January 1, 2020, marked the effective date for the long-awaited California Consumer Privacy Act (CCPA). However, if you’re like most of the companies affected by this groundbreaking privacy compliance mandate—which, according to a December 2019 survey, represented anywhere from 90% to 99% of companies out there—you may not feel as though you’re ready to respond.
Protecting the world’s fifth-largest economy, the CCPA represents new obligations for any company doing business with residents of California. It applies not only to governing personal data with privacy controls, but also establishes new data governance best practices for greater data transparency which apply inside and outside your organization, as these new consumer rights are granted and exercised.
The CCPA will probably get a lot more attention during Data Privacy Day this year (which will be observed this year on January 28 in the United States, Canada, Israel, and 47 European countries). After all, Data Privacy Day’s original purpose was to raise awareness and promote privacy and data protection best practices. With the GDPR in place since 2018 and the CCPA now in force, it is sure to bring discussions and questions on enterprise readiness that Chief Privacy Officers, CISOs, and others with a privacy charter will need to have clear answers on to demonstrate the organization’s response.
CPOs, DPOs, CISOs and others must consider a number of risk exposure concerns when they’re discussing CCPA readiness. If you’re part of the 5% of the companies that are ahead of the curve and can answer questions about your CCPA readiness with authority—congratulations!
Or, more likely, a check is needed to identify risks and gaps in your controls that will need remediation. Either way, it’s worth a review to see what applies to your organization with the CCPA now in effect.
Organizations are often between a rock and a hard place when the options are either to be proactive about managing privacy risks or live with a higher possibility of privacy violations resulting in fines, reputation damage, and other consequences.
However, there is a silver lining in getting started sooner rather than later—the data privacy governance controls you put in place today can enable the scalability to grow as requirements evolve with the flexibility to incorporate variations in requirements as privacy compliance becomes a global concern.
Vendors such as Informatica can offer implementation blueprints to address your compliance journey, based on your needs and maturity level, whether starting with policy definition, enhancing risk assessment and remediation, or archiving data to minimize opportunity for abuse. Informatica’s Data Privacy Governance framework offers a prescriptive yet flexible approach to starting you on a right path, including the following steps:
- Defining and managing governance policies
- Discovering, classifying and understanding personal and sensitive data
- Mapping identities to data owners
- Analyzing data risk and establishing protection plans
- Remediating risk with data protection, and managing subject rights and consents, and
- Measuring and communicating audit readiness
Progressive companies are already taking a common denominator approach by designing privacy programs according to the most stringent guidelines so that one size can fit most situations, then adjust for exception cases when needed.
For example, if data subject access requests (DSARs) under the GDPR allow for a 30-day response time for fulfilling requests, while the CCPA allows for 45 days, organizations have nothing to lose in targeting their service level to an under-30-day response time. This can simplify the approach and allow exceptions to be handled as needed based on region, application, or other unique scenarios. The upside is your attention to best practices can become a competitive differentiator and demonstrate to your customers your high trust assurance.
Informatica, having helped organizations meet their privacy compliance readiness for the EU’s General Data Protection Regulation (GDPR), and similar mandates in the past, offers its Intelligent Data Management platform to accelerate organizations to get ready and get ahead of regulations. We’ve enabled organizations to apply data privacy governance best practices to put risks in the rearview mirror as data management experts. And the good news is the CCPA shares many fundamental similarities to other recent privacy requirements—a foundation laid today for data privacy governance can help scale your privacy journey as regulations continue to evolve.