The buzz around the California Consumer Privacy Act (CCPA) is a lot, well, buzzier these days, and for good reason. The January 1, 2020, effective date is little more than a month away, and security and privacy teams want guidance on CCPA compliance requirements. Rather than spend your valuable time reviewing just what those requirements are—which most of us are all too familiar with by now—it might be helpful to look at best practices for overall compliance. After all, the CCPA isn’t the only regulatory challenge organizations face.

Consider:

    1. GDPR: Eighteen months after the regulations came into effect, organizations subject to GDPR appear to believe it’s easier (and safer) to notify authorities of a privacy incident than it is to accurately assess it. In fact, more than 89,000 data breaches were reported in the first year alone. This trend of over-reporting can harm an organization’s reputation and subject it to greater regulatory oversight.
    2. 49 other U.S. states: States other than California have also recently amended their data privacy laws. Nevada SB 220 gives customers the right to opt out of the sale of their personal information. And New York’s SHIELD Act expands the definition of personal information to include biometric data and online credentials, and newly specifies the required contents of individual notifications.

Keep Your Perspective

Mahmood Sher-Jan, RadarFirst’s CEO and founder, wrote back in May for the anniversary of the GDPR’s effective date that “preparing for the GDPR was a herculean effort for many. Now here we are, one year later, and the tide of GDPR fervor has ebbed, but not significantly receded—after all, achieving compliance is a marathon, not a sprint! In a way that’s to be expected—establishing and reinforcing a strong culture of compliance is not a ‘one and done’ effort, but an ongoing and organization-wide priority and push.”

We can expect to see the same with CCPA. The noise will fade—somewhat—but the journey toward compliance will never end. With that in mind, here is a CCPA compliance checklist that can apply to more than just California’s much-discussed law:

Know the latest laws. Every U.S. state has its own breach notification law. GDPR aside, other international laws such as Canada’s PIPEDA, Australia’s Notifiable Data Breaches scheme, and Brazil’s General Data Protection Law are adding, or will add, to the complexity. One overall trend emerges from all this activity: increasing stringency and greater complexity. To maintain compliance, you and your privacy team must know the latest version of each law and how it applies to your organization. For assistance, check out Breach Law Radar, our free library of hundreds of always up-to-date global privacy laws, rules, and regulations.

Be able to respond quickly. With dozens of laws to keep track of, rapidly responding to the data privacy or security incidents your organization inevitably faces may feel impossible. Yet that is exactly what is required, as GDPR’s 72-hour notification deadline shows. This means investing in systems and thoroughly documenting organizational processes for every step of your incident response program.

Know thyself. This tip is from Dentons in a recent CCPA webinar. In it, the presenters noted, “Review and understand all existing data privacy/information security processes, procedures, and protocols. How do they align with ‘reasonable’ standards for the private right of action? How do they align with the record-keeping requirements? Where are the gaps?” (Remember, the private right of action applies to data breaches resulting from the business’s “violation of the duty to implement and maintain reasonable security procedures and practices.” So while the CCPA doesn’t add to or change the existing California data breach notification law, it gives individuals more power to sue for damages in the event of a breach. In addition, AB 1130, recently signed into law, expands the definition of personal information under the California Data Breach Notification Law.)

Tighten up practices and internal policies, especially for incident response. When an incident occurs, do you know what to do? Do your employees have an easy, centralized way to report incidents, such as a missing laptop or a misdirected fax? If your security team identifies an incident, how long does it take before the privacy team is notified? Delayed notification to the privacy team can mean delayed notification to regulatory authorities if the incident is actually a breach. What’s more, regulators want you to be able to demonstrate a consistent, repeatable, and defensible process for risk-assessing each incident to determine whether it is, in fact, a notifiable breach. Table-top exercises are an excellent way to quickly identify any gaps in your incident response program.

The Best Practice of All—Invest in Privacy Automation

With new regulations and amendments, including CCPA, coming at the speed of light, privacy teams need the right compliance software. For incident response management, that means privacy automation that guides your team through every step of the process:

  1. Identify and investigate to gather all the details critical for performing a multi-factor risk assessment.
  2. Assess the incident against the most current state, federal, global, and contractual notification obligations.
  3. Decide if the incident is a reportable breach based on guidance provided and your privacy policy.
  4. Notify affected individuals and regulators and provide incident-related documentation to regulators.
  5. Analyze incident data to pinpoint areas of improvement and pull reports for leaders and the board.

As we move into 2020, regulations such as CCPA will become the norm rather than the exception. Privacy teams who “operationalize” their incident response process now will be prepared to face the new decade with confidence.