Preparing for California’s New Data Privacy Act: Q&A with ASG’s Rob Perry
Are there requirements for notification to individuals?
There does not seem to be a requirement of notification around breaches. GDPR is very specific that you must alert supervisory authorities immediately when you find a breach, and that in 72 hours you have to notify affected individuals. But I have not seen a timeline for notification of breaches in this law.
How will this impact customer service and marketing initiatives?
If you look at the origin of this law, it is very much focused on companies that are viewed as making money by selling people’s data. While it affects more than that, this is the origin. There are many situations where an individual actually wants a company to have their data to provide a service. For example, when you call your credit card company, you want them to know who you are and know about your account. Relationships that both sides want—those types of relationships will continue. But, it will be interesting to see what happens around data research types of relationships and data mining relationships. Today, it seems you can mine a lot of data and use it without asking anyone for permission.
Will anything else change?
I would expect the data use model to change in some ways, introducing the concept that you can incent people for the right to use their personal data, and this may also expand, with companies providing some remuneration. Who knows? It could be a Starbucks gift card or real money depending how the data will be used. In this way, we may see business models for data use expand.
And then, of course, in all kinds of marketing, organizations will need to consider the source of the data. They will have to think: Where did it come from? Do we have the correct consent from the individual for it? Companies will have to map out what data their databases have and be clear about what they can do with it.
Is there something that companies can do now to prepare?
For companies with large quantities of data, the first step is the discovery process. Organizations will need to analyze the data they have under management so they can identify the personal data that has been collected. This is not as easy as you might think because sometimes personal data is stored in different ways as it moves through the organization. For example, a company might have email addresses, and then decide to use the email addresses as user IDs. If you are just searching for “email addresses” in headers for columns and tables, you might miss it. Ways to address this include tracking the lineage of how data moves through the organization or possibly using a pattern-matching tool to identify Social Security numbers, phone numbers, email addresses, and other personally identifiable information.
You also need to start thinking about IP addresses and other non-obvious personally identifiable information that could indicate the locations people are connecting from. That is also information that can be considered personal data. For this reason, a glossary, or repository, of all the information, all the data stored by a company and how it is being protected, is very important. A company needs to be able to demonstrate that it knows the data it has, understands how it is being protected, and is certain about how it is being used and how its use might change. For example, our tool also allows an organization to create a snapshot of the data lineage that can be compared to previous snapshots to identify change.
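As an added illustration of the content-based discovery described in this answer (example code written for this page, not ASG's tool): a small Python scan that classifies columns by what their cells look like rather than by their headers, so email addresses stored under a "user_id" column and IP addresses under "client_addr" are still found. The sample rows, column names and the 50% threshold are constructed assumptions.

```python
import re
import ipaddress

# Constructed sample table: the headers "user_id" and "client_addr" give no
# hint that they hold email addresses and IP addresses.
SAMPLE_ROWS = [
    {"user_id": "alice@example.com", "client_addr": "203.0.113.7",
     "contact": "415-555-0100", "tax_ref": "123-45-6789", "notes": "ok"},
    {"user_id": "bob@example.org", "client_addr": "198.51.100.42",
     "contact": "(650) 555-0199", "tax_ref": "987-65-4321", "notes": "n/a"},
    {"user_id": "carol@example.net", "client_addr": "2001:db8::1",
     "contact": "650-555-0123", "tax_ref": "none", "notes": "vip"},
]

# Whole-cell patterns for common PII formats (US-style SSN and phone).
PATTERNS = {
    "email": re.compile(r"^[\w.+-]+@[\w-]+(\.[\w-]+)+$"),
    "ssn": re.compile(r"^\d{3}-\d{2}-\d{4}$"),
    "phone": re.compile(r"^\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}$"),
}

def classify_value(value):
    """Return the PII category a single cell matches, or None."""
    text = str(value).strip()
    for name, pattern in PATTERNS.items():
        if pattern.match(text):
            return name
    try:
        ipaddress.ip_address(text)  # accepts IPv4 and IPv6 literals
        return "ip_address"
    except ValueError:
        return None

def classify_columns(rows, threshold=0.5):
    """Label a column by its dominant PII category when at least
    `threshold` of its cells match, ignoring the header entirely."""
    columns = {}
    for row in rows:
        for col, value in row.items():
            columns.setdefault(col, []).append(classify_value(value))
    report = {}
    for col, labels in columns.items():
        hits = [label for label in labels if label]
        if not hits:
            continue
        top = max(set(hits), key=hits.count)
        share = hits.count(top) / len(labels)
        if share >= threshold:
            report[col] = (top, round(share, 2))
    return report
```

Running `classify_columns(SAMPLE_ROWS)` flags user_id, client_addr, contact and tax_ref while leaving the free-text notes column alone; the threshold keeps a column with a few non-matching cells from slipping through.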
How does this help?
Data intelligence tools and lineage capabilities are very helpful for organizations in understanding the data that they have, including how the data has moved and flowed through the organization and whether it has changed. But companies also have to educate their teams about how they can use data, how they must protect data, and how they handle data collection. It is not a one-shot thing. Companies have to be persistent and continue to educate people about changes to regulations so they stay compliant.
Other considerations are the use of encryption, how data is stored, and how it is protected from outside threats and also how it’s protected internally from unauthorized use within the organization. With redaction, an organization can define which areas of a document, for example, should be shown to an employee based on their level of privilege.
Are there companies that have less to worry about than others?
If a company has been working on GDPR compliance it will already have done a lot of the actions it would need as a baseline for compliance with the California regulation. Certainly, it will need to adjust its language for EU and California residents. The California regulation is very prescriptive on the language that needs to be used to inform individuals about the data being collected.
CCPA has a threshold for the size of a company that has to comply. This gives smaller companies a break. But for larger companies that have already done a lot of work to comply with GDPR, there are enough differences that they will still have to think about this new law.
Other states also have data protection laws that have been adopted or are in the process of implementation. I think this will present a challenge and is why the issue may be kicked up to the federal level to provide more consistency. We have already seen that there are banking regulations in conflict with GDPR. Regulations require that banks share everything about who is moving money around to prevent money laundering, but GDPR says not to share this information. Similarly, we will see inconsistencies in state laws and it is going to be interesting for a while to watch how this develops.
Interview conducted, edited, and condensed by Joyce Wells.