adding a link to your website’s cookie policy in your cookie banner. Your cookie policy should cover the details of how cookies are used on your site and include an exhaustive list of all the cookies you’ve put into place. 

Win Brownie (Err…, Cookie) Points

You don’t have to do this, but your visitors will appreciate it if you add a link to your cookie settings within the cookie banner. Yes, it’s not strictly required by GDPR as long as visitors have the choice to refuse all cookies. Website users, unsurprisingly, appreciate the option to control their user experience and their data. 

Meet Your CCPA Cookie Banner Compliance Requirements

The CCPA went into effect on January 1, 2020, but only recently became enforceable as of July 1. Similar to GDPR, CCPA gives California residents the right to be informed when a business or organization collects their personal data. In fact, California residents even have the right to bring suit against businesses in certain cases. 

Under CCPA, website owners have to inform users about what information they’re collecting, how they’re processing it, and with whom they share it. That part is very similar to GDPR. 

However, there is a big difference between GDPR and CCPA: CCPA takes an opt-out rather than an opt-in approach. While CCPA doesn’t require a banner to facilitate the opt-out, it’s currently the best practice to make sure you’re giving visitors the ability to opt-out at the time of – or before – collection.  

The CCPA does restrict one aspect of data collection for websites: the sale of personal data for visitors under 16 years old. These underage visitors are required to opt in rather than opt out. So if you can’t be sure you have no visitors under the age of 16, it’s better to use the opt-in approach. 

With all that in mind, let’s take a look at the ingredients for a CCPA-compliant cookie banner. You should include the following in your cookie banner. 

Information About Cookie Use

CCPA requires websites to provide users with the details about why they’re collecting and using cookies and if they’re going to be sharing or selling that information to third parties. 

A Button to Accept Cookies

As noted above, there’s not an opt-in requirement under CCPA. However, you can include a link that allows users to accept cookies. (But you can fire cookies before the website user accepts them as long as you give them the information about data you’re collecting at the point of collection.) 

As in the GDPR version of a cookie banner, you have the option of including a link to a cookie setting page that allows users to opt-in or out. No, it’s not necessary, but yes, it’s a good step towards transparency and user experience. 

Do Not Sell Button

Under CCPA, you’ve got to give your users the ability to opt out not just of data collection, but of the sale of personal information. According to CCPA, selling includes the following: “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.” With such a broad definition, it’s important for companies to understand the data that is collected and shared, and specifically what the third party is doing with the information, to determine if the data flow is classified as a sale under CCPA. 

(One issue to be mindful of is how you or your partners are using ad tech. While not all ad tech is considered selling, some uses may fall into the category of sales.) 

To uphold CCPA requirements, you need to provide the option of opting out. CCPA is specific on how you should do this: include a link or button to an opt-out form on your website’s home page. 

Your “Do Not Sell” opt-out form needs to include some specific information, as well. It needs to have:

  • A link to your website’s privacy policy
  • A button that allows them to opt-out of personalized ads

Let us reiterate: Your “Do Not Sell” button isn’t the same thing as or interchangeable with a cookie banner. Don’t treat it as such. It’s a separate function. However, it’s smart to use it alongside your cookie banner to help your website use cookies to process data in a CCPA-compliant manner.
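The opt-in rule from the GDPR section and the opt-out rule from the CCPA section above, as an added example (not code from the original post or from Red Clover Advisors): a small consent gate that decides which cookies in your cookie-policy inventory may be dropped for a given regime and visitor state, treating unknown age the way the post advises. The regime names, state fields, policy version and the sample cookie registry are assumptions for the example.

```javascript
// Added example, not code from the original post. It models the rules the
// post describes: GDPR = prior, affirmative opt-in before any non-essential
// cookie is dropped; CCPA = collection may start first, but a "sale" of
// personal information needs a working opt-out, and visitors under 16 must
// opt in to sale. All names here are assumptions, not a library's API.

const ESSENTIAL = "essential"; // strictly necessary cookies are never gated

// State before the visitor has interacted with the banner. Under GDPR nothing
// non-essential runs until optedIn becomes true. Under CCPA the visitor
// starts as "not opted out", which is why the Do Not Sell link has to be
// reachable from the very first page view. under16 === null means "unknown".
function defaultState() {
  return { optedIn: false, optedOutOfSale: false, under16: null };
}

// The post's advice when you can't rule out under-16 visitors is to fall
// back to opt-in, so unknown age is treated like a minor for sales.
function mustOptInToSale(state) {
  return state.under16 === null || state.under16 === true;
}

// Decide whether one cookie (or the tag that sets it) may be deployed.
// cookie: { name, category, sale } where sale marks a cookie whose data goes
// to a third party in the broad CCPA sense of "selling" quoted in the post.
function mayDeploy(regime, state, cookie) {
  if (cookie.category === ESSENTIAL) return true;
  switch (regime) {
    case "gdpr":
      return state.optedIn === true;
    case "ccpa":
      if (!cookie.sale) return true; // collection before consent is allowed
      if (mustOptInToSale(state)) return state.optedIn === true;
      return state.optedOutOfSale !== true;
    default:
      throw new Error(`unknown regime: ${regime}`);
  }
}

// Partition the cookie inventory into what may run now and what must wait
// for (or is blocked by) the visitor's choice. Run this before loading any
// tag that sets a non-essential cookie.
function applyConsent(regime, state, registry) {
  const allowed = [];
  const blocked = [];
  for (const cookie of registry) {
    (mayDeploy(regime, state, cookie) ? allowed : blocked).push(cookie.name);
  }
  return { allowed, blocked };
}

// Serialize the visitor's choice for storage in the consent cookie. Keeping
// the cookie-policy version lets you re-prompt when the policy the consent
// was given against changes (the post notes that cookies change over time).
function consentRecord(regime, state, policyVersion, now = new Date()) {
  return JSON.stringify({
    regime,
    policyVersion,
    optedIn: state.optedIn,
    optedOutOfSale: state.optedOutOfSale,
    recordedAt: now.toISOString(),
  });
}

// Constructed sample inventory (hypothetical cookie names), mirroring the
// list the post says your cookie policy should contain.
const SAMPLE_REGISTRY = [
  { name: "session_id", category: ESSENTIAL, sale: false },
  { name: "_analytics", category: "analytics", sale: false },
  { name: "_adpixel", category: "advertising", sale: true },
];

// Walk through the CCPA case: before any choice, then after Do Not Sell.
function demo() {
  const before = applyConsent("ccpa", defaultState(), SAMPLE_REGISTRY);
  const optedOut = { optedIn: false, optedOutOfSale: true, under16: false };
  const after = applyConsent("ccpa", optedOut, SAMPLE_REGISTRY);
  return { before, after };
}

console.log(JSON.stringify(demo(), null, 2));
```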

Tying it all together

Yes, both GDPR and CCPA have a lot of moving pieces that you have to address in your cookie banners. And yes, it’s tempting just to find a customizable cookie banner online and wash your hands of it. 

But we don’t recommend this approach. Cookie banners don’t exist in a vacuum. Cookies change and have to be updated. It should all be part of your larger privacy strategy.  

If this feels overwhelming, we hear you. That’s why we work closely with clients to build a manageable strategy for long-term business goals. Ready to take the next step? Give us a shout. We’d love to chat.

cybersecurity health check

It’s well known that food, exercise, mental health, and lowering stress are all things people can do specifically to prevent many diseases. By investing in higher quality foods and investing time in our bodies, we can prevent a medical disaster.

Yet less than 5% of adults participate in 30 minutes of physical activity every day. It seems most people know what’s best for them… but don’t make the time for it.

The same is true with data breaches.

77% of businesses don’t have a cybersecurity plan. And just as with staying healthy, if you’ve done nothing to prepare, you’re left vulnerable. If you do a little to prepare, you’ll lower the risk a tad. And if you do it once and forget, it’s like saying the diet you did 30 years ago should be giving you results today.

While you don’t need to do push ups to keep your company safe from online hackers, you do need to implement a steady diet of security measures to protect your customers and your business.

That’s why we’re giving you The Ultimate Cyber Security Health Check. It includes all the preventative measures your business can take to keep your privacy management healthy. Check it out.

Have a Plan: Preparing for Phishing Scams

When dieting, it’s important to set yourself up for success or you’ll inevitably fail. That’s why many people meal prep. They know if the food is already prepared, they won’t be tempted to cheat.

When it comes to your business’s privacy, you also need to be prepared. If you don’t, the consequences are much more severe than that of sneaking a cookie or other sweet treat.

Phishing attacks are the leading cause of data breaches, accounting for 90% of them. These are attempts to trick users in your organization into clicking a malicious link or providing sensitive information. And while there isn’t a way to 100% prevent your company from experiencing a phishing attack, there are many measures you can take to protect your business.

1. Train your Employees

Provide your employees with ongoing security awareness training programs and conduct simulated tests to measure results. This will teach your team to spot phishing emails and avoid making a business-ending mistake.

But just like dieting or working out, if you do it once, you won’t see the results you want. In 2018, companies that ran 11 or more training campaigns about phishing awareness reduced click-through rates to 13%. So keep in mind the importance of consistent training as opposed to a one-time session.

We recommend Curricula for this training. It’s the best in the business, and if you mention Red Clover Advisors sent you, you’ll get the red carpet treatment.

2. Implement Security Software

Think of security software as your daily vitamin. Like vitamins, security software keeps out the bad stuff. And it’s a highly effective way of preventing phishing emails and the security issues common to Zoom right now. Security software will allow your business to implement an email filter that can block 99.9% of spam and phishing emails and 100% of known malware.

There are several security defenses your business should invest in:

Firewalls

Firewalls set up barriers between your internal network and outside networks such as the internet. They use defined rules to allow or block traffic. Firewalls can be hardware, software or both.

Virtual Private Networks (VPN)

A virtual private network allows you to create a secure connection to another network over the internet. This is especially important if you have employees handling data on their own computers or phones.

Data Loss Prevention (DLP)

A DLP can identify, classify and tag sensitive data and monitor the activities and events surrounding that data. This is a great way to ensure your employees don’t send any sensitive information outside the business’s network.

Network Segmentation

Network segmentation divides a network into multiple segments or subnets, each acting as its own small network. This allows network administrators to stop harmful traffic from reaching devices that are unable to protect themselves from attack.

Antivirus Software

Antivirus software is one of the most common types of security software for a business to invest in. It prevents, detects and removes malware from computers.

3. Put Limits on Access Controls

Your doctor doesn’t just share your health records with just anyone. And you shouldn’t share your clients’ personal data with everyone either.

95% of cybersecurity breaches are caused by human error. And hackers know this. That’s why most phishing attack methods target privileged user accounts. To protect the personal data your company processes, limit its access to only the employees who need it to complete their jobs.

For more online preparedness steps and tips, download the free Remote Work Guide. It’s designed to help companies of all sizes understand best practices for security, privacy and operations when it comes to remote work.

Make the Investment

When trying to implement a healthier lifestyle, there are bound to be upfront costs. From workout clothes and gym memberships to organic foods and nutrition plans, you’re going to have to make the financial investment somewhere.

If you don’t take preventative measures to ensure your health stays intact, you may eventually suffer a catastrophic medical episode. The same goes for protecting your data. If you don’t take precautions to ensure the health and protection of your data, a data breach is likely. And this can cost you in money ($200 per record), time (losing focus on core business activities), and longevity. Some data breaches even lead to class action lawsuits under laws like the CCPA, which sucks up even more of your valuable resources.

Those resources instead could be used to grow a company and focus on sustaining it.

Just as you consult with doctors, personal trainers, and nutritionists – and a myriad of health tools and systems – to help you, your business needs dedicated internal and external personnel to handle your privacy.

Here are a few investments your business should make in security:

1. Hire a Fractional Privacy Officer

There’s rapid adoption of global privacy laws taking place across the world. And the security team can’t prevent and react to data breaches all on their own. The role of a Chief Privacy Officer has never been more important. But that’s not a cheap position to staff. And if you’re like most small-to-mid-market businesses, you can’t afford to fill a full-time position.

That’s why an increasing number of companies are outsourcing this role to privacy consultants or Fractional Privacy Officers.

Smart companies realize privacy best practices and a privacy program influence and have a big role in the prevention of a data breach. An FPO steps into this role as a preventative force, while saving companies from having to allocate resources to a full-time position.

The FPO is responsible for all your business’s privacy needs, including:

  • Interpreting & monitoring privacy laws and industry updates to maintain compliance
  • Connecting and building a privacy program
  • Listening to maintain, report and assess potential risks

But your FPO will only be as good as the tools they have to work with. So make sure your business is fully stacked and prepared before bringing this person on board.

2. The Technology Stack

As mentioned, your FPO won’t be able to do much without the proper resources. It’s important this person has complete visibility into your data. To get started, load up on technologies such as:

Privacy Management Software

This software will enable your business to store sensitive data in compliance with global privacy laws such as GDPR and CCPA.

Third-Party Risk Management Software

The more people touching your data, the more at risk you are for a breach. Third-party risk management software will gather vendor risk data to protect your business from the risk of data breaches or non-compliance.

Consent & Preference Software

This will enable your company to drive opt-in demand while demonstrating compliance with hundreds of global privacy regulations.

Regulatory Research Software

This software will help your FPO stay up-to-date on all the global privacy regulations and make quick adjustments to your privacy management when necessary.

This might look like a lot of different software. But don’t let it intimidate you: There are one-stop shops out there that have all of this included.

In addition, it’s important to keep in mind FPOs will need to work with the security team to integrate and implement any of these tools. The security team is on the frontlines protecting data with a variety of specific cybersecurity tools, and the FPO needs to work with them.

Conclusion: Make Healthier Privacy Choices

Living a healthy lifestyle doesn’t happen overnight. It’s a series of healthier decisions that ultimately become life changing habits.

The same goes for your privacy program. From hiring the right people, working with the right vendors and investing in the best technologies, it’s a marathon not a sprint. But with each step, your business will become more compliant with global regulations and less vulnerable to a data breach.

If you’re ready to build a privacy program for your business, but aren’t sure where to get started, reach out today!

Schedule a free consult!

Brexit, personal data, and the GDPR

Everyone’s talking about the latest Brexit deadline and the implications of the UK actually leaving the European Union (EU).

There’s talk of economics and trade agreements, but data privacy isn’t exactly on the tip of everyone’s tongues. However, there are real issues regarding data privacy and Brexit to consider.

The General Data Protection Regulation (GDPR) is the EU’s main privacy law. It describes seven main principles regarding the “lawful processing of personal data.”

According to GDPR, processing includes the collection, organization, structuring, storage, alteration, consultation, use, communication, combination, restriction, erasure or destruction of personal data.

So if the UK is no longer a part of the EU, how will its citizens’ data be protected?

Basically, this is what will happen:

  • The transfer of personal data from organizations within the EU to organizations in the UK will be subject to strict data transfer rules, as outlined by the GDPR. It will be the responsibility of companies in the EU to ensure data transferred to businesses in the UK is lawful.
  • The UK will have to achieve adequacy status in order for data transfers to be legal. That means the EU has to find that the UK data protection system is equivalent to that of the EU’s GDPR.
  • If the final Brexit deal contains a provision regarding data privacy and protection, the UK may be automatically granted adequacy status. 
  • It can take several months and up to several years for a country to reach adequacy status. The longer it takes, the more likely new restrictions for data transfers will come into play. Organizations should begin working with their EU partners now to construct a plan so that no disruptions will occur in March if there’s no provision for data privacy when Brexit becomes official.

How does this affect businesses in the UK?

If a company is already GDPR-compliant, not much will change, especially if that company doesn’t conduct business outside the UK. However, if your business has data that flows between the UK and EU, you’ll have to comply with EU and UK privacy laws and stay up to date about changes with both sets of regulations.

The UK government said it remains committed to data privacy. It already has regulations in place similar to the GDPR. As of now, though, nobody knows for sure if the EU will consider those regulations adequate. 

The best rule of thumb for UK companies looking ahead to Brexit is to become GDPR-compliant as soon as possible, if they’re not already. This step will prevent any interruption in the flow of data in and out of that business. 

Does Brexit affect U.S. companies?

In short, yes. Brexit does affect companies based in the United States.

Brexit has implications for the US-EU Privacy Shield. Once Brexit is official, the UK will no longer be covered by that agreement.

The Privacy Shield framework was designed by government officials in the United States and Europe to provide companies on both sides of the Atlantic clear guidelines of data protection requirements when transferring personal data from the European Union and Switzerland to the United States. 

The framework was developed in support of transatlantic commerce. As trade and data privacy agreements are in flux during Brexit negotiations, your company should stay informed about this subject. If your company shares data with organizations in the UK, you should consider and develop strategies for potential changes or additions to the Privacy Shield framework now to avoid data privacy issues and interruptions to your operations down the road.

Top Three Brexit Tips 

  1. Review your data inventories to understand cross-border transfers and how they affect your company.
  2. Determine if your vendors are prepared for Brexit. If they aren’t, develop steps to appropriately manage the situation.
  3. Stay close to news of future updates so you can easily determine any other changes you may need to make. After all, Brexit is still a fluid situation.

If you’re still unsure of how Brexit can impact your company and its data protection systems, contact us today for a complimentary consultation. 


There’s a lot of uncertainty in the world right now. 

A global pandemic, major lifestyle changes, and increased isolation have turned our business worlds upside down. One thing remains certain, though. Red Clover Advisors is committed to providing trusted and practical privacy consulting services to our business community. 

By taking careful precautions and acting with sober judgement when it comes to remote work, we believe that together, our businesses can grow stronger and more resilient during this time.

Remote Work Best Practices

Security and privacy must be top of mind for remote work.

While the world is on lockdown, we get to connect more than ever online through the modern miracle of remote work. This presents a plethora of opportunities for your team to grow while getting creative about new ways to conduct business.

However, there are also a lot of new ways privacy and security risks can creep in and put your company in danger. 

As always, our team is prepared to help. 

In particular, we want to outline some of the privacy and security areas related to remote work that may affect your business. There are specific legal and practical steps you should be taking to keep your customers, your employees, and your business safe when it comes to remote work. 

Virtual Meetings

Conference calls and web meetings – aka virtual meetings – are at the center of making remote work successful. You’ll need to connect with colleagues and clients in order to move projects forward. 

There are major implications for virtual meetings, though. 

Just think about the situations when one meeting runs over, and the callers who dial in for the next meeting – on the same conference line – unwittingly overhear proprietary, client-specific, or competitor information. That’s a big no-no.

Virtual meetings must be set up correctly and procedures followed to a tee to avoid these unwanted privacy blunders from happening. Follow this checklist to make sure you’re doing it properly:

  1. Have a separate code for each virtual meeting you set up. 
  2. Schedule meetings to end at 25-, 40- or 55-minute intervals. The extra five minutes will give users time to log off before new users log on.
  3. Set a timer to make sure you don’t run over meeting times.

Although virtual meetings tend to be quicker than in-person versions, you should still take extra precautions to make sure they end on time for the sake of protecting sensitive information. This ensures your remote work will increase collaboration without causing an embarrassing or costly security or privacy incident.

Remote Work Connections

VPNs and intranets are essential for successful remote work. When they’re set up correctly, it makes a security issue far less likely.

If your company doesn’t have a process for setting up a secure VPN, now is the time to create one. It should be reviewed by executives and technical experts on your team. And everyone in your company should be trained about how to use it.

Other tips for keeping connections and data secure include:

  • Best practice dictates not allowing employees to use their personal devices for work activities. If they do, it’s critical they follow all the following steps.
  • Don’t allow employees to use public WiFi without a VPN.
  • Install the proper software, firewalls, and connection security measures required by your industry on employees’ work devices.
  • Consider adding two-factor authentication to employees’ work devices and any tools from which they access work content. Google Authenticator, Ping ID and Authy all sync with hundreds of apps commonly used to protect data.
  • Make sure employees are aware of who can see their screens when working offsite. Screens shouldn’t be visible to others, especially when entering passwords.

One of the silver linings to the remote work cloud is the companies stepping up to provide free security resources to help organizations better protect their networks during this time.

Disinformation and Deepfakes

Even if your business is internally secure while pursuing remote work, outside threats are taking advantage of the situation. Fake news and deepfakes are at the center of this conspiracy.

A deepfake is Photoshopping for video. Using a form of artificial intelligence (AI) called deep learning, creators make videos of fake events, often superimposing faces on bodies. They’re common and convincing. 

Fake news and deepfakes can be weaponized to harm brands and undermine trust in companies and industries. It’s a possibility your company could be targeted by this disinformation while working remotely. It’s important you understand legal actions that can be taken against the perpetrators, as well as how to prepare and react to exposure of this kind.

Preparation is Your Ally

While businesses aren’t defenseless in this new remote work environment, protecting customers and individuals will require forward thinking, preparation, and diligence. Red Clover Advisors is here to help you navigate these issues and other topics as they arise. 

We’ve created The Remote Work Best Practices Guide to give you a detailed rundown of privacy and cybersecurity challenges to watch out for.

It’s a practical checklist you can implement with your remote work team today.

Please reach out if we can help explain any of these concepts or help you work through them. During this unprecedented time, we are thinking of you, your families, and your teams. We’re all in this together, and our team is prepared to provide assistance in all the ways we can.

The orchestra of privacy management

You can’t have an orchestra without a conductor, and you can’t have a conductor without the instruments. And none of it works without music to play.

The same can be said when it comes to privacy management.

The GDPR, CCPA and other global privacy laws operate as an orchestra. The lawmaker is the composer, the conductor is the Fractional Privacy Officer (FPO), and the orchestra is the technology to implement compliance.

And just like an orchestra needs all parts – composer, conductor, and instruments – to operate, so does privacy management. You can’t have one without the other.

Being a conductor – in this case the FPO – for an orchestra isn’t a gesture to cue the music and walk away. The FPO and the technology go hand-in-hand to create a unified implementation force. It’s directionally sound and delivers a satisfying result.


Breaking Down The Ensemble: The Conductor

A conductor (privacy consultant or FPO) is essentially the interpreter for the composer (lawmakers).

From setting the tempo to bringing the whole production to life, the FPO directs and implements the day-to-day execution of privacy compliance across global privacy laws for the organization. 

This expert also helps you create a strategy for what technology your company requires and how to integrate each piece of technology to complement the others, much like instruments in an orchestra. 

Outsourcing your privacy program management can save you time, money, and lots of headaches.

The compliance measures you established for the CCPA aren’t enough to support ongoing privacy issues and additions to the laws that inevitably arise. Checking the box once on compliance implementation isn’t going to fly with lawmakers. In fact, most require consistent and proactive monitoring.

Although many companies assign this role internally, this leaves too much room for error.

You wouldn’t see the expert violinist directing the orchestra during the symphony. So it’s not wise to pull a talented team lead into an arena they’re not trained to handle.

Cue the FPO.

Timing and organization is vital for building a privacy management program. It’s not an easy task without the right technology. And it’s even more challenging when you don’t have any at all.

The FPO is responsible for the entire privacy ensemble:

  • Interpreting & monitoring privacy laws and industry updates to maintain compliance
  • Connecting and building a privacy program
  • Listening to maintain, report, and assess potential risks

Those are just some of the key aspects the Fractional Privacy Officer manages for a privacy program. But this privacy guru can’t implement a privacy strategy without the right tools. 

Every maestro needs his or her instruments, after all.

The Instruments of Privacy Technology

With 80+ countries having passed privacy laws, using the right kind of solutions to help automate, monitor, and implement compliance is key to finding the perfect pitch. Once you’ve mastered getting GDPR or CCPA compliance up and running, building a scalable privacy program becomes an additional layer to the foundation you’ve already built.

The instruments become the privacy technology the conductor needs to create a sustainable privacy management program.

Leveraging a full suite of solutions for compliance with GDPR, CCPA and new upcoming regulations will enable the FPO to fulfill their duties. Without both, you risk data breaches, non-compliance suits, PR nightmares, and even worse, lost profits.

There’s one person who manages the technology to avoid such risks.

A key role of the FPO is to support implementation of privacy management technology. The complex landscape of privacy should be maintained by a proactive individual who understands the inner workings of the regulations and best practices, can measure effectiveness, and can mitigate risk before it even happens.

Privacy technology instruments are used by the FPO to:

  • Streamline data inventories & maintain continuous compliance
  • Maintain & update privacy notices & policies across digital platforms
  • Enable cookie consent banners & maintain website scan audits
  • Centrally manage & integrate consent with existing digital marketing platforms
  • Automate privacy assessments to see the impact on your business
  • Stay on top of new & existing privacy laws to manage compliance
  • Automate consumer rights requests from intake to fulfillment
  • Create third-party risk assessments to manage vendors
  • Evaluate and strategize for new or existing products/services
  • Train team members on implementation & regulations

How would these tools be used in practice with the FPO as the conductor?

Creating & Mitigating Third-Party Risk Assessments

Today, there are many tools at the FPO’s disposal to build an ongoing privacy program.

From cookie consent to performing third-party assessments, to overseeing compliance and technology, an expert can build a strong privacy program for any company. 

Third-party risk assessments are a proactive way for an expert to minimize risk before it actually becomes a red flag. The FPO can assess vendors with automated assessments to ensure they aren’t a risk for the company.


Review Existing Data Inventories & Update Them with any New Changes

Managing data inventories represents a critical component of compliance.

Data inventories help companies understand the data they have from start to finish. It means you understand what specific pieces of information you’ve collected about each person and vendor, and exactly where each of those pieces of information are stored. 

Using an Excel spreadsheet or a Google Doc to create a data inventory just won’t cut it anymore. There’s a massive amount of data that needs to be mapped and updated regularly. And there’s no way to create advanced reports.

The FPO manages this entire process and the technology that automates it.

This person pinpoints what data you have, how it’s being used, and where it’s stored so the information entered is accurate, business purposes are approved and allowed per privacy regulations, and policies and individual rights processes are constructed accurately.


Managing an Integrated Digital Marketing Compliance Program

Leveraging a unified tool for consumer requests, cookie compliance, policies & notices and consent management can be a confusing and challenging task for your company’s marketing team to fully manage. But if anything, creating a strong digital marketing compliance program is vital to creating personalized experiences for prospects and customers. 

The laws and regulations are the least of your marketing team’s worries.

They have quotas to meet with what they think is a marketable database to reach those goals. That’s where an FPO would act as the expert to centrally implement preferences and consent across all marketing platforms.

The danger here is thinking only using technology without an FPO will get the job done.

You still need the expert to train your team to use the technology. You need a person to make sure what’s being captured is the right information.

An orchestra without a conductor – without someone to teach the music and ensure it’s being played correctly – is just a jumbled mess of sound. It doesn’t work, and neither does privacy technology without an FPO.

The FPO would use his or her knowledge of the regulations to help your marketing team implement the right consent questions and policy notices necessary to collect data. The use of technology such as cookie banners and preference management pages would then be used to create a single source of truth for marketing consent. 

The combination of the privacy expert and the technology are vital to implementing the needs of your team while building a scalable program.

It takes the worry out of the hands of an individual whose day to day job isn’t privacy.

Again, you wouldn’t ask your star instrumentalist to lead the orchestra. Nor would you expect that person to understand anything but his or her own parts of the composition.

You can’t do the same thing with your marketing team, technology, and privacy management.


Conclusion: The Complete Privacy Management Orchestra

You need both the FPO and privacy management technology to make the orchestra of privacy compliance function. You can’t have one without the other. They’re both essential for building a strong privacy program. 

Both will create and maintain a strong foundation for GDPR, CCPA and any new privacy regulations for you to handle.

Without a designated individual to maintain the different components of technology, assigning an employee or letting the software run its course leaves room for a reactionary response for when something goes wrong. 

You need an expert in place who knows how to interpret the language, implement the technology, and can play the balancing act that lets your organization preserve trust. The role of the FPO is to navigate the privacy landscape for your company, understand the entire landscape, and determine a plan to carefully handle your data. 

Much like how a conductor uses his or her baton to direct the whole ensemble, creating a process that can be properly implemented by an FPO establishes the necessary automation and reporting you need to operate around each framework.

The FPO and technology work as one whole unit building a solid foundation. When all of the parts of the orchestra are working together it creates a beautiful sound. 

Cue the music.


FPO FAQ

If you’re not sure if you need a Fractional Privacy Officer or not, you’re not alone. Most companies ask themselves these questions to determine if it’s a good fit:

  • Do we have the knowledge to deal with complex privacy regulations?
  • Can we afford a full-time privacy officer?
  • Do we have someone who can address privacy concerns as we grow and develop new products?
  • Do we have a strategic data privacy mentor?
  • Do we have someone who can keep tabs on what has to be done for privacy compliance?

If you answered no to any of these questions, a Fractional Privacy Officer would be a wise addition to your team. And if you’re still not sure what a Fractional Privacy Officer does or if it’s right for you, our team of experts can help you decide.

Reach out today!


Third-party agreements

You’re only as strong as your weakest link.

And most companies are blissfully unaware of their weakest link when it comes to compliance with new and forthcoming privacy regulations.

This hidden danger? Third-party agreements. Truth is, they can make or break your privacy rights implementation.

Third-party vendors are fast becoming the fashion of the day. The General Data Protection Regulation (GDPR) refers to them as processors. Under the California Consumer Privacy Act (CCPA), they include true third-party services, as well as service providers.

Outsourcing specialized or less intensive tasks (think technology, marketing, and IT) to experienced outside resources seems like a no-brainer. In fact, it’s proven more efficient and cost-beneficial for most companies that use it.

Because of the increasing demand for third-party vendors, the risks they bring to the table also escalate dramatically. And the responsibility for managing that liability falls fully on the company to which the third-party vendor is contracted.

In other words, you.

Paying attention to what your third-party vendors are sending – and what those third parties are doing with that data – isn’t just a suggested best practice anymore. Regulatory oversight has expanded to make monitoring sensitive data and processes of third parties critical to a company’s operational success.

If you’re a business that doesn’t have vendor evaluation and monitoring processes in place, you’re not alone. Even if you have created these elements, chances are they’re completed and managed on Excel spreadsheets. Worse, you’re probably using a one-size-fits-all approach for analyzing every vendor.

This is a huge red flag.

Not all vendors are the same. A small consulting firm won’t pose the same risks as a large IT database company. Evaluating both of these vendors on the same scale, with the same criteria, is inefficient and ineffective. It’s essential to customize third-party evaluations based on each company’s size.

Proper third-party agreements protect your company from reputational damage and inadvertently violating laws. Because third-party agreements are an essential part of regulatory compliance and can’t be overlooked, all companies should follow a complete privacy checklist to execute them consistently and accurately.

#1 – Nail Down your Vendor List

Sure, you can probably reference a list of vendors, suppliers, distributors and contractors with whom you do business. But under most regulatory guidance, the definition of a third-party vendor is more nuanced than just a simple list.

Many companies don’t understand that it covers any business arrangement between an organization and another entity, by contract or otherwise.

Under this definition, a third-party agreement includes undocumented, verbal, and hand-shake contracts. These could have been established recently or many years ago by someone who doesn’t work at your company any longer. It doesn’t matter. These contract manufacturers, brokers, agents, and resellers all count as vendors and must be a part of your evaluation of third-party agreements.

To take it a step further, some third parties actually outsource some of their own projects to additional resources. If this comes as a shock, don’t worry. It’s standard practice for vendors to do this without the consent or knowledge of the company they’re working for. However, it’s an essential piece of managing third-party agreements.

Point is, you probably have more third-party agreements than you thought. Nailing down your vendor list – including their own subcontractors – is an essential first step for privacy compliance.

#2 – Review and Update Contracts

The next step on the checklist is reviewing and updating your third-party agreements. You’ll have to read through each contract to make sure it adheres to best practices for cybersecurity, data security, and privacy rights. Doubtless you’ll have to update the verbiage in these contracts to reflect privacy standards and clearly lay out duties for each entity to follow.

In order to maintain a clear definition of responsibility for data, you must follow a process to make sure all your vendors are compliant.

The first step in this process is creating and updating an evergreen inventory of security and privacy updates and requirements. You can then use this database to perform a comparable scan of each of your vendor contracts. You’ll want to home in on specific contract terms and data processing agreements (DPAs) within contracts.

If you’re wondering if your work completed under the GDPR requirements applies for the CCPA, it doesn’t. There are specific requirements for each regulation, so you’ll need separate inventories supporting each standard.

Once you’ve extracted the outdated language from each vendor contract, it’s time to update it with the correct text. Traditionally, this has been the responsibility of the legal team and focused on data security topics. Now the privacy team also needs to have a say because of the privacy risks and stipulations so prevalent in legislation. Individual rights are an especially important part of this, with amendments limiting the use of data only to a specific purpose. Third parties must agree to honor these individual rights requests on your company’s behalf.

If the privacy team doesn’t lay out how and where data should be managed and stored, the security team can’t protect it. Because of this, all new contract language should be pre-written and pre-approved by the legal, security, and privacy teams.

Most importantly, all companies should have an established method for alerting stakeholders when vendors are subject to breaches or regulatory enforcement. The key to reviewing existing third-party agreements is to pinpoint high risk vendor relationships. When you’ve identified these organizations, you can put extra care around monitoring and preventing risks. This will ensure vendor accountability and compliance across the board.

#3 – Create a Third-Party Risk Management Process

The final task on your privacy checklist for evaluating third-party agreements is planning for the future. It’s not enough to ensure your existing vendors are up to snuff. You must also create a bulletproof plan for assessing, onboarding, and monitoring vendors you’ll add to your roster in the time ahead.

First, get your team on the same page. This means organizing cross-functional stakeholders from procurement, IT, finance and executives to whom the vendors will report – and privacy officers, of course – to help perform and review new third-party agreements. Next, identify the critical risk categories on which you’ll assess new third parties: strategic, reputational, operational, financial, compliance, security, and/or fraud.

Remember, you also have to make sure appropriate questions are asked to organizations based on their sizes. A simple way to determine evaluation criteria and scoring is through third-party questionnaires. These tools are lifesavers when it comes to evaluating vendors for compliance, security, and other risk factors. Non-profit privacy organizations offer high-quality questionnaires to their members. In addition, any third-party risk management software will normally include these questionnaires for free as a part of a subscription cost.

You may be surprised to learn the most important part of these evaluations is not the completion of them by the vendors in question. It’s critical the team assigned to review these questionnaires – and accept or deny the vendor – actually completes its responsibility, and does it in a timely manner. This cross-departmental group should weigh the scores based on risk impact so vendors can be categorized and prioritized in tiers.

The steps of this third-party risk management plan should be written down and kept on hand by anyone who deals with onboarding new vendors at your company. It should be followed to the letter to ensure all third-party agreements meet company and regulatory standards. And of course, ongoing training is essential. New and existing employees should complete rigorous training on the new third-party risk management process.
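One way to turn the questionnaire scoring, size-appropriate criteria, tiering and review-deadline steps above into a repeatable check, as an added example that is not Red Clover Advisors’ own code or tooling. The category weights, data-exposure multipliers, tier boundaries, 30-day review SLA and the three sample vendors are all assumptions constructed for the illustration.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional

# Risk categories from the checklist above. Impact weights, tier boundaries
# and the review SLA are constructed for this example; a real program sets
# them with its cross-functional review team.
CATEGORY_WEIGHTS = {
    "strategic": 1.0, "reputational": 1.5, "operational": 1.0, "financial": 1.0,
    "compliance": 2.0, "security": 2.0, "fraud": 1.5,
}
MAX_ANSWER = 5  # questionnaire answers run 0 (no concern) .. 5 (severe concern)
# Multiplier for how much personal data the vendor touches: a small consulting
# firm seeing a few contacts is not a database host holding the customer file.
DATA_EXPOSURE = {"none": 0.5, "limited": 1.0, "bulk": 1.5, "sensitive": 2.0}
REVIEW_SLA_DAYS = 30  # the review team must accept or deny within this window


@dataclass
class Vendor:
    name: str
    answers: Dict[str, int]          # category -> questionnaire score
    data_exposure: str               # key of DATA_EXPOSURE
    subcontractors_disclosed: bool   # did the vendor list its own outsourcers?
    dpa_signed: bool                 # DPA / individual-rights clause in the contract
    submitted: date
    reviewed: Optional[date] = None


@dataclass
class Assessment:
    name: str
    score: float                     # 0..100, higher is riskier
    tier: int                        # 1 = monitor most closely, 3 = routine
    flags: List[str] = field(default_factory=list)


def weighted_score(answers: Dict[str, int]) -> float:
    """Weight questionnaire answers by category impact and normalise to 0..100."""
    unknown = set(answers) - set(CATEGORY_WEIGHTS)
    if unknown:
        raise ValueError(f"unknown risk categories: {sorted(unknown)}")
    total = 0.0
    for cat, weight in CATEGORY_WEIGHTS.items():
        # An unanswered question is a gap, not a pass: count it as worst case.
        ans = answers.get(cat, MAX_ANSWER)
        if not 0 <= ans <= MAX_ANSWER:
            raise ValueError(f"answer for {cat} out of range: {ans}")
        total += weight * ans
    return 100.0 * total / (sum(CATEGORY_WEIGHTS.values()) * MAX_ANSWER)


def assess(vendor: Vendor, today: date) -> Assessment:
    """Score one vendor, scale by data exposure, record gaps and assign a tier."""
    score = min(100.0, weighted_score(vendor.answers) * DATA_EXPOSURE[vendor.data_exposure])
    flags = []
    if not vendor.subcontractors_disclosed:
        flags.append("subcontractors not disclosed")
    if not vendor.dpa_signed:
        flags.append("no DPA / individual-rights clause on file")
    if vendor.reviewed is None and (today - vendor.submitted).days > REVIEW_SLA_DAYS:
        flags.append("questionnaire awaiting review past SLA")
    tier = 1 if score >= 60 else 2 if score >= 30 else 3
    if flags:
        tier = max(1, tier - 1)  # any open gap moves the vendor up one tier
    return Assessment(vendor.name, round(score, 1), tier, flags)


def prioritize(assessments: List[Assessment]) -> List[Assessment]:
    """Order the review queue: highest tier first, then highest score."""
    return sorted(assessments, key=lambda a: (a.tier, -a.score))


# Constructed sample vendors (not real companies) and a fixed review date.
TODAY = date(2020, 6, 1)
SAMPLE_VENDORS = [
    Vendor("Small consulting firm", {c: 1 for c in CATEGORY_WEIGHTS}, "limited",
           True, True, date(2020, 5, 27), reviewed=date(2020, 5, 30)),
    Vendor("Database hosting provider",
           {"strategic": 2, "reputational": 2, "operational": 3, "financial": 1,
            "compliance": 3, "security": 4, "fraud": 1},
           "sensitive", False, True, date(2020, 4, 10)),
    Vendor("Marketing agency",  # left the fraud question blank
           {"strategic": 0, "reputational": 0, "operational": 0, "financial": 0,
            "compliance": 0, "security": 0},
           "bulk", True, False, date(2020, 5, 20)),
]


def sample_assessments() -> Dict[str, Assessment]:
    """Assess the constructed vendors and return them keyed by name, in queue order."""
    return {a.name: a for a in prioritize([assess(v, TODAY) for v in SAMPLE_VENDORS])}


if __name__ == "__main__":
    for a in sample_assessments().values():
        print(f"Tier {a.tier}  {a.score:5.1f}  {a.name}  {'; '.join(a.flags)}")
```

Note that the agency with a perfect questionnaire still lands in Tier 2: the blank fraud answer is scored as worst case and the missing DPA clause escalates it, which is the contract gap the review team needs to close before onboarding.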

Conclusion: Get a Handle on Your Third-Party Agreements

Today’s consumers hold more power than ever before. If there’s an issue with how their data is being managed or used, they’re not going to point the finger at the third-party vendor responsible for the misdemeanor. They’re going to fully blame you – the vendor’s employer.

If you don’t want to get in trouble for something you didn’t do, completing due diligence with your third-party agreements is crucial.

The good news is, risk management software can help you complete this privacy checklist for evaluating third-party agreements in the least amount of time, effort and expense. It allows you to ditch the Excel spreadsheets and dusty digital files. Instead, you’ll be able to utilize a cost-effective, intuitive system that’s applicable to each new vendor.

Hiring a Fractional Privacy Officer (FPO) can also give you a leg up. This individual is adept at creating the review process, managing it from end-to-end, analyzing the assessments, and making it right inside the organization. If you’re interested in seeing how an FPO can exponentially benefit your vendor management process, we’ve got a team of experts who are well-versed in this high-risk area.

Reach out today to schedule a free consultation!
