Next in Data Privacy Compliance: The California Consumer Privacy Act
This May marked the 1-year anniversary of the European Union’s General Data Protection Regulation (GDPR) and its rigorous compliance requirements. Aimed at establishing trust with customers, employees, and citizens by giving them more control over their data, GDPR has already dramatically impacted the way organizations capture, manage, archive, distribute, and dispose of data. With the threat of substantial financial penalties for non-compliance (up to €20 million or 4% of annual global revenue), companies had to act.
Having endured GDPR compliance, these companies now face a tough new data privacy law, thanks to the state of California—The California Consumer Privacy Act (CCPA).
Signed into law in June 2018, CCPA very much continues this trend of regulating how personal information is stored and managed. When the legislation goes into effect on Jan. 1, 2020, CCPA requirements will not be limited to businesses located within California but relate to anyone storing information on California-based individuals.
Like GDPR, the CCPA empowers consumers—in this case, residents of California—to compel businesses to disclose the personal information collected about them. Under CCPA, Californians can issue a request for information to a business, and that business must then disclose the categories and specific pieces of personal information it collects. The business must also indicate where and why that personal information was collected, and with whom it was shared.
What’s more, requests for information by citizens can seek all data about them going back 12 months. This means companies are on the hook for all relevant data dating to January 2019—a full year prior to the date CCPA goes into effect.
If your company does business in California, you need to ensure you’re properly managing your data starting yesterday.
GDPR Look Back
One key lesson from GDPR compliance that applies directly to CCPA: Your compliance plan must address more than just a data challenge. As was the case with GDPR—particularly the Subject Access Requests (SAR) within GDPR—CCPA also poses an equally significant content challenge.
Think about the numerous places where organizations store data and content about their customers. Despite myriad content repositories, most businesses still lack an easy way to search, access, and secure that information. That might be adequate for managing and protecting personal information on an internal basis. But complying with CCPA will require more than just making sure that data is locked down, secure, and accessible to only the right people. You need an easy means of managing and accessing content and information. Only then can you realistically provide full details of all the personal information you have stored on your customers.
From a practical perspective, CCPA is mandating that you respond to information requests on a massive scale. For every Californian who issues a CCPA request for their personal information, you will have to undertake an extensive information gathering process. This includes finding and pulling data from every single system that could possibly store information on that person. Then you must collate it and share it with that citizen.
Easy, right? Wrong.
Many CIOs simply haven’t factored in this crushing workload when planning for CCPA—if they’re planning for CCPA at all. That presents a potential business crisis, considering the negative fallout that could result from failed CCPA request responses. When people start issuing CCPA requests for personal information in January, you don’t want to be the company that takes forever to comply. Extended delays can quickly turn into negative publicity and social media attacks for a slow-responding organization.
Responding to CCPA privacy requests
Organizations typically use multiple systems for managing business-critical information—enterprise content management systems, file sharing apps, network file folders, etc. Occasionally, they’ll even deploy more than one per department. In this environment, it’s virtually impossible to arrive at a single version of the truth.
Today’s leading information management tools, on the other hand, offer more of a "repository-neutral" approach. The modern content services platform (CSP), for example, allows users to quickly find the information they need no matter where it resides. For companies managing CCPA requests, that means they can use CSPs to connect data on an individual from all those different systems in the business. This lets them respond to those requests as they come in, sharing the requested information back to the citizen in an appropriate format and in a timely manner. CSPs also help from an organizational perspective, as they let firms identify all the places within the business where personal information is in fact stored. This has the additional benefit of assisting from an auditing point of view as well.
Many content management solutions currently on the market purport to help with CCPA, but come with very clear limitations. For one, they tend to look for personal information in only a few places: the file system and network drives, Word documents and Excel spreadsheets, etc. These would-be solutions will not, however, look within the core enterprise CRM or ERP systems, HR systems, or other line-of-business systems—which is where personal information is primarily stored.
A CSP, by contrast, can access all these repositories. A CSP will look at both file systems (for unstructured content) and inside connected enterprise solutions (which are often database applications containing structured data) in order to provide a complete view of your CCPA-related information. This provides a solid foundation for addressing an organization’s CCPA needs.
Metadata and AI
Today’s most modern CSPs will also leverage metadata and AI, which will greatly assist in CCPA compliance. An intelligent, metadata-driven CSP can automatically categorize assets that contain personal consumer information, and ensure it is properly managed according to various CCPA requirements.
Metadata, often described as “data about data,” generally takes the form of attributes that describe the data file or object. A Word document, for example, will include metadata that denotes its file type, size, author, date created, and date modified, all of which are important data points that help individuals quickly find and access specific documents and information objects.
AI will enable faster, automated metadata extraction in greater detail, including from audio and video files. This is crucial because some PII is stored in formats, such as images, that cannot be analyzed and indexed as readily as text documents.
Once a file or object is labelled as containing personal data, the system can apply control and permission management to ensure only authorized users can access it. Organizations can assign access permissions to an entire class of documents, such as “financial,” and set rights within the system that prevent anyone outside the finance group from viewing the information. The system can also prevent files or objects from being inadvertently or intentionally emailed or transferred outside of the organization.
When it comes to CCPA, another key benefit to deploying a metadata-driven CSP is that it provides an automated tracking system. Each change to a piece of content is documented by the system, leaving an audit trail behind that details who made what changes and when.
Additionally, organizations can leverage a CSP to enforce information governance rules around retention and deletion, to ensure data isn’t kept longer than necessary. For example, an enterprise may decide that all personal information should be encrypted and that it should be purged as soon as possible after the mandatory retention period passes.
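The following is an added example, not code from this article or from any vendor’s content services platform. It models, in a few dozen lines of Python, the controls the last few paragraphs describe: objects are tagged as containing personal data based on their metadata attributes, tagged objects are visible only to their owning group and cannot be transferred outside the organization, every classification and access decision is appended to an audit trail, a retention period decides when tagged objects are due for purging, and a request for one person’s data is answered by collating records from every connected repository within the 12-month look-back window. The repository names, groups, dates, the list of attributes treated as personal data, and the `example.com` internal domain are all constructed assumptions for the example.

```python
"""Toy model of metadata-driven personal-data controls (added example).

Not the article's or any product's code; all records and names are constructed.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Set

# Metadata attribute names treated as personal information (an assumption for
# the example; a real deployment would use a fuller, policy-driven list).
PII_FIELDS = {"ssn", "email", "home_address", "date_of_birth"}
INTERNAL_DOMAIN = "example.com"  # constructed organization domain


@dataclass
class ContentObject:
    object_id: str
    repository: str            # "crm", "hr", "fileshare", ...
    subject: str               # identifier of the person the record is about
    owner_group: str           # group permitted to view a restricted object
    created: date
    metadata: Dict[str, str] = field(default_factory=dict)
    audit_log: List[str] = field(default_factory=list)


def classify(obj: ContentObject, today: date) -> bool:
    """Tag the object if any metadata attribute is a personal-data field."""
    has_pii = any(key in PII_FIELDS for key in obj.metadata)
    obj.metadata["contains_personal_data"] = "true" if has_pii else "false"
    obj.audit_log.append(f"{today.isoformat()} system classify pii={has_pii}")
    return has_pii


def is_personal(obj: ContentObject) -> bool:
    return obj.metadata.get("contains_personal_data") == "true"


def can_access(obj: ContentObject, user: str, groups: Set[str], today: date) -> bool:
    """Personal-data objects are visible only to the owning group; log the decision."""
    allowed = (not is_personal(obj)) or obj.owner_group in groups
    verdict = "allowed" if allowed else "denied"
    obj.audit_log.append(f"{today.isoformat()} read by {user}: {verdict}")
    return allowed


def can_transfer(obj: ContentObject, destination_domain: str) -> bool:
    """Block sending personal-data objects outside the organization.

    The destination must equal the internal domain or be a subdomain of it;
    a bare endswith() check would let 'evil-example.com' through.
    """
    internal = (destination_domain == INTERNAL_DOMAIN
                or destination_domain.endswith("." + INTERNAL_DOMAIN))
    return internal or not is_personal(obj)


def purge_due(obj: ContentObject, retention_days: int, today: date) -> bool:
    """Personal data older than the retention period is due for deletion."""
    return is_personal(obj) and today >= obj.created + timedelta(days=retention_days)


def collect_subject_data(objects, subject: str, lookback_days: int, today: date):
    """Collate, per repository, what is held on one person inside the look-back
    window (the 12-month window the article describes), reporting categories
    rather than raw values."""
    window_start = today - timedelta(days=lookback_days)
    report: Dict[str, List[dict]] = {}
    for obj in objects:
        if obj.subject == subject and obj.created >= window_start:
            categories = sorted(k for k in obj.metadata if k in PII_FIELDS)
            report.setdefault(obj.repository, []).append(
                {"id": obj.object_id, "categories": categories})
    return report


def sample_objects() -> List[ContentObject]:
    """Constructed records for one person, spread across several systems."""
    return [
        ContentObject("crm-1001", "crm", "alice", "sales", date(2019, 3, 2),
                      {"email": "alice@example.org", "home_address": "1 Main St"}),
        ContentObject("hr-77", "hr", "alice", "hr", date(2019, 11, 20),
                      {"ssn": "***-**-0000", "date_of_birth": "1980-01-01"}),
        ContentObject("share-5", "fileshare", "alice", "marketing", date(2017, 6, 1),
                      {"email": "alice@example.org"}),   # past retention, outside look-back
        ContentObject("share-6", "fileshare", "none", "marketing", date(2019, 9, 9),
                      {"title": "Q3 campaign plan"}),    # no personal data
    ]


def run_demo(today: date = date(2020, 1, 15)):
    """Classify everything, answer a request for 'alice', and list purge candidates."""
    objects = sample_objects()
    for obj in objects:
        classify(obj, today)
    request_report = collect_subject_data(objects, "alice", 365, today)
    purge_list = [o.object_id for o in objects if purge_due(o, 730, today)]
    return objects, request_report, purge_list


if __name__ == "__main__":
    objs, report, purge = run_demo()
    print("request response:", report)
    print("due for purge:", purge)
    for o in objs:
        print(o.object_id, o.audit_log)
```

Two design points carry over to a real platform: the request response reports which categories of personal information each system holds, not the raw values, which is the disclosure the text describes; and the external-transfer check matches the organization domain exactly or as a proper subdomain, since a simple suffix match is a common way such a control fails.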
Taking such an automated approach to managing and protecting personal data brings order and consistency to the task, making it easier to comply with CCPA requirements.
A modern tool: Content services platform
CSPs are emerging as a modern tool with the ability to integrate data and content across the enterprise; they will be ideally placed to serve compliance with CCPA and any broader privacy laws that may follow.
Organizations need to appreciate the full impact of CCPA and consider how to adequately accommodate requests for personal information. And they need to do this now—before CCPA comes into force and before the requests for information start pouring in.
If you don’t, you risk not only business disruption, but possible negative PR around CCPA—both of which will have significant negative impact on your organization.