January is almost here, and with it come the new year, new resolutions and new goals to chase. Also arriving as soon as 2020 begins is the California Consumer Privacy Act (CCPA), the much-discussed legislation designed to improve privacy rights and consumer protection for California residents.
If you’ve never heard of the CCPA, it’s basically a set of data privacy regulations that gives people living in the Golden State the right to know what personal data companies are collecting about them; the right to know whether their personal data is sold or disclosed, and to whom; the ability to object to the sale of their data; access to their personal data; and the power to request that a business delete any personal information it has collected about them.
Whether or not CCPA will accomplish what it’s intended to do is anybody’s guess at this stage. Likewise, how CCPA will affect enterprises in both the near and the long term remains to be seen. Regardless of how things play out, the law is the law, and there are some immediate challenges enterprises face on the path to CCPA compliance, especially on the technology front.
One of the first things companies want to know about CCPA is which rules are the most critical to watch out for. Given what we know, the main rules companies ought to focus on are responding to Subject Rights Requests (SRRs) promptly and accurately, and enabling California consumers to easily opt out and invoke their right to be forgotten by the companies that hold their data. The rest of CCPA essentially serves these two main rules.
Unlike other data privacy regulations such as GDPR, which has no specific provision for consumer suits, CCPA makes it easy for a consumer to take punitive action directly against any non-compliant organization, rather than enriching a third-party entity or governing body; with very little effort, and using social media, consumers can go after non-compliant organizations to receive a payout for the mismanagement of their information.
Because of this, companies are potentially facing a mountain of SRRs. Further complicating matters, many organizations still use a manual, systems-based approach to managing compliance, which is complex and time consuming and offers little insight into their known and unknown data. If a company doesn’t know what data it has, or where that data resides or moves, it’s impossible to comply with CCPA. The result is a vicious cycle of opportunistic SRRs that can keep an enterprise from attending to its core activities and bring business to a halt.
For companies, keeping up with ever-increasing demands from SRRs can be a huge burden on operational resources. Beyond responding to the SRRs themselves, tremendous effort is required to discover personal data within a company’s network. Classifying the data that has been found, and accurately linking the different sources of personal data to the same person, is also arduous and must be streamlined.
It’s for this reason that a company’s technology approach to CCPA compliance must include an automated, accurate and scalable solution built to respond to an unlimited number of SRRs while requiring minimal operational overhead. Additionally, the technology in place must be able to find all repositories of personal data, structured or unstructured, and must do so continuously, including repositories that have not yet been inventoried. Again, if you don’t know what you don’t know about the data in your organization, you can’t comply.
Just as enterprises should be concerned about the technology needed to keep up with ever-increasing demands from SRRs, they must have the technology in place to fulfil consumers’ right to be forgotten. The only way to truly address this is through a technology approach that automatically produces a list of every location in which a subject’s personal data can be found, enabling the enterprise to efficiently remove the relevant data from each of those locations. This sounds simple until you imagine how many copies of one person’s data can exist throughout an organization’s network.
This is why enterprises must have a data mapping process in place, covering systems, processes, data stores and more, in order to show CCPA compliance. Understanding the flow of data throughout the enterprise, its business use, and where it is shared is required by CCPA, and it is a standard component of an enterprise security policy. Without visibility into an organization’s network traffic, it is difficult to create these data maps, and doing so manually is not easy, never mind maintaining them. Your CCPA solution should be able to examine network traffic in real time and map the actual flow of data through the network, which also better equips your company to handle SRRs and right-to-be-forgotten requests.
At the very least, organizations need to know everything about the personal data of California residents that they hold. If they haven’t already, organizations should start getting rid of personal data for which they have no reasonable business use. They also need to locate every undocumented data repository (think DevOps and shadow IT), as well as every copy of personal data wherever it resides. Establishing mechanisms to verify the identity of the data subject making a request should also be a priority. One more thing: have a happy New Year.
UPDATE: This article has been updated to clarify the provisions for consumer suits under the CCPA.