To round out this series on right-sizing a privacy program, our last stop is thinking about the impact of working with third parties. There are many legal requirements to assess and/or to address in third-party contracts when personal information is being gathered or is changing hands.
Unfortunately, the legal requirements in this area are not static. As many are aware, the terms that exist in this vein in the EU are in the process of changing. They are also ever-growing. In the US, many laws provide certain protections (or require certain hurdles) if contractual provisions are not in place (California’s CCPA, for example). While many are aware of the CCPA provisions regarding third parties, other laws impact contracting with third parties, including in the data security realm: for example, state data protection laws in California, Illinois, Massachusetts, and New York, as well as several others.
When faced with such a large number of legal requirements, it often helps to take a step back. Critical for a right-sized approach is understanding what information is flowing to which partners. With that diligence (done perhaps in coordination with IT or IS teams’ efforts), privacy professionals can work on having the appropriate contractual terms in place. While standardized language is ideal, it is not always feasible. Knowing when and where to push back, or when and where to have customized language, is one of the potential benefits of a right-sized approach.
Putting it Into Practice: As our “Privacy Day” week draws to a close, we hope that these insights and ideas with respect to strategizing and customizing, as well as legal and vendor considerations, help you think through creating a right-sized privacy program at your organization. In sum, we suggest initiating efforts with a focus on strategy, establishing and keeping track of measurable goals, and obtaining the resources you need to keep implementation going. This one-sheet is a handy resource for the various elements discussed over the course of this series.