Implementing CCPA Compliance: 6 Best Practices

Written by Kapil Khadgi

ServiceNow Practice Head at Royal Cyber

California Consumer Privacy Act (CCPA) compliance strengthens data protection mechanisms and gives California residents more control over their personal information and over how organizations collect, store, and use it.

Data is more influential and valuable than ever. With companies increasingly collecting and using consumer data, governments are taking notice and establishing new regulations focused on data privacy and security. The CCPA, passed by the State of California, came into effect in January 2020, and its enforcement started in July 2020. CCPA is a California-specific law that applies to for-profit organizations conducting business in the state. The act follows in the footsteps of the European Union’s General Data Protection Regulation (GDPR), which sets out individuals’ data privacy rights.

Even though companies are trying to comply with CCPA, there is still a long way to go. A comprehensive solution that can help companies achieve compliance, boost the consumers’ confidence, and expand data-based research and products will ensure smooth implementation of CCPA.

CCPA Compliance: ServiceNow Governance, Risk, and Compliance

ServiceNow provides a comprehensive Governance, Risk, and Compliance (GRC) solution that helps companies address CCPA. GRC monitors the applications that interact with personal data and ensures that they meet California residents’ expectations and comply with the Act’s requirements.

The following are the capabilities of the ServiceNow GRC solution:

  1. Import all the CCPA requirements with descriptions and guidance separately or with the Unified Compliance Framework (UCF) integration. Map the CCPA requirements into the application with underlying controls needed for compliance checks using ServiceNow.
  2. Develop, amend, and align all existing policies such as data protection, security, knowledge base, and code of conduct policy to CCPA. Businesses can do policy management with the help of ServiceNow’s lifecycle management.
  3. Classify data such as location, IP address, biometrics, professional information, education, browsing history, and others as personal information. Assess this information and ensure that it doesn’t result in high risk for the citizens.
  4. ServiceNow’s Customer Service Management (CSM) and service portal allow consumers to access, download, or delete their personal information.
  5. Map personal data to configuration items in the ServiceNow Configuration Management Database (CMDB), relate controls, assess risks, run audits, and assure ownership of information assets.
  6. ServiceNow Vendor Risk Management (VRM) ensures that third-party vendors meet the privacy requirements and prevents commercial use of personal consumer data. VRM also helps identify and manage issues and actions to improve the GDPR compliance of vendors.

Best Practices for a Robust Compliance Solution

Implementing solutions and complying with CCPA requires organizations to follow best practices. Some of them are:

1. Understand data - At the beginning of your compliance journey, understand your data, comprehend its landscape, and identify personal information in applications and systems. The organization must ensure that it does not collect and store any personal information in its database. It must also ensure that data saved in the database cannot, when combined, identify an individual. Any personal information found must be categorized as sensitive and vetted by the legal or data privacy team.

2. Manage rights of consumers - The main objective of CCPA is to grant individuals the right to protect their data. Organizations must meet this objective by defining clear roles, responsibilities, and processes that satisfy consumer rights. Organizations must establish an automated approach to verify and validate personal information in order to protect consumer rights. They must also audit their records and track SLAs for consumer requests. Automated emails to consumers for confirmations, clarifications, SLA updates, and so on must be in place. A data repository or store that holds all personal information about consumers must be encrypted so that the data cannot be misused by anyone in the organization.

3. Manage vendors - Organizations that collect and sell personal data with vendors must establish processes to adhere to the CCPA requirements. It is essential to collect documents from the vendor during onboarding, capturing privacy notice disclosures and privacy regulatory compliance details. The vendor contract must list the circumstances under which the vendor will share the consumer’s personal information, the liability in case of a breach or violation, and the data security measures used to protect the data. Organizations must conduct regular audits and define a termination policy in case of a CCPA breach.

4. Archive and retain data - According to the CCPA, the consumer’s personal information must be archived and retained for a particular period. Once that period expires, the organization must delete the archived information from its systems. Organizations must set up a data archival and retention policy for the various data categories that decides when data is disposed of from the repositories. Businesses must also define rules and a RACI matrix to operationalize the data retention policy.

5. Training and monitoring - After implementing the solution, the organization’s staff must be trained on data privacy and CCPA requirements so that they can handle consumer queries well. Organizations must build training material for CCPA queries and standard operating procedures (SOPs) for rights fulfillment. They must also create flyers, emailers, and manuals to spread CCPA awareness among employees. Businesses must also establish an ongoing monitoring mechanism to ensure that CCPA compliance is in place and that employees adhere to the CCPA requirements. A Data Privacy Impact Assessment must be conducted periodically or whenever a new business process is adopted. A clearly defined RACI matrix and a validation and sign-off policy must be established for risk mitigation and acceptance by the compliance team.

6. Reporting to government authorities - CCPA imposes fines on organizations in case of a breach. Organizations must use reporting dashboards to track metrics and see which areas are not compliant. A breach monitoring mechanism helps track violations through a central dashboard. Businesses will also be able to foresee risks and issues that may arise, track their progress, and mitigate them with mitigation strategies or control measures.

Are you CCPA Compliant?

With an increase in the number of regulatory requirements and complexity around them, organizations find it challenging to comply fully with CCPA. Organizations need holistic solutions that can automate the CCPA compliance process. Royal Cyber uses the NOW platform’s capabilities to prepare organizations for the future and navigate a minefield of possible risks with the help of customized solutions designed specifically for clients worldwide.

Royal Cyber has also partnered with OneTrust, which provides free tools to automate CCPA compliance programs. Our team can complete the ServiceNow and OneTrust integration in 1-2 days, enabling organizations to identify where customers’ data is kept and used. The integration streamlines the organization’s ability to engage with and respond quickly to consumer requests regarding cookie compliance, preference management, and policy management. If you are looking to implement CCPA in your organization, connect with us at [email protected]