Case Study: Modere – Achieving GDPR & CCPA Compliance

About Modere

Modere offers a category-leading portfolio of live clean lifestyle essentials including beauty and personal care, health and wellness, and household products that are equal parts high-performing and scientifically designed. It believes modern health involves pure nutrition and a clean environment across all of its product categories.

Modere brings a holistic, live clean approach to well-being, and its products reflect a commitment to excellence and innovation with tested formulas proven around the globe. The recipient of multiple third-party validations, Modere’s line includes products that are US EPA Safer Choice-approved, EWG Verified™, NSF Certified and gray-water appropriate. The company is a proud supporter of Vitamin Angels®

The Challenge

Modere’s large footprint in Europe and multifaceted business model led to significant obligations under the General Data Protection Regulation (GDPR). The introduction of new roles and definitions under the GDPR and the lack of guidance from the regulators and attorneys regarding said roles and definitions made it difficult for Modere to understand what obligations were required and which may not apply. Further, a lack of privacy expertise and staff required to make it through and accomplish an enterprise-wide privacy program review and implementation proved difficult.

The Approach

In order to determine Modere’s GDPR obligations and build an intimate understanding of Modere’s business and personal data processing activities, CompliancePoint began the engagement by assessing Modere’s readiness to comply with these new obligations. The assessment process educated Modere stakeholders on the GDPR and provided CompliancePoint with an in-depth understanding of Modere’s personal data processing activities and its ability to comply with the GDPR’s privacy and security requirements. This involved meeting with all departments processing personal data, interviews with the Information Technology and Information Security teams, and governance review. The output of this assessment consisted of a written report outlining CompliancePoint’s findings regarding Modere’s alignment with the GDPR and the NIST-CSF security framework and detailed recommendations surrounding remediation in a corrective action plan.

Following the assessment phase, CompliancePoint was engaged to implement Modere’s GDPR privacy program through working with the US and EU Modere teams. This included project management and serving as privacy and technology experts. The foundation of the privacy program was established by conducting and compiling a comprehensive personal data map and inventory, which was relied upon to develop policies and procedures surrounding access requests, notice requirements, security controls and the other GDPR requirements. CompliancePoint assisted and led the creation of processes, procedures, and governance for Modere to demonstrate compliance with the GDPR.

Following the implementation of the GDPR privacy program, CompliancePoint was engaged to assist Modere with complying with the California Consumer Privacy Act (CCPA). Using the results of the GDPR work, CompliancePoint was able to quickly design a project plan and recommendations that would bring Modere into compliance with the CCPA.

Results and Benefits

By leveraging controls previously developed to comply with the GDPR as well as creating and implementing new processes, procedures, and governance, CompliancePoint ensured Modere could demonstrate compliance with the CCPA well before its effective date. Following the assessment and implementation phases, Modere was confident in demonstrating compliance with complex global and stateside privacy regulations while continuing business operations in these regions.

Further, the program was designed and built to be flexible to the quickly changing privacy regulatory environment. While governance and nuanced requirements will be required, Modere is prepared to comply with other privacy regulations quickly and without reinventing the wheel.

Through being transparent about their personal data processing activities and providing and honoring consumer privacy rights as well as operating under the privacy principles embodied not only in these two regulations but in the spirit of many privacy regulations, Modere maintains consumer trust that personal data is processed lawfully and securely in accordance with international and state privacy laws.