4 Steps To Staying CCPA Compliant

By Stephen Cavey, Co-Founder and Chief Evangelist, Ground Labs

When GDPR took effect on May 25, 2018, the potential fines were so high that many companies questioned whether they would ever be enforced. It wasn't until last year, when the Information Commissioner's Office announced a £183M (about $230M) fine against British Airways over its 2018 data breach, that organizations realized these fines were meant seriously. The California Consumer Privacy Act (CCPA), which took effect on January 1, 2020, sets a new standard for consumer privacy rights at the U.S. state level, and this time the fines are being taken seriously from day one.

While the CCPA has been in effect since January, the California Attorney General could only begin enforcement, and collecting penalties, from July 1, 2020. This six-month grace period was established to give organizations time to prepare, to comply with the law as written, and to avoid regulatory penalties and legal action. Unlike GDPR, where a fine is scaled to the severity of the infringement, CCPA penalties are assessed per violation: non-compliant companies can be fined up to $2,500 for each unintentional violation, rising to $7,500 for each violation proven to be intentional. Separately, the CCPA gives consumers a private right of action when their personal information is exposed in a breach caused by a failure to maintain reasonable security, with statutory damages of $100 to $750 per consumer per incident. Even at $2,500, the total can grow astronomically, because there is no cap on the number of violations that a single data breach affecting hundreds or thousands of consumers can produce.

Whether an organization already adheres to the CCPA or is scrambling now that the enforcement date has passed, here are four steps to streamline compliance efforts and ensure the organization is well positioned to handle any new regulations:

1. Conduct regular data audits

By mapping out where all Personally Identifiable Information (PII) lives within an organization, compliance officers can know with confidence where the data resides, who has access to it and what it is being used for. This exercise should be repeated regularly to maintain compliance and protection from malicious actors. It also reveals which data flows exist and why sensitive data ended up where it did, which in turn drives positive changes in how data is managed and communicated internally, so that sensitive data is kept only where it belongs. To achieve this, scan the entire organization, not just the places where you think data is kept: PII turns up in exports, backups, shared drives and log files far more often than in the systems designed to hold it.
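As an added illustration of what the audit step actually does at the file level (example code written for this page, not Ground Labs' product or any vendor's scanner), the Python below walks a directory tree and flags likely U.S. SSNs, payment card numbers and e-mail addresses. The detection patterns, the size limit and the sample files it creates are all assumptions constructed for the example. Two details matter in practice and are shown here: card numbers are validated with the Luhn checksum so that arbitrary 16-digit strings (order numbers, timestamps) are not reported, and the report masks every hit so that the audit output does not itself become a new copy of the PII it was looking for.

```python
"""Minimal PII discovery scan: walk a directory tree, flag likely SSNs, payment
card numbers (Luhn-validated) and e-mail addresses, and report masked hits.
Added illustration for the data-audit step; not Ground Labs code."""
import os
import re
import tempfile
from typing import Dict, List, Tuple

# Detection patterns (assumed for this example). The card pattern is broad on
# purpose: the Luhn checksum below is what filters out arbitrary digit runs.
PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "email": re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b"),
    # SSN area 000/666/900-999, group 00 and serial 0000 are never issued.
    "us_ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "card": re.compile(r"\b(?:\d[ -]?){12,18}\d\b"),  # 13-19 digits, optional separators
}

Finding = Tuple[int, str, str]  # (line number, kind, masked value)


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn mod-10 checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right, fold >9 back to one digit
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Keep only the last four characters so the audit report is not itself a PII store."""
    return "*" * max(0, len(value) - 4) + value[-4:]


def scan_text(text: str) -> List[Finding]:
    """Return every validated hit in `text`, one tuple per match, in line order."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pat in PATTERNS.items():
            for m in pat.finditer(line):
                value = m.group(0)
                if kind == "card":
                    value = re.sub(r"[ -]", "", value)
                    if not luhn_ok(value):  # digit run that is not a real card number
                        continue
                findings.append((lineno, kind, mask(value)))
    return findings


def scan_tree(root: str, max_bytes: int = 5_000_000) -> Dict[str, List[Finding]]:
    """Walk `root` and scan every regular file. Oversized, unreadable or non-UTF-8
    (binary) files are skipped rather than aborting the audit. Returns {path: findings}
    for files with at least one hit."""
    report: Dict[str, List[Finding]] = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > max_bytes:
                    continue
                with open(path, "r", encoding="utf-8", errors="strict") as fh:
                    text = fh.read()
            except (OSError, UnicodeDecodeError):
                continue
            hits = scan_text(text)
            if hits:
                report[path] = hits
    return report


def summarize(report: Dict[str, List[Finding]]) -> Dict[str, int]:
    """Count hits per PII kind across the whole report."""
    counts: Dict[str, int] = {}
    for hits in report.values():
        for _, kind, _ in hits:
            counts[kind] = counts.get(kind, 0) + 1
    return counts


def demo() -> Dict[str, int]:
    """Build a throwaway tree of constructed sample files, scan it, return the summary."""
    root = tempfile.mkdtemp(prefix="ccpa-audit-")
    samples = {  # constructed test data, not real records
        "hr/export.csv": b"name,ssn\nAlice,123-45-6789\nBob,987-65-4321\n",  # 987 area is invalid
        "finance/notes.txt": b"refund to card 4111 1111 1111 1111\nticket 1234 5678 9012 3456\n",
        "marketing/list.txt": b"alice@example.com\nbob@example.org\n",
        "build/app.bin": b"\xff\xfe\x00 not text",  # skipped as binary
    }
    for rel, data in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    report = scan_tree(root)
    for path, hits in sorted(report.items()):
        for lineno, kind, masked in hits:
            print(f"{os.path.relpath(path, root)}:{lineno}: {kind} {masked}")
    return summarize(report)


if __name__ == "__main__":
    print(demo())
```

Run against a real share or export directory, the per-file report is the "where does it live" map the step describes; the summary counts are what a compliance officer would track between audits. A production scan would add more data types, archive and document formats, and access-control metadata (owner, ACLs) per hit, but the structure stays the same.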

2.  Communicate key rights of all customers (related to their personal information)

An important step that many organizations overlook is ensuring that the entire organization, not just the sales and marketing team, understands a customer's rights when it comes to their personal data, so that everyone handling it can comply with the CCPA. These rights include:

  • The right to know what personal information is being collected, used, shared or sold, both as to the categories and specific pieces of personal information.
  • The right to delete personal information held by businesses and by extension, a business's service provider.
  • The right to opt-out of the sale of personal information.
  • The right to non-discrimination in terms of price or service when a consumer exercises a privacy right under CCPA.

3.  Create business strategies and internal processes

While it may seem overwhelming as organizations begin to ensure CCPA compliance, it's critical that they prioritize business strategies and internal processes to address the following business obligations outlined by the CCPA: 
  • Organizations must provide notice to consumers at or before data collection.
  • Organizations must create procedures to respond to requests from consumers to opt-out, know and delete. (For requests to opt-out, businesses must provide a "Do not sell my personal information" link on their website or mobile app).
  • Organizations must verify the identity of consumers who make requests to know and to delete personal information, whether or not the consumer maintains a password-protected account.
  • Organizations must disclose any financial incentives offered in exchange for the retention or sale of consumers' personal information.
  • Organizations must maintain records of requests and how they responded to them for 24 months in order to demonstrate compliance.

4.  Appoint a leader to drive the effort

If the organization does not already have someone in place, appoint a compliance officer to lead the effort, even if the role is performed in a virtual capacity. This person's goal should be to drive compliance as part of the ongoing data lifecycle, not as a one-off project. To scale the effort, leverage internal training tools where they exist, such as an existing e-learning platform. This creates internal ownership and structure going forward, helping to alleviate the many pain points that compliance can bring.

With the stakes high and the room for error narrowing, these new data laws may seem daunting at first glance, but the most important thing to understand is that compliance is a journey. To succeed, it is crucial to build CCPA compliance into the overall company policies and goals. This means putting the proper processes, people, IT infrastructure and technology in place to support a changing landscape. CCPA compliance doesn't happen overnight, but when the right steps are taken the journey becomes both manageable and achievable, and it can have a positive impact on an organization's processes, balance sheet, reputation and risk posture.


About the Author

Stephen Cavey, Co-Founder and Chief Evangelist at Ground Labs


Stephen Cavey is a co-founder of Ground Labs, leading a global team empowering its customers to discover, identify and secure sensitive data across their organizations. As the Chief Evangelist, he leads its worldwide product development, sales and marketing and business operations and was instrumental in extending Ground Labs' presence with enterprise customers. Stephen has deep security domain expertise with a focus on electronic payments and data security compliance. He is a frequent speaker at industry events on topics related to data security, risk mitigation and cybersecurity trends and futures. He started Ground Labs after holding engineering and leadership positions at Paycorp Holdings (now part of MYOB), a provider of integrated electronic payments solutions and Webpay, a payment services provider later acquired by Fidelity.

Published Thursday, July 09, 2020 10:22 AM by David Marshall