How to prepare for CCPA and other privacy regulations
Consumer data access is one of the fundamental rights established by the EU’s GDPR, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). It is founded on the premise that individuals have rights over their own personal data and that businesses should ask for permission before using it.
For companies that fall within the purview of these laws, non-compliance carries significant risk. Compliance requires a significant initial investment of effort, followed by ongoing controls that can monitor for and prevent violations and put appropriate corrective measures in place.
The following are good starting points for an organization to consider:
- Identify and empower key stakeholders – The first step for any organization is to assign responsibility for investigating the regulation and its impact to an executive who will help implement the resulting changes and keep management abreast of progress. That executive will in turn assemble a team to establish budgetary requirements, timelines and a risk assessment covering both implementation and non-compliance. The stakeholders should be drawn from the groups that have the closest relationship with the customers and their data. Typically, these executives belong to the Marketing department or Customer Service, supported by the Legal department and the CIO office.
- Audit and monitor impacted information management systems – Any company that has been around for a reasonable length of time and is big enough to fall within the purview of the privacy laws will have assembled a potpourri of applications, databases and processing systems that deal with customer data. Because organizations experience organic, planned changes as well as periods of uncertainty resulting from events like hypergrowth, changes in markets or acquisitions, their well-planned IT systems can come to resemble urban sprawl. The catalog and inventory of data and controls can fall out of sync with reality. It is critical that the systems and processes dealing with customer data be identified and analyzed for impact.
- Implement bidirectional communication channels with customers – Consumers can make requests in different formats, and those requests can arrive via different channels. The organization must also be able to respond to a consumer’s privacy request in the ways approved by the regulation.
- Set up a compliance and controls framework – Once the teams have been assembled and the systems identified, it is important to detect violations and put corrective actions in place to avoid process drift, where systems fall out of compliance over time. The laws require and enable a full-time or consulting Data Privacy Officer who will ensure that the framework is enforced within the organization.
- Set up a Center of Excellence – The EU’s GDPR and California’s CCPA and CPRA are the tip of the spear for consumers’ demands that their data privacy be enforced. Other US states, the Federal government and other countries are implementing their own versions of privacy laws. Setting up a CoE within the company can help manage current and future expertise needs in a competent manner.
- Provide training to all personnel – Provide regular and ongoing training to all personnel, so that every member of the organization is aware of the need to handle sensitive data with care.
It can be tempting to see data privacy regulations as a burden, but they also provide an opportunity. By requiring continuous audit and monitoring of user data, they give businesses a chance to get a good handle on one of their most important assets: the information about their customers. Businesses can take advantage of meeting regulatory needs to better serve their customers.
Privathy provides multiple services that can meet your organization’s needs to assess the applicable laws and the steps required for compliance. You can find out more by contacting us using our contact form listed here.
Sources:
- CPRA – https://thecpra.org/
- CCPA – https://www.oag.ca.gov/privacy/ccpa
- GDPR – https://gdpr-info.eu/