Effective January 1, 2020, the release of the California Consumer Privacy Act (“CCPA”) marks the beginning of “America’s GDPR.” Like the European Union’s General Data Protection Regulation (“GDPR”), the CCPA will require organizations to focus on user data and provide transparency in how they’re gathering, distributing and using such data.
Violations carry penalty thresholds that may expose large California-based businesses to significant financial risk.
If your company serves or employs California residents, you may find these four CCPA requirements have the biggest impact on your business plans:
- Data inventory and mapping of in-scope personal data and instances of “selling” data
  - The best way to conduct an effective data inventory is to:
    1. centralize how the data is collected
    2. document the policies for the data's use and whether it will be sold
- New individual rights to data access and erasure, as well as the right to opt out of data selling
  - Businesses are required to give customers/users a clear method for removal from any data-selling processes.
- Updating service-level agreements with third-party data processors
  - In the past, Service Level Agreements (SLAs) have been cumbersome and hard to interpret. The CCPA aims to provide awareness of any agreement changes that involve third-party organizations who will be handling user data and must respect the user's rights over it.
- Remediation of information security gaps and system vulnerabilities
  - In today’s era of growing cybercrime, neglecting good cyber hygiene is no longer an option. This requirement aims to ensure that known issues are dealt with and are in line with cybersecurity industry standards and best practices.
Failure to plan is planning to fail. If your company lacks a strong understanding of its users’ protection rights, it may face substantial penalties for noncompliance in addition to lawsuits from users over a lack of transparency.
Companies are now required to include a clearly visible footer on websites that offers consumers the choice to opt out of data sharing. If that data footer is missing, consumers can sue. Consumers also have the right to sue if they are unable to easily determine how their information was collected or if they can’t obtain copies of their information.
Luckily, certain CCPA requirements overlap with the existing GDPR individual rights requirements. So if you’re GDPR-ready, you may have a jump start on building a capability around user-data handling practices. However, several policies, processes and systems will still need updating to address differences between the two laws.
It is crucial that your company examine its data and how that data is secured. This is not an IT issue; it is a business issue that must be addressed from the board level. The following steps cover best practices to bolster your compliance program:
- Security and privacy by design and by default
  - When designing and implementing new technology, privacy and security should be baked in, not bolted on after implementation.
- Locating, identifying and classifying personal data
  - Written policies that clearly identify where personal data is stored and accessed are necessary. Classifying data, especially personal data in this case, makes clear how each data class should be handled and which existing IT controls apply to it.
- Tracking personal data use via audit trails to demonstrate compliance
- Providing response capabilities for individual requests for access, correction, deletion, and transfer of personal data, with audit trails to demonstrate compliance
  - The systems and platforms you build must support transparency and validation for user requests.
- Effectively preparing for and responding to breaches
  - Best practices include vulnerability management programs, penetration tests, incident response plans, and written information security policies.
- Implementing security controls according to risk (vulnerability assessments, access controls, activity monitoring and encryption)
  - Cyzen’s security architectural reviews target all of these aspects.
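To make the data-inventory, audit-trail and request-handling items above concrete, here is a small added example (written for this post, not Cyzen's code or any product's implementation). It keeps a registry of personal-data records tagged with a data class, a documented purpose and any third parties the data is sold to; every collection, opt-out, access and deletion event is appended to an audit trail. The subject ids, field values and the third-party name "AdNetworkX" are constructed sample data.

```python
"""Minimal personal-data registry with an audit trail and data-subject
request handling. Constructed example: every record value is made up."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
import json


@dataclass
class Record:
    subject_id: str                   # the consumer the data is about
    data_class: str                   # e.g. "contact", "financial", "behavioral"
    field_name: str
    value: str
    purpose: str                      # documented purpose for collection
    sold_to: list = field(default_factory=list)  # third parties receiving it for value


class PersonalDataRegistry:
    def __init__(self):
        self._records = []
        self._opted_out = set()       # subjects who opted out of data selling
        self._audit = []              # append-only log of every data event

    def _log(self, event, subject_id, detail=""):
        self._audit.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "event": event, "subject": subject_id, "detail": detail})

    def collect(self, record):
        """Record a new piece of personal data together with its purpose."""
        self._records.append(record)
        self._log("collect", record.subject_id,
                  f"{record.data_class}.{record.field_name} purpose={record.purpose}")

    def inventory(self):
        """Data map: which classes are held, which fields, and who they are sold to."""
        summary = {}
        for r in self._records:
            entry = summary.setdefault(r.data_class, {"fields": set(), "sold_to": set()})
            entry["fields"].add(r.field_name)
            entry["sold_to"].update(r.sold_to)
        return {k: {"fields": sorted(v["fields"]), "sold_to": sorted(v["sold_to"])}
                for k, v in summary.items()}

    def opt_out_of_sale(self, subject_id):
        self._opted_out.add(subject_id)
        self._log("opt_out_sale", subject_id)

    def may_sell(self, subject_id):
        """Check to run before any data transfer that counts as a sale."""
        return subject_id not in self._opted_out

    def access_request(self, subject_id):
        """Portable export of everything held about one subject."""
        self._log("access_request", subject_id)
        return {
            "subject": subject_id,
            "sale_opt_out": subject_id in self._opted_out,
            "records": [{"class": r.data_class, "field": r.field_name,
                         "value": r.value, "purpose": r.purpose,
                         "sold_to": list(r.sold_to)}
                        for r in self._records if r.subject_id == subject_id],
        }

    def deletion_request(self, subject_id):
        """Erase a subject's records; returns how many were removed."""
        before = len(self._records)
        self._records = [r for r in self._records if r.subject_id != subject_id]
        removed = before - len(self._records)
        self._log("deletion_request", subject_id, f"removed={removed}")
        return removed

    def audit_trail(self, subject_id=None):
        """Evidence for a compliance review, optionally filtered to one subject."""
        return [e for e in self._audit if subject_id is None or e["subject"] == subject_id]


def build_sample_registry():
    """Constructed sample data; none of these values are real."""
    reg = PersonalDataRegistry()
    reg.collect(Record("u-1001", "contact", "email", "alice@example.com", "account notices"))
    reg.collect(Record("u-1001", "behavioral", "page_views", "42", "ads", sold_to=["AdNetworkX"]))
    reg.collect(Record("u-1001", "financial", "last4", "4242", "billing"))
    reg.collect(Record("u-2002", "contact", "email", "bob@example.com", "account notices"))
    return reg


if __name__ == "__main__":
    reg = build_sample_registry()
    print(json.dumps(reg.inventory(), indent=2))
    reg.opt_out_of_sale("u-1001")
    print(json.dumps(reg.access_request("u-1001"), indent=2))
    print("removed:", reg.deletion_request("u-1001"))
    print(json.dumps(reg.audit_trail("u-1001"), indent=2))
```

The `inventory()` output is the data map the first CCPA requirement asks for: it shows at a glance which data classes are sold and to whom. Keeping `may_sell()` as a single check that every outbound transfer consults is what turns an opt-out footer on the website into an enforceable control, and the audit trail is what you hand an auditor to show each request was honored.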
Data protection laws…one big step forward for global digital security, one giant leap for technology leaders into the maze of complex laws and regulations.
State- and federal-level responses to mounting data breaches have shifted cybersecurity for businesses from “nice to have” to “must have,” forcing technology leaders to navigate a patchwork of compliance requirements. Fortunately, we have you covered. Stay tuned for part two of our data privacy readiness series and contact your cybersecurity advisor with any questions you have.