First GDPR, Now CCPA: Manage Your Vendors So They Don’t Put You at Risk
One year ago, organizations of all sizes were scrambling to comply with the pervasive General Data Protection Regulation (GDPR). The dark underbelly of data privacy had just been revealed, and departments were working together to secure both their organization and their vendors to avoid hefty fines.
On May 25, 2018, GDPR took effect, intending to give European Union residents and citizens greater control over their data by enacting strict rules on how personally identifiable information (PII) is collected, stored and used. Over the course of the year, companies of all sizes felt the impact of GDPR. While many companies took a lackadaisical approach to GDPR compliance in the early part of the year, many jumped into action once the EU flexed its proverbial muscle.
However, time has shown that this is just the beginning. As organizations take a deep breath and collectively reminisce on the last year of GDPR being in effect, there is still one major box to check off, especially for US-based organizations.
Case in point: the California Consumer Privacy Act (CCPA).
Many organizations may be feeling like Bill Murray in Groundhog Day as they start to prepare for CCPA. Still, the preparation is good practice as the country – and the globe – moves towards more stringent data privacy laws.
What the California Consumer Privacy Act Entails
According to the Californians for Consumer Privacy, the organization responsible for the creation of CCPA, the law is looking to accomplish the following goals:
- The right to know what information large corporations are collecting about consumers.
- The right to tell a business not to share or sell consumer personal information.
- The right to protections against businesses which do not uphold the value of consumer privacy.
Failure to comply with the regulations can be pursued through consumer lawsuits (for data breaches) or through monetary fines set by the California Attorney General of up to $2,500 per violation.
In short – the CCPA is allowing consumers to take back control of personal data that is collected, stored, distributed and sold without their knowledge.
Where to Start with CCPA Compliance
At a high-level, CCPA is similar to GDPR in that it is putting the consumer first, ensuring that each individual has explicit rights to any data that is collected by external parties.
There are nuanced differences between the two, but the basic guidelines for GDPR can also be applied to CCPA. While there are more than six months until the law goes into effect, companies cannot wait until the last minute to comply – even more so if their vendors have access to personal data belonging to Californians. Here are three high-level steps to start the compliance process:
1. Risk Assessment
Conduct an organization-wide initial risk assessment to determine whether CCPA applies to your organization or your vendors.
This is the quickest and simplest step – a swift and repeatable way to determine whether any data that an organization or its vendors collect falls under CCPA. This initial risk assessment needs to at least confirm the following:
- Do you or your vendors hold personally identifiable information (PII)?
- Does any of the PII belong to California citizens or residents?
This assessment instrument may be as simple as a brief questionnaire. But to be effective, it must be distributed among every potential data holder to ensure that no potential reservoir of personal data is overlooked. Be sure to include all internal systems and data silos, all third parties who may hold customer and employee data, and any new third parties.
2. Data Privacy Impact Assessment
Complete impact assessments that reveal the nature and extent of your exposure.
In every instance where PII has been identified, an in-depth “data privacy impact assessment” is necessary to determine what types of personal data are stored, how that data is collected and used, and what controls are currently in place. Both internal enterprise assessments and external assessments of each vendor are needed to guarantee that compliance measures are being taken inside and outside of the organization. The assessment should address the following issues:
- Data Issues: The types of PII (names, addresses, SSNs), where this data is stored, how it is used and how it is deleted
- Access Issues: The individuals, departments and systems that have access to this information
- Control Issues: The current policies and procedures for data collection, use and compliance; and how controls are checked and documented
With these assessments, organizations can identify the gaps in data practices for both themselves and their vendors, and answer the question: where do potential vulnerabilities remain?
3. Policies & Procedures
Establish and monitor policies and procedures to maintain CCPA compliance over time.
Enterprises need to document intent by creating and enforcing data policies and procedures for themselves and for their partnerships with third parties. Components to an initial compliance program should include:
- People: If not already in effect, organizations should create a distinct data compliance role responsible for data monitoring and enforcement, and identify comparable roles among third parties. Once confirmed, a means of regular communication and reporting between these roles must be established.
- Policies: Organizations need to create and document policies, including procedures for addressing the biannual California citizen data requests, and for addressing potential policy breaches. They must also confirm that their third parties have CCPA policies in place, and that they are compliant.
- Monitoring: With GDPR, and now CCPA, all data activity must be monitored, and organizations should establish regular procedures for the monitoring and documentation of both internal and external (third-party) data activity. Other documentation should include “read & understood” certification activities to educate employees and third parties and the tracking of potential policy or personnel changes, made internally or by third-party providers, that could affect CCPA.
Why Automated Third-Party Risk Management Can Ease the CCPA Compliance Burden
While many of these steps seem easy in nature – a few forms, a few checked boxes – companies that deal with several hundred vendors need more than just paper forms to ensure that all of their vendors are compliant.
If an organization has over 200 vendors, even an initial two-question assessment can go from an hour-long process to days…or even weeks. Paper-based policy documentation resists efficient management – and may expose organizations to unnecessary risk. Automating these manual processes with Third-Party Risk Management software can not only ease the burden of this new regulation, but also save valuable time and money for an organization.
January 1, 2020 may seem far away, but the time is now to comply. Contact ProcessUnity to learn how you can simplify and streamline your organization’s CCPA compliance process.