Are You Ready for CCPA?

Featured article Henry Umney, CEO, ClusterSeven

As Corporate America begins to plan for implications of the Californian Consumer Protection Act (CCPA), the train of thought within many organizations is moving towards how best to implement the requirements. The regulations do not come into effect until January 1, 2020, however it’s already on the forefront of many US companies’ business priorities. According to a recent PWC survey, only half of US businesses affected by the CCPA expect to be compliant by the 2020 deadline. The survey of more than 300 executives at US companies with revenues of $500 million or more found that US retailers may be particularly challenged in meeting the deadline: less than half (46%) of retail and consumer respondents say they will be compliant by 2020. Confidence in meeting the deadline is similarly lacking in the industrial products (44%) and health (47%) sectors. Respondents from financial services (58%) and telecommunications, media and technology (TMT) (56%) sectors are relatively more confident about meeting the deadline.

The principles that underpin CCPA are similar to those embedded in the EU’s GDPR framework, providing an implementation blue print that can serve as a general framework to ensure the timely and smooth implementation of CCPA.   While the law is focused on the needs of residents of the State of California, the scale of the Californian economy mean that the implications of CCPA have a national and international dimension. Organizations that do business in California – wherever they are based – are bound by its strictures.

Identifying the critical CCPA-relevant data is a key part of the implantation process. Where this data resides in enterprise IT applications will be challenging, but achievable. However, the pervasive use of spreadsheets – which often provide the flexibility businesses truly treasure – embedded within critical business processes means that finding and managing this CCPA data is hugely challenging, but absolutely vital.

Lessons Learned from GDPR

The approach of many organizations – as they raced towards the GDPR compliance deadline – appeared to be simply to identify the inventory of IT supported assets that hold GDPR sensitive data. For many, this is proving a significant task.  While a sensible first step, it just scratching the surface of this far-reaching regulation. The real challenge for GDPR practitioners was, and is in many cases, to create a ‘sustainable’ compliance process for the foreseeable future.

Much effort in addressing GDPR went into identifying and managing the relevant data in core IT applications.  The next challenge for the organization was to apply the same level of control, monitoring and attestation over unstructured data – typically spreadsheets, and other applications managed by the business rather than IT.

For both CCPA and GDPR, the key challenge – whether looking at Excel spreadsheets, Access databases, or business management analytics tools for example – is that these are distributed right across the business, in an uncontrolled way, and may contain the type of personal data covered by these regulations. Additional files and applications may well be added, obliging the organization to update their inventory. Given many are using Excel spreadsheets to manage their inventory, there is a management headache, as this updating will be done manually, with no audit trail in place to satisfy the regulation requirements and the auditors.

Organizations tackling CCPA requirements face an enormous task, however they can learn from the challenges faced by organizations responding to GDPR and turn their attention to the problem these files present for CCPA compliance.

FAIM – A four-step process for sustainable CCPA compliance:

Organizations can mitigate the non-compliance risk of spreadsheets by adopting FAIM – a technology-supported four step process (Find, Analyze, Inventory and Monitor) – that  enables  them to make compliance with the CCPA more ‘business as usual’ when it comes to the spreadsheet environment.

1. Find

Identifying the files that contain the sensitive personal data is obvious, but given the often significant business-owned application environment, finding a CCPA-relevant file can be akin to finding a needle in a haystack. Today there are a number of tools available on the market that organizations can take advantage of to scan the files in the business environment.

Powerful search tools are essential here, so that huge volumes of files can be analyzed for CCPA information being held at cell level, which can be difficult to scan.

2. Analyze

The next step is to produce reports based on the organizations CCPA profile and assess them to show ‘hot spots’ – i.e. files in the spreadsheet landscape that potentially contain CCPA-relevant data. Additionally, they categories the files on the basis of high, medium and low risk, which is very useful from a prioritization perspective. For instance, files that include personal data such as ethnic information, passport numbers, credit card details, trade union membership and so on, would be categorized as high risk files and would need compliance processes to be applied to them urgently.

3. Inventory

Having identified and analyzed the key CCPA files, the next step is to pull them into a management framework that allows a business to proactively monitor their CCPA files. This can encompass both IT and non-IT managed CCPA files. Placing the key CCPA files in an inventory framework allows business to proactively monitor their most sensitive, highest risk files. It provides a framework for providing attestation for CCPA files.

To make compliance with the CCPA ‘business as usual’, an automated attestation process, underpinned by full auditability, is fundamental. It will ensure that the organization is capturing data in accordance with the corporate’s CCPA policy. This attestation capability provides a robust, flexible and powerful model that helps staff and line managers manage their CCPA compliance, by confirming the CCPA status of files, and confirming they comply with the regulations. It also provides an efficient framework for managing and resolving non-compliant files.  For example, if an individual needs to have their records removed from a file, or set of files, the attestation framework allows staff to confirm that individual has been removed, bringing accuracy and consistency to an often manual, error-prone process.

4. Monitor

CCPA compliance isn’t just about being complaint on January 1, 2020. It’s about meeting regulators requirements in the days, weeks and years to come. Organizations must ensure that they are able to monitor CCPA-relevant data for version control, changes and approvals, new data, as well as the attestation process.

Organizations preparing for CCPA have the advantage of lessons learned through others who went before them with GDPR requirements. Of vital importance is recognizing that CCPA compliance will evolve as their business evolves. They need systems and processes in place that capture unstructured, as well as their structured data. They must be able to accommodate changes to this dataset, such as new data being added, or when people request their data is removed or moved to a new organization. Finally they need to be able to deliver this capability, and demonstrate it efficiently and cost effectively.