With the California Consumer Privacy Act (CCPA) now in force, some businesses may find themselves treating the mandate as merely a checkbox — tick it off on your list and hope for the best. After all, the pandemic has forced IT executives at many organizations to shift their focus from data privacy to urgent issues like supporting remote work and protecting IT assets from increasing external threats. However, ready or not, enforcement is here, and if CCPA requirements are not followed strictly enough, the price can be extremely high.
The nature of checkbox compliance
Checkbox compliance means treating data protection requirements from a legal perspective only, as a number of requirements you need to mark as “done.” Such an attitude leads to having merely paper policies that are created to demonstrate formal compliance to auditors, instead of changing processes to enhance data protection. These organizations may buy a compliance tool marketed using the keyword “CCPA,” but it turns out to be like a fire extinguisher — you installed it because you had to, but you have no idea how to actually use it.
In reality, organizations cannot just buy a tool, kick back and wait for auditors’ mercy. Nevertheless, it’s not unexpected that the CCPA turned into a checkbox for many businesses. First, there is a severe lack of clarity in the law itself. It was drafted so quickly and so many edits have been made that the law has been literally shifting under our feet, complicating preparation. Second, most businesses do not have any standard frameworks for assigning roles and establishing procedures around data privacy, because it has never been much of a concern before. Finally, customer data is often scattered across increasingly complex IT environments, so businesses often have lost control over this data. With the pandemic causing additional business upheaval and overshadowing privacy issues, it is not surprising that the CCPA is not warmly welcomed.
However, regulators — and, more importantly, consumers — now expect that personal data will be treated with respect. This makes it necessary to embed privacy requirements into everyday processes. Regulators demand that compliance efforts be an integral part of an organization’s business routines and culture, not just a formal rule stated in a security policy buried in a drawer somewhere.
How to comply “out of the box”
To go beyond checklists and turn CCPA compliance into a cost-efficient and continuous process, I recommend that organizations adopt the following best practices:
Choose a privacy framework as a foundation. Frameworks help professionals structure their understanding of the problem. The NIST Privacy Framework is considered to be one of the most effective ones for CCPA compliance. It improves visibility into the key aspects of privacy management so you can be more prepared to create and negotiate your compliance strategy with the legal team and other business stakeholders. More importantly, it was created in alignment with the NIST Cybersecurity Framework and its cybersecurity controls, so you can easily integrate your existing security workflows for privacy matters instead of investing resources into duplicate effort or thoughtless acquisition of compliance solutions.
Eliminate disconnects between stakeholders. Disconnects between the legal department, security teams and executive leadership can lead to serious gaps in your compliance posture and non-compliance penalties. To build an effective compliance strategy, it is important to define roles and responsibilities clearly and work as a team.
Identify what data you store. To ensure that regulated data is properly secured, security and compliance teams have to know what types of data the organization collects, stores and processes and where that data resides. This is not a one-time effort but a continuous one, since data is constantly being added, modified and deleted, and classification categories and criteria can change over time as well. Solutions that automate data discovery and classification are invaluable for helping you stay aware of what needs protection.
Limit the number of users that have access to sensitive information. To mitigate risks to data protected by the CCPA, IT professionals should make sure that access rights are granted strictly on a need-to-know basis and only through group membership.
Create a culture of working with personal data properly. It is also critical to ensure that all employees with legitimate access to consumer data actually understand how critical it is and how to handle it correctly. To that end, organizations have to conduct effective employee cybersecurity awareness training. Rather than settling for “one size fits all” training, security teams should focus on the specific data protection procedures and policies relevant to employees’ roles and responsibilities. This requires extra effort, but brings much more value.
Prioritize visibility into what is happening around regulated data. To move compliance beyond the checkbox, organizations are also advised to adopt continuous cybersecurity monitoring. This helps them see what is happening around regulated data and detect potentially harmful activity before it results in a data breach that entails compliance failure. Continuous visibility also enables the business to ensure that it is functionally secure throughout the year — not just during the compliance assessment.
Automate evidence collection and data subject access requests (DSARs). To achieve CCPA compliance without breaking the bank and overwhelming IT teams, it is essential to automate time-consuming tasks with a dedicated solution. In particular, automating collection of the audit trail across the IT infrastructure will help organizations provide auditors with hard evidence that they started protecting regulated data when the CCPA took effect. Automation will also minimize the risk of errors, which is of vital importance for successful audits. Second, satisfying DSARs can be prohibitively costly, so I recommend investing in a solution that automates data discovery and enables you to complete data searches quickly.
In the coming months and years, we should expect more states to adopt privacy laws. The resulting patchwork of different regulations will likely echo the GDPR scenario and eventually stimulate adoption of a federal data privacy standard in the U.S. Indeed, several different bills have already been proposed at the national level, but with other pressing issues at hand and multiple interest groups involved, it is unlikely we will see a regulation passed in the near future. Thus, the legal landscape might be changing drastically throughout next few years.
The best way to get ready is to adopt best practices for handling data with privacy in mind at each stage of the data lifecycle. These security best practices include ongoing IT risk assessment, regular auditing, and ensuring profound visibility into data repositories and user activity.