When GDPR rolled out on May 25, 2018, the fines were so high that many companies questioned whether they would even be enforced. It wasn’t until last year, when the Information Commissioner’s Office fined British Airways $230M as a result of its 2018 data breach, that organisations realised these fines were being taken very seriously. The California Consumer Privacy Act (CCPA), which came into effect on January 1, 2020, raised a new standard for consumer privacy rights at the U.S. state level, and this time the fines are being taken seriously from day one.
While the CCPA has been in effect since January, the California Attorney General could only begin enforcement and collecting fines from July 1, 2020. This six-month grace period was established to give organisations time to prepare and ensure they are doing their best to comply with the data laws as written, avoid regulatory fines and prevent legal action. Unlike GDPR, which imposes fines based on the degree of a violation, the CCPA allows individuals to pursue legal action against companies for their infractions. Non-compliant companies can be fined up to $2,500 for each non-intentional violation under the CCPA, rising to $7,500 if the violation is proven to be intentional. Even at $2,500, the total can grow astronomically, because there is no cap on the number of violations that can result from a single data breach impacting hundreds or thousands of consumers.
Whether an organisation already adheres to the CCPA regulations or is scrambling now that the enforcement date has passed, here are four important steps to help streamline compliance efforts and ensure an organisation is best positioned to handle any new regulations:
1. Conduct regular data audits
By mapping out where all Personally Identifiable Information (PII) lives within an organisation, compliance officers can have full confidence in where the data lives, who has access to it and what it is being used for. This exercise should be done regularly to ensure continued compliance and protection from malicious actors. It also lets you learn what data flows exist and why sensitive data ended up where it did, which can drive positive changes in how data is managed and how it is communicated internally, and ultimately ensure sensitive data is kept only where it should reside. To achieve this, you need to scan the entire organisation, not just the places where you think data is kept.
2. Communicate the key rights of all customers (related to their PII)
An important step that many organisations overlook is ensuring that the entire organisation, not just the sales and marketing team, understands a customer’s rights when it comes to their personal data, so that everyone is able to comply appropriately with the CCPA. These rights include:
  - The right to know what personal information is being collected, used, shared or sold, both as to the categories and the specific pieces of personal information.
  - The right to delete personal information held by businesses and, by extension, by a business’s service providers.
  - The right to opt out of the sale of personal information.
  - The right to non-discrimination in price or service when a consumer exercises a privacy right under the CCPA.
3. Create business strategies and internal processes
While it may seem overwhelming as organisations begin working towards CCPA compliance, it is critical that they prioritise business strategies and internal processes to address the following business obligations outlined by the CCPA:
  - Organisations must provide notice to consumers at or before data collection.
  - Organisations must create procedures to respond to consumer requests to opt out, to know and to delete. (For opt-out requests, businesses must provide a “Do not sell my personal information” link on their website or mobile app.)
  - Organisations must verify the identity of consumers who make requests to know and to delete personal information, whether or not the consumer maintains a password-protected account.
  - Organisations must disclose any financial incentives offered in exchange for the retention or sale of consumers’ PII.
  - Organisations must maintain records of requests, and of how they responded, for 24 months in order to demonstrate their compliance.
4. Appoint a leader to drive the effort
If the organisation does not already have someone in place, appoint a compliance officer to lead the effort, even if in a virtual capacity. This person’s goal should be to drive compliance as part of the ongoing data lifecycle, not as a single one-off project. To scale appropriately, make sure to leverage internal training tools where they exist, such as existing e-learning. This creates internal management and structure going forward, helping to alleviate the many pain points that compliance can bring.
With the stakes high and the room for error narrowing, these new data laws may seem daunting and overwhelming at first glance, but the most important thing to understand is that compliance is a journey. To succeed, it is crucial to build CCPA and wider compliance into the overall company policies and goals. This means putting the proper processes, people, IT infrastructure and technology in place to support this changing landscape. CCPA compliance doesn’t happen overnight, but when the right steps are taken, the compliance journey can become both manageable and achievable. Gaining compliance can make a positive impact on an organisation’s processes, balance sheet, reputation and risk mitigation.
Taken from the original article by Stephen Cavey, Co-Founder and Chief Evangelist, Ground Labs, published on vmblog.com: https://vmblog.com/archive/2020/07/09/4-steps-to-staying-ccpa-compliant.aspx#.XyAy6i-ZNN1