There are a few different ways to approach the California Consumer Privacy Act (CCPA), which comes into effect on January 1, 2020. As we’ve discussed before, the ISO 27001 standard can be a great springboard to CCPA compliance. If you’ve already gone through the ISO compliance process, that might be your best starting point. Europe’s GDPR is similarly suitable as a platform to build on toward CCPA compliance.
Whichever approach is most helpful for you in tackling the CCPA, there can be no doubt that the time to get started is now. The CCPA may not be law just yet, but it’s never too early to prepare for the inevitable, and waiting could come at significant cost in last-minute effort or even fines for failure to comply. Here are several steps you can take now on the road to compliance which, not coincidentally, are integral parts of a full, professional compliance process.
Review and make notes
It may sound basic, but before we get into more technical steps and considerations, take a few moments to read up on exactly what the CCPA is and what it requires of you. As you read, make some notes for yourself to look back on for reference. Is there a part of the legislation you don’t understand? Write it down. Parts of the CCPA require that you take stock of processes and behavior within your own organization that you may not yet have enough information about. Jot them down so you can look into them further. If you have any serious legal or security concerns after this step, consult with compliance experts for guidance.
Map consumer data
Now to the juicy stuff. A professional compliance process will begin with a proper gap analysis and risk assessment, designed to find the specific points where you fall short of CCPA compliance. Even if you lack the technical or practical knowledge to perform this process yourself, there are a few activities you can cover now that will make the risk assessment, and compliance as a whole, far easier.
The first is to map consumer data and understand how that data moves within your organization. What information is or has been collected by your organization? What methods do you use to collect it, and how is it stored? What security measures have you put in place to keep it secure? Is that data shared with or sold to other organizations? With your focus on providing a good service or product, these are questions you might not know the answers to. Now is the time to answer them and write the answers down.
Once you have a better idea of where and how consumer data flows within your organization, remember that the CCPA stipulates that consumers themselves must be informed of your data practices at or before the point of collection. Update your privacy disclosures to reflect what you’ve learned and start to plan the best ways to put them in front of consumers. Don’t forget to add a link to these documents on your website’s homepage.
Strategize for consumer requests
According to the CCPA, consumers have the right to make various requests regarding their data, and you have to be ready to follow up on them. They may ask to see what data of theirs you have stored and how it’s used. They can also request that their data be deleted and opt out of the sale of their personal information. Consider how best to facilitate such requests and have some ideas ready before you consult with compliance experts.
Inform the whole organization
While you are still preparing for the CCPA, you may not be able to tell your employees exactly what changes will be made as part of the compliance effort, but you should at least be able to tell them that certain changes are on the way. Once compliance measures are in place, these workers will need to be aware of what’s required of them to uphold the law, and it’s best if that doesn’t come as a surprise.
Increase security measures
The CCPA puts the onus for data protection on the organizations that collect and store it. Review your organization’s security measures and consider how they might be strengthened. The legislation does not stipulate specific security measures but does say these must be “reasonable.” The better you are able to protect consumer data, the less likely it is that you will find yourself in legal hot water.
The key to being prepared for the CCPA is awareness – awareness of what the law requires and awareness of your own organization. Compliance may be a legal matter first and foremost, but it is also a matter of organizational culture and mentality, calling on you to put the protection of your consumers high on your list of priorities. The CCPA and your entire organization should be looked at through this lens so that you are ready for compliance.