CCPA’s top five compliance challenges
The California Consumer Privacy Act (CCPA) took effect on New Year’s Day. California is the first state in the union to create a data privacy law for its residents. Other states will follow soon.
For compliance purposes, there is good news and bad news. The good news: CCPA has a six-month grace period. There will be no enforcement action until after July 1, 2020. Bad news? You only have until July 1 to get your act together, and the clock is ticking.
Let’s get to work. Here are the top five challenges you’ll encounter while complying with CCPA’s requirements and tips to address them.
1. CCPA’s foundational requirement
CCPA demands that you categorize personal data and for each category, define its purpose. CCPA states: “at or before the point of collection, [the business shall] inform consumers as to the categories of personal information to be collected and the purposes for which the categories of personal information shall be used.”
CCPA’s categorization requirement presents organizations with a foundational challenge. How well do the company’s mission and goals, along with its processes and policies, align with the data you collect and with protecting people’s privacy? Can you justify the personal data you collect?
Address data privacy’s foundational challenge with a thorough, effective, focused, and flexible data governance structure. This type of governance lets you more easily identify the categories of personal information you need to achieve the goal of complying with CCPA.
2. Data involves every department, not just IT
For CCPA compliance, organizations need pinpoint accuracy to know what data they hold and where it is located. It’s as if you need GPS tracking on all personally identifiable data, wherever it resides.
Given the way data flows through and outside an organization, the job of data caretaker falls on everyone – business managers, audit, privacy officer and security personnel. It’s not a job that can be relegated to IT. Business processes, toolsets, customers, and vendors all interact with data, and data’s omnipresence presents challenges for CCPA compliance. For example, many companies monitor their servers for configurations, data security, and the applications that run on them. That, however, is not true of company laptops, which can run unapproved software, store gigabytes of protected data, and insecurely communicate with third parties via email and cloud-based share drives.
The daily course of business can also be a trouble spot. Let’s say a salesperson prefers using a free CRM tool, but the software falls outside the company’s approved toolsets and standard processes. Or the product management team’s reporting solution is incompatible with the enterprise’s reporting solution. In each case, awareness and access to data are lost.
Whether it’s processes or people touching data, both need direction and guidance on handling data with privacy implications.
3. Protecting your organization’s data
CCPA stipulates your company is responsible for protecting its data.
The challenge comes when performing risk assessments and conducting continuous monitoring, which are key tactics for securing and protecting data. Such activities disrupt people and processes focused on serving the needs of the business. You may encounter resistance.
Another issue is the lack of guidance for security procedures compliant with CCPA. While CCPA does not define reasonable security procedures, California’s attorney general has cited the CIS Top 20 as the minimum set of controls that would meet the standard for reasonable security. On a side note, understanding which CIS 20 controls to use and applying them holistically can be a challenge in itself.
CCPA’s data protection requirements call for integrated management of assets and data combined with the CIS Top 20 set of controls.
4. Meeting data subjects’ rights
CCPA grants consumers multiple rights, including Right to Access, Right to Know, Right to Opt-Out, and Right to Deletion. Companies mistakenly believe data subject rights focus exclusively on the right to be forgotten. It’s much more than that.
For CCPA compliance, you need consumer-facing and back-office processes designed to address all data subject rights, as well as facilitate disclosures and answer consumer questions submitted via multiple channels, including a toll-free number. Failure to address all data subject rights could not only damage customer relationships but also lead to fines, reputational damage, and litigation.
5. The race against the clock when data breaches occur
CCPA’s breach notification requirement is time-sensitive and can be high stress. When a breach occurs, multiple clocks start ticking, including determining what happened and notifying the affected people and appropriate authorities.
Although not a compliance requirement, firms are also under pressure to act quickly after a breach occurs. That means getting ahead of the story and taking proactive steps to keep the business operational and preserve its reputation. Firms should also consider specific plans for financial resiliency, as some businesses will encounter steep fines and/or class action lawsuits pursued by data subjects.
Data breach notification requirements and non-regulatory issues call for a dedicated cross-functional team that can act swiftly and report to higher-ups with real-time information needed to make informed decisions without delay.
Enlist a technology solution for CCPA compliance
Between the complexity of the requirements and the company-wide orchestration they demand, CCPA compliance is next to impossible without a technology solution.
Look for a solution that can deliver on the following:
- Houses CCPA requirements and connects them to controls, processes, and more for an integrated view of risk and compliance
- Incorporates CIS Controls for information security
- Enhances privacy by normalizing CIS Top 20 with ISO 27701 and, when released, NIST 800-53 V5
- Streamlines communications between departments, and third parties, including customers
- Automatically identifies hardware and software assets on networks, including rogue or unknown assets
- Facilitates, consolidates, and/or reports on the status of responses to data subject requests from multiple channels, including a toll-free number
- Integrates surveys and questionnaires that support continuous monitoring of third parties to ensure compliance with processes and ethical practices
- Manages and reports on the entire privacy incident management lifecycle
Let’s face it, you are likely not going to get the extra resources you need to manage privacy using your current processes and toolsets. In order to keep up with CCPA and future privacy requirements, you need to take a purposeful and automated approach to meet the challenges listed above. The right technology solution allows you to do more with less, all the while helping you meet CCPA requirements. It sets you up for not only complying with CCPA, but also other state data privacy regulations, GDPR, and data privacy laws in over 80 countries.