Risk and Compliance

Last Call: A CCPA Readiness Primer

Jeffrey SanchezJoel Wuesthoff
November 21, 2019
4 min read

The California Consumer Privacy Act (CCPA) goes into effect on January 1, 2020. That’s just 40 days from the date we published this blog. Yet we continue to see a considerable number of organizations that are likely to be impacted by this new legislation failing to put together personal data privacy protection programs. That could be a costly mistake.

In a recent webinar we held on this topic, a full 100 percent of attendees said they are putting only “moderate” effort into CCPA planning. Forty-two percent of that same audience said they are covering CCPA planning solely using internal resources, versus hiring outside counsel or consultants. Nearly 60 percent of the audience said they are “definitely not” selling personal data – a key factor in the CCPA regulations. That’s consistent with what we hear from clients, yet we often find those same clients failed to understand an important piece of the CCPA “fine print,” which says that if an organization is exchanging data for any benefits (not just selling data for money), that’s considered “selling” data under CCPA. All of these are important points to consider when planning for CCPA yet are often passed by in the planning process.

CCPA, while broader than the European Union’s General Data Protection Regulation (GDPR), is complex and – as with any governmental requirements — the devil is in the detail. Amendments discussed in the webinar have either been resolved or tabled for now. And while enforcement will be delayed until mid-2020, that January 1 effective date remains critical. If your organization is among those who are on the back side of planning for CCPA, here are several important tips.

First, spend time reviewing this privacy operating model, which we use with all new clients.

Note that governance is at the top. When organizations consider broad policy design, and how that design aligns with its risk profile and risk appetite, how the personal data collected, processed and stored is of critical importance. At the bottom of this framework is the technical infrastructure, which plays such a big role in understanding and developing a data inventory. In between, we would cover the building blocks of any privacy program, including the process purpose, how to contract with service providers or third parties, how to honor consumer requests, incorporating security and privacy by design and more.

At any given layer, different stakeholders, ranging from outside counsel to internal stakeholders, should each own a particular process. Perhaps legal owns contractual relationships, while the chief information security officer (CISO) owns risk assessments and determine what levels of security requirements are needed.

Communication, education and training at both the audit committee level and executive committee level, as well as with individuals across the organization also needs to be addressed. Many clients are amazed at the extent of what personal data means to the organization and how each person who handles data within the organization, or who talks directly with consumers, also has a role in data protection. Getting level set on what personal data means in content to this statute, is a real need.  One of the areas we like to start with is data identification. Organizations just starting to put a data privacy program in place need to understand the data they have, how that data is used and why that data is used. That exercise will help inform the data privacy notices, policies and procedures that need to be developed. Above all, do not get into a situation where data practices are not accurate.

Once processes are established, there will be ongoing compliance needs to consider. This chart provides a high-level review of the types of questions an organization must continue to ask as it develops and refines its program.

Clearly, CCPA is not something that’s going away. We fully anticipate we will continue to see states and countries implement new privacy requirements. Which is why getting control of data is perhaps the most important factor to get clarity on now. That includes data mapping, processing and data flow.

Without understanding inventory, flow of data, it is difficult to understand where data exists. We cannot emphasize enough, understanding data is a critical first step.

Finally, establish a steering committee or some sort of dialog across the organization so that everyone understands the policies are not aspirational, they are practical. These policies must reflect the way the organization will operate going forward. This could likely involve a cultural change, which our colleagues discuss in another webinar in this series, Establishing an Organizational Privacy Function. (link to that blog, still in review).

To listen to this webinar on-demand, or any of the other webinars in our privacy series, click here.

Jeffrey Sanchez

Managing Director
Security and Privacy

View all posts

Joel Wuesthoff

Managing Director
Legal Consulting

View all posts

You may also like

Subscribe to Topics

Protiviti Technology Follow

Protiviti leverages emerging technologies to innovate, while helping organizations transform and succeed by focusing on business value.

ProtivitiTech
protivititech Protiviti Technology @protivititech ·
18 Apr

Learn more about what GRC Managed Service is and what it can do for SAP S/4HANA and SAP cloud solutions in the latest #SAP Blog post. https://ow.ly/OMaL50RfsHw #ProtivitiTech

Reply on Twitter 1781035159438954997 Retweet on Twitter 1781035159438954997 Like on Twitter 1781035159438954997 Twitter 1781035159438954997
protivititech Protiviti Technology @protivititech ·
17 Apr

Protiviti is a proud sponsor of ServiceNow Knowledge 2024—a three-day conference all about #AI. Stop by our booth (#2503) to visit with our team and learn how the #ServiceNow platform makes business transformation possible. https://ow.ly/qa6p50Rh9wf

Reply on Twitter 1780627914964308382 Retweet on Twitter 1780627914964308382 Like on Twitter 1780627914964308382 Twitter 1780627914964308382
protivititech Protiviti Technology @protivititech ·
16 Apr

What is #DesignThinking? Could it help your organization? Find out how Protiviti uses it to help clients build net new applications and modernize legacy systems. https://ow.ly/fMK550Rfsoi #ProtivitiTech

Reply on Twitter 1780204913663873376 Retweet on Twitter 1780204913663873376 Like on Twitter 1780204913663873376 Twitter 1780204913663873376
protivititech Protiviti Technology @protivititech ·
15 Apr

Join our May 2 webinar designed for privacy and security professionals seeking to navigate the intricate nuances of data governance within the ever-evolving global regulatory landscape. Register today! https://ow.ly/hzrG50R4fTX #ProtivitiTech #DataPrivacy

Reply on Twitter 1779872392535212145 Retweet on Twitter 1779872392535212145 2 Like on Twitter 1779872392535212145 1 Twitter 1779872392535212145
protivititech Protiviti Technology @protivititech ·
12 Apr

The latest Technology Insights Blog post offers insight into the unique risks associated with Large Language Models (LLMs) and how to establish strategies to mitigate them. https://ow.ly/q3w550RfbXm #ProtivitiTech #TechnologyInsights

Reply on Twitter 1778890996282982442 Retweet on Twitter 1778890996282982442 Like on Twitter 1778890996282982442 Twitter 1778890996282982442
Load More