By Stephen Cavey, Co-Founder and Chief
Evangelist, Ground Labs
When GDPR rolled out on May 25, 2018, the fines were so high that many companies
questioned whether they would even be enforced. It wasn't until this last year,
when the Information Commissioner's Office fined British Airways $230M as a result
of its 2018 data breach, that organizations realized these fines were taken very
seriously. The California Consumer Privacy Act (CCPA), which went into effect on
January 1, 2020, raised a new standard for consumer privacy rights at the U.S.
state level, and this time the fines are being taken seriously from day one.
While the CCPA has been in effect since January, the California Attorney General
can only begin enforcement and collecting fines from July 1, 2020. This six-month
grace period was established to let organizations prepare and ensure they are
doing their best to comply with the data laws as written, avoid regulatory fines
and prevent legal action. Unlike GDPR, which imposes fines based on the degree of
a violation, the CCPA allows individuals to pursue legal action against companies
for their infractions. Non-compliant companies could be fined up to $2,500 for
each non-intentional violation under the CCPA, rising to $7,500 if it's proven to
be intentional. Even at $2,500, this amount can grow astronomically because there
is no cap on the total number of violations that could result from a single data
breach impacting hundreds or thousands of consumers.
Whether an organization already adheres to the CCPA regulations or is scrambling
now that the enforcement date has passed, here are four important steps to help
streamline compliance efforts and ensure an organization is best positioned to
handle any new regulations:
1. Conduct regular data audits
By mapping out where all Personally Identifiable Information (PII) lives within
an organization, compliance officers can have full confidence in where the data
lives, who has access to it and what it's being used for. This exercise should be
done regularly to ensure continued compliance and protection from malicious
actors. It can also act as a way to learn what data flows exist and why sensitive
data ended up where it did. This can drive positive changes to how data is
managed and how it is communicated internally, ultimately ensuring sensitive data
is kept only where it should reside. To achieve this, you need to scan the entire
organization, not just where you think data is kept.
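As an added illustration of the organization-wide discovery scan this step calls for (example code written for this article, not Ground Labs' software), the following Python walks a whole directory tree and reports which files contain PII-like values, using a Luhn check so that arbitrary digit runs are not reported as card numbers. The sample files it scans are constructed.

```python
import os
import re
import tempfile

# Patterns for a few common PII types; the loose card pattern is tightened by Luhn below.
PII_PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "us_ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "card_number": re.compile(r"\b(?:\d[ -]?){13,19}\b"),
}

def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn checksum used by payment cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def scan_text(text: str) -> dict:
    """Count PII matches per type in one document."""
    hits = {}
    for name, pattern in PII_PATTERNS.items():
        for m in pattern.finditer(text):
            if name == "card_number" and not luhn_valid(re.sub(r"[ -]", "", m.group())):
                continue  # digit run that is not a real card number
            hits[name] = hits.get(name, 0) + 1
    return hits

def scan_tree(root: str) -> dict:
    """Walk every file under root, not just the folders data is expected in."""
    results = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            with open(path, encoding="utf-8", errors="ignore") as fh:
                hits = scan_text(fh.read())
            if hits:  # record where the data lives and what kind it is
                results[os.path.relpath(path, root).replace(os.sep, "/")] = hits
    return results

def demo() -> dict:
    """Constructed sample: a CRM export where PII is expected, plus a stray debug log."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "crm"))
    os.makedirs(os.path.join(root, "tmp", "old_logs"))
    with open(os.path.join(root, "crm", "export.csv"), "w") as f:
        f.write("jane@example.com,123-45-6789\n")
    with open(os.path.join(root, "tmp", "old_logs", "debug.log"), "w") as f:
        f.write("card=4111 1111 1111 1111 ok; card=1234 5678 9012 3456 declined\n")
    return scan_tree(root)
```

The stray log under tmp/ is exactly the kind of location a scan limited to "where we think data is kept" would miss.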
2. Communicate key rights of all customers (related to their PII data)
An important step that many organizations overlook is ensuring that the entire
organization, not just the sales and marketing team, understands a customer's
rights when it comes to their personal data, so they're able to comply
appropriately with the CCPA. These rights include:
- The right to know what personal information is being collected,
used, shared or sold, both as to the categories and specific pieces of personal
information.
- The right to delete personal information held by businesses and by
extension, a business's service provider.
- The right to opt-out of the sale of personal information.
- The right to non-discrimination in terms of price or service when a
consumer exercises a privacy right under CCPA.
3. Create business strategies and internal processes
While it may seem overwhelming as organizations begin to work toward CCPA
compliance, it's critical that they prioritize business strategies and internal
processes to address the following business obligations outlined by the CCPA:
- Organizations must provide notice to consumers at or before data
collection.
- Organizations must create procedures to respond to requests from
consumers to opt-out, know and delete. (For requests to opt-out, businesses
must provide a "Do not sell my personal information" link on their website or
mobile app).
- Organizations must verify the identity of consumers who make
requests to know and to delete personal information, whether or not the
consumer maintains a password-protected account.
- Organizations must disclose financial incentives offered in exchange for the
retention or sale of consumers' PII data.
- Organizations must maintain records of requests and how they
responded for 24 months in order to demonstrate their compliance.
4. Appoint a leader to drive the effort
If the organization does not already have someone in place, appoint a compliance
officer to lead efforts - even if performed in a virtual capacity. This person's
goal should be to drive compliance as part of the ongoing data lifecycle and not
as a single one-off project. To scale appropriately, make sure to leverage
internal training tools where they exist, such as existing e-learning. This will
create internal management and structure moving forward, helping to alleviate
the many pain points that compliance can bring.
With the stakes high and the room for error narrowing, these new data laws may
seem daunting and overwhelming at first glance, but the most important thing to
understand is that compliance is a journey. To succeed, it's crucial to build
CCPA compliance into the overall company policies and goals. This means putting
the proper processes, people, IT infrastructure and technology in place to
support this changing landscape. While CCPA compliance doesn't happen overnight,
when the right steps are taken the compliance journey can become both manageable
and achievable. Gaining compliance can make a positive impact on an
organization's processes, balance sheet, reputation and risk mitigation.
## About the Author
Stephen Cavey, Co-Founder and Chief
Evangelist at Ground Labs
Stephen Cavey is a co-founder of Ground Labs, leading a global team empowering
its customers to discover, identify and secure sensitive data across their
organizations. As the Chief Evangelist, he leads its worldwide product
development, sales and marketing, and business operations, and was instrumental
in extending Ground Labs' presence with enterprise customers. Stephen has deep
security domain expertise with a focus on electronic payments and data security
compliance. He is a frequent speaker at industry events on topics related to
data security, risk mitigation and cybersecurity trends and futures. He started
Ground Labs after holding engineering and leadership positions at Paycorp
Holdings (now part of MYOB), a provider of integrated electronic payments
solutions, and Webpay, a payment services provider later acquired by Fidelity.