The California Consumer Privacy Act, passed into law in 2018, is scheduled to go into effect in January 2020. It could have dire consequences for unprepared businesses, especially when their customers demand to be forgotten.
The new law affects everyone from internet service providers to mom-and-pop shops when it comes to privacy, data retention and compliance regulations. Failure to comply with the pending CCPA regulations can result in massive fines, similar to the recent General Data Protection Regulation (GDPR) fines levied against Google in the European Union. However, there are steps that organizations can take to ensure compliance while protecting consumer data referred to as personally identifiable information (PII) or personal health information (PHI).
Companies looking to capitalize on the ever-shifting privacy landscape can maximize this opportunity by asking not just how, but why. The reasons that necessitated the CCPA are similar to those that brought about its predecessor GDPR for Europeans and PIPEDA for Canadians – governments are drafting laws that aim to hold organizations accountable for safely storing and protecting consumer data. The requirements of these regulations range from the now-expected cookies prompt on websites to the use of pseudonyms when storing the data volunteered by consumers.
Another approach for organizations looking to understand the ins and outs of CCPA is to simplify the requirements. There are hundreds of pages of CCPA requirements that can intimidate Fortune 500 companies and small businesses alike. These requirements can be distilled into a few key steps for organizations planning to minimize risks of privacy non-compliance.
- Identify all sources of data within the organization. In order to safely secure all data that falls under an organization’s purview, all sources of data flowing into the organization must be understood and documented. This makes it easier to sort the data into the appropriate data storage protocols.
- List who can access the sources of data. Much of the focus on PII / PHI revolves around who has access to that data. By always knowing who has access to PII / PHI, organizations can minimize risks while also gaining more control over internal processes.
- Establish requirements for each data source. Companies should determine the requirements necessary for each source of data. Predetermining data requirements, such as which fields need to have pseudonyms applied, can force organizations to give more thought to the volume and type of data expected, and better understand how best to store it.
- Determine what processes must be changed to comply. A little foresight can go a long way. Organizations examining data processes today can avoid potentially hefty fines for non-compliance when the CCPA goes into effect in 2020.
- Take control of data retention processes. Once companies have taken the proper steps to limit access, establish requirements, and determine processes for storing data, the next step is to take complete control of the data retention process. Establishing and maintaining control of data is the ultimate compliance goal for organizations that fall under the jurisdiction of CCPA or GDPR. Additionally, there are vendors who offer capabilities such as automation and enhanced searchability of data retention.
There is no time like the present for organizations to start taking steps to ensure CCPA compliance. Often the most time-consuming part of the process is determining what steps are needed and who is best qualified to understand and overhaul data retention processes. Get a head start on understanding the 2020 requirements and take action before it’s too late.
Chris Jordan is CEO and co-founder of Fluency Security (www.fluencysecurity.com), a security audit and automation technology firm that uses artificial intelligence to retain and organize data to meet regulations and support investigations in seconds.
BroadbandBreakfast.com accepts commentary from informed observers of the broadband scene. Please send pieces to email@example.com. The views reflected in Expert Opinion pieces do not necessarily reflect the views of BroadbandBreakfast.com and Breakfast Media LLC.