Written by Kapil Khadgi
ServiceNow Practice Head at Royal Cyber
California Consumer Privacy Act (CCPA) compliance strengthens data protection and gives California residents more control over their personal information: what organizations collect, how long they keep it, and how they use and share it.
Data is more influential and powerful in today's world. With companies increasingly collecting and using consumer data, governments are taking notice and establishing new regulations that focus on data privacy and security. The CCPA, passed by the State of California, came into effect in January 2020, and enforcement by the California Attorney General started in July 2020. CCPA applies to for-profit businesses that do business in California and collect California residents' personal information. The act follows in the footsteps of the European Union's General Data Protection Regulation (GDPR), which set out individuals' data privacy rights.
Even though companies are trying to comply with CCPA, there is still a long way to go. A comprehensive solution that helps companies achieve compliance, boost consumer confidence, and still expand data-based research and products will make the implementation of CCPA smoother.
Implementing such a solution and complying with CCPA requires organizations to follow best practices. Some of them are:
1. Understand data - At the beginning of the compliance journey, map the data landscape and identify where personal information lives in applications, databases, logs, and backups. The organization must avoid collecting and storing personal information it does not need for a disclosed purpose, and must check that data it treats as de-identified cannot be combined with other fields to re-identify an individual. Personal information that is found must be classified as sensitive and vetted by the legal or data privacy team.
2. Manage rights of consumers - The main objective of CCPA is to give individuals rights over their data: to know what is collected, to have it deleted, to opt out of its sale, and not to be discriminated against for exercising those rights. Organizations must meet these obligations by defining clear roles, responsibilities, and processes for fulfilling consumer requests. Organizations must establish an automated approach to verify the identity of the person making a request before acting on it, since deleting or disclosing data on an unverified request is itself a privacy failure. Organizations must also audit their records and track SLAs for consumer requests, and send automated emails to consumers for confirmation, clarification, and SLA updates. A data repository that holds consumers' personal information must be encrypted and access-controlled, so that encryption is not defeated by anyone in the organization who already holds a database login.
3. Manage vendors - Organizations that share or sell personal information with vendors and service providers must establish processes that carry the CCPA requirements through to those vendors. It is essential to collect documents from the vendor during onboarding, capturing privacy notice disclosures and privacy regulatory compliance details. The vendor contract must state the circumstances under which the vendor may share consumers' personal information, the liability in case of a breach or violation, and the data security measures that protect the data. Organizations must conduct regular audits and define a termination policy for vendors that breach CCPA obligations.
4. Archive and retain data - CCPA does not prescribe a single retention period; the organization must decide how long each category of personal information is kept for its disclosed purpose and delete it from every system once that period is over. Organizations must set up a data archival and retention policy for the various data categories, with a disposal time for each, and apply it to archives and backups as well as live repositories. Businesses must also define rules and a RACI matrix to operationalize the retention policy.
5. Training and monitoring - After implementing the solution, the organization's staff must be trained on data privacy and CCPA requirements so that they can handle consumer queries well. Organizations must build training material for CCPA queries and an SOP for rights fulfillment. They must also create flyers, emailers, and manuals to spread CCPA awareness among employees. Businesses must also establish an ongoing monitoring mechanism to confirm that CCPA controls remain in place and that employees adhere to them. A Data Privacy Impact Assessment must be conducted periodically and whenever a new business process is adopted. A clearly defined RACI, validation, and sign-off policy must be established so that the compliance team formally mitigates or accepts each identified risk.
6. Reporting to government authorities - CCPA imposes civil penalties for violations, and consumers may sue over data breaches that result from a failure to maintain reasonable security. Organizations must use reporting dashboards to track metrics and see which areas are not compliant. A breach monitoring mechanism lets the organization see violations and incidents on a central dashboard and meet any reporting obligations. Businesses can also foresee risks and issues before they arise, track progress on them, and address them with mitigation strategies or control measures.
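The retention enforcement in point 4 and the request SLA tracking in point 2 are the two pieces of this list that reduce to mechanical checks, so here is a small worked example of both. This is an added illustration, not Royal Cyber's, OneTrust's, or Collibra's code. The data categories, retention periods, the record and request structures, and the sample data are all constructed assumptions; the 45-day response window is the CCPA default for verifiable consumer requests but is kept as a parameter because an organization's policy may differ.

```python
"""Retention enforcement and consumer-request SLA tracking for a CCPA program.

Added example: not the code of Royal Cyber, OneTrust or Collibra. Categories,
retention periods, record shapes and sample data are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed retention schedule (days) per data category. CCPA does not fix these
# numbers; they come from the organization's own retention policy.
RETENTION_DAYS = {
    "marketing_profile": 365,
    "support_ticket": 730,
    "transaction": 2555,  # about seven years, common for financial records
}

# CCPA's default window for responding to a verifiable consumer request.
REQUEST_SLA_DAYS = 45


@dataclass
class Record:
    record_id: str
    category: str
    collected_on: date


@dataclass
class ConsumerRequest:
    request_id: str
    kind: str  # "know", "delete" or "opt_out"
    received_on: date
    identity_verified: bool = False
    completed_on: Optional[date] = None


def expired_records(records, today):
    """Records whose category retention period has run out as of `today`."""
    out = []
    for r in records:
        days = RETENTION_DAYS.get(r.category)
        if days is not None and r.collected_on + timedelta(days=days) <= today:
            out.append(r)
    return out


def purge_expired(records, today):
    """Split records into (kept, purged, unclassified).

    Records in a category with no retention rule are NOT silently deleted and
    NOT silently kept: they are returned separately so the privacy team can
    classify them, which is the gap point 1 above is meant to close.
    """
    doomed = {r.record_id for r in expired_records(records, today)}
    purged = [r for r in records if r.record_id in doomed]
    unclassified = [r for r in records
                    if r.record_id not in doomed and r.category not in RETENTION_DAYS]
    kept = [r for r in records
            if r.record_id not in doomed and r.category in RETENTION_DAYS]
    return kept, purged, unclassified


def sla_status(req, today):
    """Classify one consumer request against the response SLA.

    Unverified requests are reported separately: the clock is running, but
    acting on them before identity is confirmed would be the bigger failure.
    """
    if req.completed_on is not None:
        taken = (req.completed_on - req.received_on).days
        return "completed_on_time" if taken <= REQUEST_SLA_DAYS else "completed_late"
    if not req.identity_verified:
        return "awaiting_verification"
    deadline = req.received_on + timedelta(days=REQUEST_SLA_DAYS)
    return "overdue" if today > deadline else "open"


def sla_report(requests, today):
    """Count requests by SLA status, the numbers a compliance dashboard shows."""
    counts = {}
    for req in requests:
        status = sla_status(req, today)
        counts[status] = counts.get(status, 0) + 1
    return counts


# Constructed sample data for a stand-alone run.
TODAY = date(2021, 3, 1)
SAMPLE_RECORDS = [
    Record("r1", "marketing_profile", date(2020, 1, 15)),   # past 365 days
    Record("r2", "marketing_profile", date(2020, 6, 1)),    # still within 365 days
    Record("r3", "support_ticket", date(2018, 12, 1)),      # past 730 days
    Record("r4", "transaction", date(2019, 1, 1)),          # well within 2555 days
    Record("r5", "legacy_export", date(2017, 5, 5)),        # no retention rule
]
SAMPLE_REQUESTS = [
    ConsumerRequest("q1", "delete", date(2021, 1, 1), True, date(2021, 2, 10)),
    ConsumerRequest("q2", "know", date(2020, 12, 1), True),
    ConsumerRequest("q3", "opt_out", date(2021, 2, 20), False),
    ConsumerRequest("q4", "know", date(2021, 2, 1), True),
]

if __name__ == "__main__":
    kept, purged, unclassified = purge_expired(SAMPLE_RECORDS, TODAY)
    print("purge:", [r.record_id for r in purged], "review:", [r.record_id for r in unclassified])
    print("SLA report:", sla_report(SAMPLE_REQUESTS, TODAY))
```

Run on the constructed data, the purge step deletes r1 and r3, keeps r2 and r4, and sends r5 for classification; the SLA report shows one request completed on time, one overdue, one awaiting identity verification, and one open. Wiring the same functions to a real record store and a ticketing queue is the integration work a platform such as OneTrust or Collibra does for you; the checks themselves do not change.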
Organizations need holistic solutions that automate CCPA requirements and can be extended to similar regulations.
Royal Cyber leverages partnerships with OneTrust and Collibra to deliver the following capabilities: