Here’s what a CIO can do to prepare for compliance with the new California law governing how personal consumer information is handled.

On Jan. 1, 2020, the California Consumer Privacy Act (CCPA) went into effect, placing a new compliance burden on companies for the way they gather, store and disseminate information.

Passed to provide more power to consumers to protect their identity, the CCPA provides a mechanism for California residents to identify what data is being collected from them, learn how it is stored and shared, and request it to be deleted.

The act also places requirements on businesses to make changes to their compliance policies to support these new consumer rights. For this reason, it is imperative that CIOs familiarize themselves with CCPA, identify which section of the law applies to them and determine how to prepare for and stay in compliance.

How CIOs Can Prepare
It is crucial for CIOs to carefully analyze how this new law will impact their business, examine the requirements of the law and penalties for violations, and evaluate their company’s readiness for compliance and strategy for minimizing risk.

Specifically, a business that collects consumer information is required to:

  • Inform consumers about what personal information is collected.
  • Inform consumers about how their personal information will be used.
  • Identify the categories of personal information the company has collected.
  • Identify the categories of sources where the information is collected.
  • Disclose the purpose of collecting a consumer’s personal information.
  • Disclose the categories of third parties with whom the information is shared.
  • Identify the specific pieces of personal information collected from consumers.

CIOs must be proactive in identifying what part of the law relates to their business and determine how each component applies to daily operations.

Here are some points to consider when preparing for compliance with the CCPA.

Determine If Your Business Is Required to Be Compliant With CCPA
The first action you should take is to determine whether the law applies to your business and whether you need to be compliant. This determination could be a challenge if you do not have the right data.

In particular, CIOs find it hard to determine what categories of information their company collects and how that personal information is processed and used.

Businesses can determine if they fall under the auspices of the law by asking the following questions:

  • Do you conduct business in California?
  • Do you collect any California resident’s personal information, or does someone else collect that information on your behalf?
  • Do you generate annual gross revenue above $25 million?
  • Do you annually buy, sell, receive for commercial purposes or share for commercial purposes the personal information of 50,000 or more California consumers aged 16 or over?
  • Do you alone, or jointly with another entity, determine the purposes and means of processing consumers’ personal information?

If you answered in the affirmative to some of these questions, then you will need to develop a strategy for determining just how much data you collect and whether it is applicable to the law.

To make this determination, a company typically performs a data mapping analysis along with a Data Protection Impact Assessment (DPIA) to determine how much data the organization collects and how it uses that information.

The information gleaned from the DPIA provides insight and assists in understanding how to go about meeting compliance requirements.

Understand and Define the Information Flow
Here are some tips for dissecting the data and determining the level of compliance required of your business.

Follow the information flow into the company and identify the lifecycle of that information to minimize what data needs to be collected. This process includes identifying how data arrives from inside California and moves out of state, or if it is gathered from or shared with outside suppliers or vendors.

Also identify how information is transferred internally or externally and if that information flow is governed by your company’s security procedures.

Finally, all people with access to personal information must be trained on their requirements under the law.

Break Down the Information
First, identify the type of data being collected in your data mapping analysis and examine what category it falls into. Identify which employees come in contact with personal data, how the data is stored and the security of where it is stored. Identify the transfer methods for the data and how the data was collected from the consumer. Identify the information flow internally within the organization and who is responsible for that information at each stage and their access level.

Design and Implement Security Controls
Once the data flow is identified and defined through the DPIA analysis, implement appropriate policies and procedures to control how personal information is handled and who has access to that data.

A company can also put in place various encryption techniques for personal information that shield certain data from being viewed by unauthorized individuals or from being compromised through a database breach. These can be applied so that, no matter how the data travels through the company and in whatever format, controls are in place to keep it secure and protected.

Understanding Your Obligations Under CCPA
Once you identify that your business falls under the CCPA’s data collection requirements, it is critical to understand your company’s obligations under the law.

Study up on consumer rights and the protections provided under the law. Develop a compliance strategy for your organization that provides a pathway for becoming compliant. Since the law does not currently have a regulatory body responsible for compliance oversight, it is the responsibility of your organization to determine which requirements apply, which policies need to be in place to ensure proper security protocols and that authorized employees are handling consumer data appropriately.

After going through these compliance check procedures, the CIO should have a fairly strong understanding of how data is processed, how the business uses that personal information, the information lifecycle, who administers the data and the risks that come with noncompliance.

You can now use this information to develop a well-defined CCPA compliance strategy and identify all the risks and roadblocks that could hinder compliance and expose the company to violations.

Moving the Process Forward
Now that you have a better understanding of how to determine whether CCPA applies to your organization, it is important to have a well-constructed plan for implementing compliance.

Here are some additional steps to consider when developing a comprehensive compliance plan:

  • Create a privacy model and plan for taking steps to meet CCPA compliance requirements.
  • Update policies and procedures to include CCPA’s requirements with specific attention to California consumer rights. This includes opt-in/opt-out rights pages on all websites your organization controls.
  • Create external procedures that allow consumers to opt out of data collection, along with internal procedures for how to handle consumer requests.
  • Create toll-free phone numbers and email addresses specifically to cater to consumers who wish to request removal or deletion of personal information.
  • Create strong security measures to protect and safeguard consumers’ personal information and access mechanisms to control the authorized use of data.
  • Create processes that enable your company to reply to consumer requests within the required 45-day timeframe.
  • Create processes to inform third-party partners of any consumer data requests that are made of your company.
  • Develop policies and procedures to handle any unexpected incidents, such as a data breach, that define how the company mitigates damages.
  • Train your employees to understand CCPA requirements and explain how your organization informs consumers of their rights under the law.

While the CCPA is California’s version of a data privacy law, many countries and states have begun revising existing privacy laws or creating new laws that govern how personal consumer information is gathered and disseminated.

With data security breaches becoming more prevalent around the world, more emphasis is being placed on developing strong regulatory rules on the handling of consumer information. While CCPA does not apply nationwide, 11 other states proposed similar regulation for the 2019/2020 legislative sessions. Regardless of the immediate necessity of following regulation, it is critical for CIOs to understand these new laws and take proactive steps toward developing internal processes to ensure compliance.