The California Consumer Privacy Act (CCPA) was enacted in 2018 in response to the numerous data breaches at large technology companies that stemmed from poorly defined access controls and weak privacy management. Modeled on the European Union (EU) General Data Protection Regulation (GDPR), the new regulation gives users more control over their data. Companies that collect data on California residents must disclose how that data is collected and give users the ability to request, delete, or protect their personal data.
Step 1
Designate an individual or team to be in charge of data privacy and security. This person can be either a chief privacy officer, data privacy officer, or chief data officer.
Step 2
Perform a data inventory so you have an auditable record of your data flows across the enterprise, like a data roadmap. Companies that already did this exercise for EU resident data should be in a good position to know where their California data is. Even those that did not run a global program may find that their existing inventory gives some sense of where that data might be.
Step 3
Do a risk assessment of the data flows identified in the inventory and measure your data practices against the legal requirements. Many organizations are not aware of what data they own, the scope of that data, or where it is located. If you have good insight into and understanding of your data, it will be much easier to get a sense of the impact in the context of CCPA.
Step 4
Conduct a high-risk processing assessment for information pertaining to financial, healthcare, or children's records. Tools like Delphix can help businesses pinpoint items such as names, email addresses, SSNs, and IP addresses and provide an enterprise-wide view of exposure to CCPA. The platform can quickly deliver data copies for dev/test, analytics, reporting, support, and other use cases and then serve as a single point of control for governing those copies. This gives businesses greater authority to define controls that determine who has access to what data, where, and when, allowing companies to easily create and enforce data governance policies around CCPA compliance.
Step 5
Mitigate the risk(s) identified in Steps 3 and 4 through governance, technical controls, policies, and procedures, as well as vendor management. Non-production environments (i.e., dev, test, and reporting) can contain as much as 90 percent of the data that is in scope for the CCPA; masking sensitive information in those environments brings them into compliance with respect to the regulation.
By irreversibly masking personally identifiable information, the data becomes de-identified and is no longer considered personal information under CCPA or GDPR.
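As an added illustration of the masking step (example code written for this article, not a Delphix feature), the function below masks name, email, SSN, and IP fields in a constructed non-production customer table with a keyed one-way hash. The same real value always maps to the same masked value, so joins and test cases keep working, but the masking key is generated for the run and discarded, so the originals cannot be recovered from the copy. The field names, the sample rows, and the `@masked.invalid` domain are all constructed for this example.

```python
import hashlib
import hmac
import secrets

# Constructed sample rows: a non-production copy of a customer table (fictional data).
CUSTOMERS = [
    {"id": 1, "name": "Jane Doe", "email": "jane.doe@example.com", "ssn": "123-45-6789", "ip": "203.0.113.7"},
    {"id": 2, "name": "John Roe", "email": "john.roe@example.com", "ssn": "987-65-4321", "ip": "203.0.113.7"},
    {"id": 3, "name": "Jane Doe", "email": "jane.doe@example.com", "ssn": "123-45-6789", "ip": "198.51.100.2"},
]

SENSITIVE_FIELDS = ("name", "email", "ssn", "ip")


def _digest(key: bytes, field: str, value: str) -> bytes:
    # Keyed hash over field name + value: deterministic within one masking run
    # (referential integrity survives), unrecoverable without the key.
    return hmac.new(key, f"{field}:{value}".encode(), hashlib.sha256).digest()


def mask_value(key: bytes, field: str, value: str) -> str:
    """Return a format-preserving, irreversible mask for one field value."""
    d = _digest(key, field, value)
    n = int.from_bytes(d[:8], "big")
    if field == "ssn":
        # Keep the NNN-NN-NNNN shape; area 900-999 is never issued by the SSA,
        # so a masked value cannot collide with a real person's SSN.
        area, group, serial = 900 + n % 100, (n >> 8) % 100, (n >> 16) % 10000
        return f"{area:03d}-{group:02d}-{serial:04d}"
    if field == "email":
        return f"user{n % 10**8:08d}@masked.invalid"   # .invalid never resolves
    if field == "ip":
        return f"10.{d[0]}.{d[1]}.{d[2]}"               # private range, routes nowhere public
    return f"Person-{d[:3].hex()}"                       # names and anything else


def mask_records(records: list[dict], key: bytes) -> list[dict]:
    """Mask every sensitive field in every record; non-sensitive columns are copied as-is."""
    return [{k: (mask_value(key, k, v) if k in SENSITIVE_FIELDS else v) for k, v in r.items()}
            for r in records]


def mask_for_nonprod(records: list[dict]) -> list[dict]:
    """Mask with a fresh random key that is never stored, so the copy is de-identified."""
    key = secrets.token_bytes(32)
    masked = mask_records(records, key)
    del key  # the key leaves no trace in the non-production environment
    return masked


def leaked_values(original: list[dict], masked: list[dict]) -> list[str]:
    """Compliance check: list any original sensitive value that still appears in the masked copy."""
    blob = repr(masked)
    return [r[f] for r in original for f in SENSITIVE_FIELDS if r[f] in blob]
```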
Also make sure your vendors protect the data and follow the CCPA requirements. Certain language needs to be in your vendor contracts to shift liability to them for their failure to comply with the CCPA. Lastly, train everyone in your company who collects personal information.
Step 6
Keep an auditable record of your privacy program. This means keeping track of everything from Steps 1 to 5. You can use this record in the future as a benchmark for the upcoming year, or apply it to new lines of business, which will make it easy to update the steps that need to change.
© Sectify 2024 All Rights Reserved