Readiness Process

Sprint Timeline

The engagement follows structured phases, each building on the outputs of the previous one.

1. Intake (2–6 days)

  • NDA & stakeholder map
  • Document request
  • Scoping interviews
  • System boundary draft

2. Assessment (9 days)

  • TSC selection
  • Type 1/Type 2 recommendation
  • Control walkthroughs
  • Evidence sampling

3. Outputs (9 days)

  • Controls matrix & gap register
  • Policy/document backlog
  • Evidence calendar
  • Executive readout & roadmap

4. Follow-on (Variable)

  • Remediation implementation
  • Type 2 observation period

Phase Details

1. Intake & Scoping (Week 1)

We start by understanding your privacy program, data landscape, and compliance context.

  • Privacy program review — assess existing privacy policies, notices, and procedures
  • Data inventory kickoff — begin mapping personal information collection, use, and sharing
  • Vendor/contractor mapping — identify all third parties that receive or process personal information
  • Consumer rights workflow assessment — evaluate current ability to receive and respond to consumer requests

2. Assessment (Week 2–3)

We evaluate your current privacy posture against CCPA/CPRA requirements.

  • Data flow mapping — document how personal information moves through your systems, vendors, and partners
  • Privacy notice gap analysis — compare current notices against CPRA disclosure requirements
  • Consent mechanism review — assess opt-out, GPC signal handling, and SPI consent flows
  • SPI handling evaluation — review sensitive personal information practices against CPRA standards

3. Outputs (Week 3–4)

We deliver the artifacts that define your path to privacy compliance.

  • Privacy rights response procedures — documented workflows for handling all consumer request types
  • Vendor contract templates — CPRA-compliant service provider and contractor agreement language
  • Privacy impact assessment framework — methodology for evaluating high-risk processing activities
  • Remediation roadmap — prioritized plan to close gaps with owners and timelines

4. Follow-on (Ongoing)

After the readiness sprint, continued support ensures sustained compliance.

  • GPC/opt-out implementation — technical implementation of Global Privacy Control and opt-out preference signals
  • CPRA audit compliance — preparation for cybersecurity audit requirements under CPRA regulations
  • Privacy notice updates — ongoing maintenance of privacy disclosures as regulations and practices evolve

Sprint Deliverables

Every readiness sprint produces these minimum deliverables:

  • Personal information data map
  • Privacy notice gap analysis
  • Consumer rights response procedures
  • Vendor/contractor contract review
  • SPI handling assessment
  • Opt-out mechanism evaluation
  • Risk assessment framework
  • Remediation roadmap

Start Your Readiness Sprint

Most companies complete the readiness sprint in 3–4 weeks. The result is a clear, actionable plan to achieve CCPA/CPRA compliance.
