GDPR and CCPA demonstrate that the trend towards greater data privacy protection is inevitable. These GDPR facts from 2018 outline the reality of data privacy adoption in the market:
- The European Parliament adopted the GDPR in April 2016, and it went into effect in May 2018.
- “During GDPR’s first year, 90,000+ businesses voluntarily reported breaches as they struggled to attain compliance.”
- 50% of respondents to The RSA Data Privacy & Security Report said they would be more likely to shop at a company that could prove it takes data protection seriously.
A tough data privacy law is passed, businesses struggle to comply and face business risk, and early adopters are rewarded by consumers, who are inexorably driving the change.
That was a year ago. What’s happening in late 2019?
- California’s Consumer Privacy Act (CCPA) goes into effect January 1, 2020. Similar legislation—most notably the SHIELD Act in New York—is being considered in other state houses in the United States.
- 86% of respondents to a new study are not prepared for CCPA.
- Consumers prefer the data privacy provisions of CCPA: 87% would select the CCPA-required “Do Not Sell My Personal Information” link on websites.
History is repeating. However, there are some concrete steps that you should take now to mitigate your risk and comply with CCPA.
Of course, since this is a legal issue, consult your legal team about data privacy; this post is not legal advice. With this caveat in mind, consider a couple of concrete steps to get started: 1. Identify the scope of data affected by CCPA, and 2. Determine new business practices to support consumer data privacy services.
Use progress on any existing data governance initiatives, data privacy services or programs as a starting point.
If you have a data governance practice or have started your journey towards data governance through data privacy services or a more general data governance framework, you probably have a good start to complying with the new data privacy statutes.
In a recent blog post, we argue that “data governance must be built-in, ubiquitous, and reflexive” – which helps your organization to be prepared not only for this round of regulatory changes, but also for new changes that may come. The same is true for data centricity initiatives and good data engineering practices. The reason? These initiatives help organizations identify the data and practices that fall within the scope of new laws. The list is long; for CCPA, it includes:
- Personal identifiers, like real name and IP address
- Characteristics of protected classifications
- Commercial information, like products or services purchased, obtained or considered
- Biometric information
- Internet or other electronic network activity information, like browsing history, search history, and a consumer’s interaction with a website or ad
- Geolocation data
- Audio, electronic, visual, thermal, olfactory or similar information
- Professional or employment-related information
- Education information that is not publicly available
- Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences
The list may be surprising and daunting. However, a start—even a small one—goes a long way towards breaking down compliance into manageable pieces. Data privacy services may be required to jumpstart this process if you do not have existing work to build upon.
Determine how your data governance approach and capabilities can be enhanced to meet existing data privacy needs and anticipate new requirements.
In addition to new protections for these data categories, CCPA also addresses what organizations need to do to be able to support consumers’ legitimate interest in data privacy.
For example, consumers must have the ability to:
- Know what personal information is being collected about them
- Know whether their personal information is sold or disclosed, and to whom
- Opt out of the sale of personal information
- Access their personal information
- Receive equal service at the same price, even if they exercise their privacy rights
To avoid fines and meet the requirements at scale, organizations need new or amended processes for delivering these data privacy services to consumers and providing the ability to inspect or audit the processes.
CCPA is 3 Months Away—Start Preparing Now
To prepare for the new rules, enterprises will spend more than six figures on data privacy compliance. In a recent survey, one in five surveyed professionals expect to spend more than $1 million.
As with any rush to meet regulatory deadlines, any start is better than inaction. Consumers demand better protection, which drives legislation and industry change. Savvy organizations prepare for this inevitable cycle.
Start with an inventory of consumer information covered by CCPA. Review existing data governance projects for a starting point. Plan new data practices to support consumer data privacy services required by law. Consider extensibility, as data requirements are likely to change.
Syntelli Solutions provides expertise in data governance, including data privacy services that enable you to:
- Identify where and how personally identifiable customer data is generated
- Manage where this data is stored and how it is consumed
- Confidently and seamlessly provide a complete data record upon request
- Entirely erase personal data upon request
- Adhere to privacy laws across government jurisdictions