10 IT Governance Steps for CCPA Compliance
The California Consumer Privacy Act (CCPA) goes into effect on January 1, 2020. However, there is a 12-month lookback, meaning that organizations will need to be prepared to respond to consumer requests dating back to January 1, 2019.
Organizations must start preparing now, looking to leverage similar activities that have already been initiated to accelerate their CCPA readiness. Preparing for CCPA will undoubtedly put organizations in a better position to comply with other new US privacy regulations that are bound to be enacted soon.
1. Define Requirements
Organizations potentially subject to CCPA must understand and document their privacy requirements, understand timelines, set milestones, and assign responsibilities for executing the plan. Consider:
- Does a new program need to be designed, or is there an existing function that should own this activity?
- Who are the key stakeholders that will inform the privacy requirements?
- What does the future state need to look like?
Organizations should consider documenting legal and compliance requirements to understand the jurisdictions in which they are doing business, where customers reside, and what legal obligations are either currently in place or need to be considered.
2. Perform Assessments
Once requirements have been defined and documented, assess your current state to determine how ready (or not) you are to meet these new regulatory obligations. A current state assessment typically focuses on the key points of the regulations to identify gaps, determine a level of maturity, and identify a roadmap to privacy compliance. For CCPA, key assessment criteria include:
- Data inventories and data flows
- Governance and operating models
- Notices and policies
- Service provider and third-party contracts
- Consumer rights processing capabilities
3. Identify Synergies
As the privacy program is developed, include stakeholders from different parts of the organization. IT, information security, legal, compliance, HR, finance, sales, marketing, and key business units commonly have a seat at the table when discussing privacy-related initiatives. Understanding each function’s major initiatives is critical in designing a comprehensive program to address current and future needs. By aligning each constituency, you can build out a privacy program that is not only compliant with broad frameworks like CCPA, but also addresses specific needs across the organization.
4. Identify and Address Gaps
As companies define requirements and assess their current state, potential gaps will be identified. A mitigation plan should be developed to address the gaps. Companies should clearly communicate responsibilities for addressing the gaps, including identifying and incorporating areas that may already be targeted for remediation.
5. Implement Change Management
Addressing the requirements of legislation such as CCPA can lead to unsettling and disruptive changes in business processes if proper planning does not take place. Understanding your corporate culture, and employees’ receptivity to change, will help determine an approach to CCPA compliance tailored to your organization.
6. Train and Create Awareness
Organizations typically deploy cybersecurity and information management training to limit exposure to data breaches due to phishing attacks and other IT security-focused use cases. However, many organizations do not have data privacy-related training offerings. Training should be developed, implemented, and measured to confirm that both new hires and existing personnel have not only completed the training requirements, but also understand the subject matter.
7. Communicate and Socialize the Program
Preparing for CCPA cannot be done in a vacuum. Changes to policies and related procedures will need to be clearly communicated across the organization. Companies have different mechanisms to deliver these messages. A combination of leveraging existing staff meetings, departmental update meetings, and email communications can effectively inform stakeholders of pending actions.
Preparing for CCPA can be a catalyst to review and update company documentation. Some organizations may have recently reviewed and updated policies and procedures as part of their GDPR implementation, or in response to other regulations. Other organizations may not have reviewed or updated their policies and procedures in some time, and CCPA preparations can be a vehicle to support such activities. Along with data privacy policies and updates to website privacy notices, remember to consider vendor agreements with third parties with whom you share information. Acceptable Use policies, Records Retention policies, and other technology policies such as Bring Your Own Device (BYOD) should also be reviewed to determine if any CCPA-related changes are required.
9. Implement the Program
While CCPA will be effective January 1, 2020, it includes a 12-month “look back” requiring companies to catalog, preserve, and be prepared to disclose personal information dating back 12 months before CCPA’s effective date. Organizations should be documenting processes now, so they have current information about how they use and share data. Organizations should also evaluate technology solutions that can help operationalize and maintain CCPA compliance programs.
10. Monitor and Maintain the Program
While preparing for CCPA may be a focus within your organization, it should ultimately fold into more robust privacy program initiatives. With a privacy program designed and operationalized, organizations should implement an ongoing monitoring capability to identify changes and updates to the regulations and determine how best to react. As new privacy regulations are implemented, they will likely be revised and updated, so organizations need to stay vigilant to maximize program effectiveness.
Debate continues in California and across the country about the CCPA. Both its opponents and supporters are still advocating for clarification and additional changes, which could mean that the regulation will be again amended before it is enacted. In much the same way that GDPR impacted European and other international privacy programs, CCPA is a catalyst for data privacy in the United States. Organizations must start preparing now, looking to leverage similar activities that have already been initiated to accelerate their CCPA readiness. Preparing for CCPA now will undoubtedly put organizations in a better position to comply with other new US privacy regulations that are bound to be enacted soon.
Information presented was obtained from sources deemed qualified and reliable; however, MFA makes no representations as to accuracy, completeness, suitability, or validity of any information within this communication and will not be liable for any errors, omissions, or delays in this information or any losses, injuries, or damages arising from its display or use. Any forward-looking statements are believed to be reasonable; however, MFA gives no assurance that such expectations will prove to be correct.