The January 1, 2020 deadline for implementing the California Consumer Privacy Act (CCPA) is looming. While enforcement of the new law won’t begin until July 1, 2020, many organizations are still only in the starting blocks. Correctly adhering to CCPA regulations requires attention to its details, a sound strategic approach, and the appropriate use of technology. We published a new whitepaper with First San Francisco Partners (FSFP) to give you a deep dive into
Drilling down into the requirements
The CCPA differs in some important ways from other data privacy regulations, such as the EU’s General Data Protection Regulation (GDPR). It also has its own special nuances, which require care and attention to implement. These include:
- Who must comply? – Organizations need to first understand whether or not they need to comply with the CCPA. There are a number of qualifying criteria that should be examined closely. Organizations that feel they do not qualify should document why this is so.
- Who and what is protected? – CCPA has its own definitions around who and what is protected, which differ in some significant ways from GDPR. For example, the definition of the personal information that it covers is much broader than GDPR.
- Which rights are granted? – The list of rights that CCPA gives consumers that are related to their personal information differs in many crucial ways from GDPR.
- How are penalties assessed? – CCPA differs from GDPR in the way it can force organizations to compensate consumers whose data has been breached, without the need to show harm.
There are many other ways in which CCPA and GDPR differ, so it’s important to realize that just because an organization is compliant with the European rules, it may not be fully compliant with CCPA. Organizations need to understand the rules and analyze how the rules will impact them.
Thinking about how to change
Next, organizations need to identify the adjustments they have to make to policies and processes, to comply with CCPA. Following that, organizations must decide what is the right way to go about creating the changes that are needed.
For data privacy compliance, it’s becoming increasingly clear that organizations are much better off thinking strategically about the implementation of new policies related to the new regulations. GDPR and CCPA are only the beginning of a coming tsunami of personal data regulations, which are being created to align individual jurisdictions with the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.
Creating point projects to adapt to each set of data privacy regulations is an expensive and time-consuming way to go about compliance. A more sustainable approach is required, which uses a data governance framework to enable the organization to adapt with agility to new personal data rules.
Implementing such an approach is, over the medium-term, much less resource-intensive as well – it future-proofs the organization’s investment in data privacy. FSFP and Collibra have shown many companies how to use technology to support the growing need to get data privacy right. For example, technology can be used to locate all of the personal data within an organization, automate data lineage, and create visualizations such as interactive data flow maps. Through automation, technology brings data privacy compliance policies and processes to life, supporting the development of a culture of compliance within the organization and enabling the business to use personal data with confidence.
