The California Consumer Privacy Act (CCPA), signed into law in 2018, is scheduled to take effect on January 1, 2020. It could have serious consequences for unprepared businesses, especially when the consumers they serve exercise their new right to have their personal information deleted.
The law reaches any for-profit business that collects Californians' personal information and meets one of its thresholds (more than $25 million in annual revenue, personal information on 50,000 or more consumers, households or devices, or half or more of its revenue from selling personal information), so it touches everyone from internet service providers to online retailers when it comes to privacy, data retention and compliance. Failure to comply exposes a business to civil penalties of up to $2,500 per violation, or $7,500 per intentional violation, with no cap on the number of violations, in the same spirit as the recent 50 million euro General Data Protection Regulation (GDPR) fine levied against Google in the European Union. There are, however, steps that organizations can take to ensure compliance while protecting consumer data, commonly referred to as personally identifiable information (PII) or protected health information (PHI).
Companies looking to get ahead of the ever-shifting privacy landscape can make the most of the moment by asking not just how, but why. The reasoning behind the CCPA is the same that brought about the GDPR for Europeans and PIPEDA for Canadians: governments are drafting laws that hold organizations accountable for storing and protecting consumer data safely. The requirements of these regulations range from the now-familiar cookie consent prompt on websites to pseudonymizing the data consumers volunteer before it is stored.
Another way for organizations to get a grip on the ins and outs of the CCPA is to simplify its requirements. The statute, its amendments and the implementing regulations still to come from the California Attorney General can intimidate Fortune 500 companies and small businesses alike, but they can be distilled into a few key steps for organizations planning to minimize the risk of privacy non-compliance.
- Identify all sources of data within the organization. To secure all the data that falls under an organization's purview, every source of data flowing into the organization must be understood and documented, including the fields each source carries. That makes it far easier to classify the data and route it to the appropriate storage controls.
- List who can access each data source. Much of the focus on PII / PHI is on who has access to it, inside the company and at vendors and other third parties. By always knowing who can reach PII / PHI, and being able to show it, organizations minimize risk and gain more control over their internal processes.
- Establish requirements for each data source. Companies should determine the requirements for each source: which fields are personal information, which of them must be pseudonymized, and how long each must be kept. Deciding this in advance forces organizations to think through the volume and type of data they expect and how best to store it.
- Determine what processes must change to comply. A little foresight goes a long way. That includes a process for answering consumer requests to know what personal information is held and to have it deleted, which the CCPA requires a business to respond to within 45 days. Organizations that examine their data processes today can avoid potentially hefty penalties once the CCPA takes effect in 2020.
- Take control of data retention processes. Once access is limited, requirements are set and storage processes are defined, the next step is to take complete control of data retention: knowing what is kept, where and for how long, enforcing those limits, and being able to find and delete a single consumer's records across every source on request. Establishing and maintaining that control is the ultimate compliance goal for organizations under the jurisdiction of the CCPA or GDPR. Vendors also offer capabilities such as automated retention enforcement and searchable retention records.
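The five steps above read as a checklist, but they also map onto a small amount of code. What follows is an added example, not code from this article or from Fluency Security, showing a data inventory that drives everything else: ingestion refuses undocumented sources and undeclared fields (step 1), reads are limited to the roles the inventory lists (step 2), the fields the inventory marks are stored only as keyed pseudonyms (step 3), a consumer deletion request fans out across every source (step 4), and a retention job enforces each source's limit, with every action written to an audit trail (step 5). The inventory, roles, key, addresses and dates are all constructed for illustration. The pseudonym is an HMAC-SHA256 of the normalized value, so the same e-mail address always maps to the same token (joins and deletion requests still work) while nobody without the key can reverse it or test guesses against it.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Constructed inventory (an assumption for this example, not from the article): per data
# source, its allowed fields, the fields stored only as pseudonyms, its readers and its retention.
INVENTORY = {
    "crm": {"fields": {"email", "name", "phone", "plan"}, "pseudonymize": {"email"},
            "readers": {"sales", "support"}, "retention_days": 730},
    "newsletter": {"fields": {"email"}, "pseudonymize": {"email"},
                   "readers": {"marketing"}, "retention_days": 365},
}

def pseudonymize(value: str, key: bytes) -> str:
    # Keyed one-way pseudonym (HMAC-SHA256): equal inputs give equal tokens, so joins and
    # deletions still work, but without the key a token cannot be reversed or guessed.
    return hmac.new(key, value.strip().lower().encode(), hashlib.sha256).hexdigest()[:32]

class DataStore:
    def __init__(self, key: bytes, inventory=INVENTORY):
        self.key = key  # assumption: in production this lives in a KMS/HSM, not in code
        self.inventory = inventory
        self.records = {source: [] for source in inventory}
        self.audit = []  # (when, actor, action, source, rows): who touched what, and when

    def _log(self, actor, action, source, count, now):
        self.audit.append((now.isoformat(), actor, action, source, count))

    def ingest(self, source, record, now, actor="ingest"):
        # Steps 1 and 3: refuse undocumented sources or undeclared fields, then pseudonymize.
        spec = self.inventory.get(source)
        if spec is None:
            raise ValueError(f"undocumented data source: {source}")
        undeclared = set(record) - spec["fields"]
        if undeclared:
            raise ValueError(f"{source}: fields missing from inventory: {sorted(undeclared)}")
        stored = dict(record, _ingested_at=now)
        for name in spec["pseudonymize"] & set(record):
            stored[name] = pseudonymize(stored[name], self.key)
        self.records[source].append(stored)
        self._log(actor, "ingest", source, 1, now)

    def read(self, source, role, now):
        # Step 2: only roles listed for the source may read it; every attempt is logged.
        if role not in self.inventory[source]["readers"]:
            self._log(role, "read-denied", source, 0, now)
            raise PermissionError(f"{role} may not read {source}")
        self._log(role, "read", source, len(self.records[source]), now)
        return list(self.records[source])

    def _drop(self, source, keep, actor, action, now):
        kept = [r for r in self.records[source] if keep(r)]
        removed = len(self.records[source]) - len(kept)
        self.records[source] = kept
        self._log(actor, action, source, removed, now)
        return removed

    def purge_expired(self, now):
        # Step 5: enforce each source's retention period; returns rows removed per source.
        removed = {}
        for source, spec in self.inventory.items():
            cutoff = now - timedelta(days=spec["retention_days"])
            removed[source] = self._drop(source, lambda r: r["_ingested_at"] > cutoff,
                                         "retention-job", "purge", now)
        return removed

    def delete_consumer(self, email, now, actor="privacy-desk"):
        # Step 4: the request names a plain e-mail address; the same keyed function finds its rows.
        token = pseudonymize(email, self.key)
        return {source: self._drop(source, lambda r: r.get("email") != token,
                                   actor, "delete-request", now)
                for source in self.inventory}

def _raises(exc, fn, *args):
    try:
        fn(*args)
    except exc:
        return True
    return False

def demo():
    # Constructed walk-through: the key, addresses and dates are illustrative only.
    key = b"demo-key-replace-with-kms-managed-secret"
    t0 = datetime(2019, 1, 1, tzinfo=timezone.utc)
    store = DataStore(key)
    store.ingest("crm", {"email": "Ann@Example.com", "name": "Ann", "plan": "pro"}, t0)
    store.ingest("newsletter", {"email": "ann@example.com"}, t0)
    store.ingest("newsletter", {"email": "carol@example.com"}, t0)
    store.ingest("newsletter", {"email": "bob@example.com"}, t0 + timedelta(days=300))
    undeclared_rejected = _raises(ValueError, store.ingest, "crm",
                                  {"email": "dan@example.com", "ssn": "000-00-0000"}, t0)
    read_denied = _raises(PermissionError, store.read, "crm", "marketing", t0)
    crm_email = store.read("crm", "support", t0)[0]["email"]
    deleted = store.delete_consumer("ann@example.com", t0 + timedelta(days=10))
    purged = store.purge_expired(t0 + timedelta(days=366))
    return {"undeclared_rejected": undeclared_rejected, "read_denied": read_denied,
            "crm_email_stored_as": crm_email, "deleted": deleted, "purged": purged,
            "remaining": {s: len(r) for s, r in store.records.items()},
            "audit_entries": len(store.audit)}
```

Calling demo() runs the walk-through: the undeclared "ssn" field is rejected until someone updates the inventory, marketing is refused access to the CRM, Ann's deletion request removes her row from both sources, and the retention job later removes Carol's year-old newsletter row while keeping Bob's. One caveat to keep in mind: pseudonymized data is still personal information under the CCPA for as long as the key exists, because whoever holds the key can re-identify it. The statute's definition of pseudonymization assumes the additional information needed to re-identify the data is kept separately under its own technical and organizational controls, so the key needs the same access restrictions and audit trail as the data itself.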
There is no time like the present for organizations to start taking steps toward CCPA compliance. Often the most time-consuming part of the process is determining what steps are needed and who is best qualified to understand and overhaul the data retention processes. Get a head start on understanding the 2020 requirements and act before it is too late.
Chris Jordan is CEO and co-founder of Fluency Security (www.fluencysecurity.com), a security audit and automation technology firm that uses artificial intelligence to retain and organize data to meet regulations and support investigations in seconds.
BroadbandBreakfast.com accepts commentary from informed observers of the broadband scene. Please send pieces to email@example.com. The views reflected in Expert Opinion pieces do not necessarily reflect the views of BroadbandBreakfast.com and Breakfast Media LLC.