With 16 U.S. state consumer privacy laws now enacted (as of this writing), companies are streamlining their compliance activities to address obligations from multiple laws. And, in general, we do see strong patterns and commonalities emerging. However, in some areas, states have struck out on their own — take California’s opt-out button requirement, for example.
Another unique element amongst the laws is Oregon’s obligation for companies to provide consumers “a list of specific third parties, other than natural persons, to which the controller has disclosed: (i) The consumer’s personal data; or (ii) Any personal data” upon request. Other state laws allow for organizations to disclose categories of recipients of personal information, as opposed to specific entities.
The Oregon Attorney General’s Office, when asked about this provision, stated, “We think it is very important for consumers to have the right to know specific third parties so that they can track their data downstream and effectively exercise their rights under the bill.”
This obligation puts significantly more pressure on organizations to understand how data flows through the business. So, what do companies do to comply with this obligation? Well, there are a few names for it (like many things in privacy). Some call it records of processing activities, others call it data mapping, and Red Clover calls it a data inventory.
A data inventory should include the personal information you collect, the purpose for collection, the source of the data, the entities to which you disclose it, where you retain it, and for how long.
For companies with hundreds — if not thousands — of vendors, this is a heavy lift. Maintaining a third-party inventory is closely tied to a data inventory, and the two can serve as a check on each other, ensuring that every third party in your data inventory is accounted for in your third-party inventory.
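One way to produce the list of specific third parties and run the cross-check described above, as an added Python example that is not Red Clover’s tooling; the vendors, data elements and both inventories are constructed sample data:

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Recipient:
    name: str
    natural_person: bool = False  # individuals are excluded from the Oregon list


@dataclass
class InventoryEntry:
    data_element: str   # personal information collected
    purpose: str        # purpose for collection
    source: str         # where the data comes from
    recipients: tuple   # entities it is disclosed to
    storage: str        # where it is retained
    retention: str      # how long it is retained


# Constructed sample data inventory (hypothetical vendors and data elements).
DATA_INVENTORY = [
    InventoryEntry("email", "marketing", "web signup form",
                   (Recipient("Acme Email Co"), Recipient("Cloud Host Inc")),
                   "CRM (SaaS)", "3 years after last contact"),
    InventoryEntry("purchase history", "order fulfilment", "checkout",
                   (Recipient("ShipFast LLC"), Recipient("Jane Doe", natural_person=True)),
                   "orders database", "7 years"),
    InventoryEntry("device id", "analytics", "mobile app",
                   (Recipient("Metrics Corp"),), "analytics warehouse", "13 months"),
]

# Constructed third-party inventory, as procurement or vendor management might keep it.
THIRD_PARTY_INVENTORY = {"Acme Email Co", "Cloud Host Inc", "ShipFast LLC", "Legacy Ads Ltd"}


def specific_third_parties(inventory):
    """Distinct third parties, other than natural persons, that receive personal data."""
    return sorted({r.name for e in inventory for r in e.recipients if not r.natural_person})


def third_parties_for(inventory, data_element):
    """Per-element view, e.g. which entities received a consumer's purchase history."""
    return sorted({r.name for e in inventory if e.data_element == data_element
                   for r in e.recipients if not r.natural_person})


def reconcile(inventory, third_party_inventory):
    """Cross-check: recipients missing from the third-party inventory, and vendors
    in the third-party inventory with no documented data flow."""
    disclosed = set(specific_third_parties(inventory))
    return sorted(disclosed - third_party_inventory), sorted(third_party_inventory - disclosed)
```

A non-empty first element from `reconcile` is a gap in the third-party inventory; a non-empty second element is a vendor whose data flow (if any) is undocumented.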
What should you do?
- Update your data inventory to ensure you know exactly which third parties are processing and receiving personal information. It will be critical to create an ongoing plan for maintaining this list. Best practices include updating the data inventory whenever a new vendor is added (work with the procurement team), setting a fixed monthly or quarterly review schedule, and meeting regularly with business units to identify changes to the data inventory.
- Keep in mind that the data inventory should be documented in a form from which this information can be readily pulled.
- Companies that fill the data processor role under the EU General Data Protection Regulation (GDPR) may be able to leverage their sub-processor list and methodology, building it out to include all third parties.
Need Help?
Red Clover works with organizations to kick off, maintain, or update data inventories, third-party inventories, and all aspects of privacy operations. We can help you establish and implement processes to comply with privacy and data protection laws like the Oregon Consumer Privacy Act, California Consumer Privacy Act, and the GDPR.
Have questions? Schedule a consultation today.