1. Understand everything about the data you collect, use and disclose
A comprehensive data mapping exercise is the foundation on which everything else is built. How many of the data elements in CCPA’s broad definition of personal information does the business collect? Are additional data tracking mechanisms needed? Are you considering both self-reported information and data from tools that crawl and gather information? What operational issues arise with regard to deleting data to comply with the ‘right to be forgotten’? Consider maintaining the data inventory in a searchable, relational database.
2. Evaluate how the organization transfers and sells data
Are you selling personal data under the broad interpretation of the CCPA, and if so, do you need to make adjustments to privacy notices on your websites and other consumer-facing channels? Do you have data transfer issues under the GDPR, and if so, have you done a legitimate interest assessment and maintained the proper inter-company data transfer agreements?
3. Understand requirements for privacy notices
“Nearly every piece of privacy legislation requires some form of privacy notice to some constituent,” said Dry-Wasson. “We need to understand what needs to be in that privacy notice, when we need to provide that notice, who we need to provide it to, and how we distribute it.” For the CCPA, that includes notification of consumers’ privacy rights. Under the GDPR, it includes notice around data transfers and Privacy Shield certification.
4. Embed necessary privacy language into contracts with customers and vendors
For any personal data you collect, you are responsible for it downstream as it is disclosed to others. So you need contractual language that holds customers and suppliers accountable to appropriate privacy controls. Draft template contracts, with corresponding playbooks and training for personnel who negotiate contracts. Make sure the language follows CCPA guidelines while being broad enough to meet privacy laws worldwide.
5. Build a workflow for fulfilling data subject rights requests
Both the CCPA and the GDPR grant data subjects the right of access to their personal data, as well as the right to have it deleted. Implement a technology system to accept, track and fulfill those requests. Consider ways to enable self-help to address these requests, building Privacy by Design precepts into your IT systems.
6. Have a well-established protocol for handling incidents, complaints, and breaches
Under the CCPA, a data breach could open the floodgates for class action suits. You need a tested, documented security and privacy incident response process, preferably with tools for tracking it, and a tight partnership with your IT and InfoSec teams for incident navigation.
“Provide training to your people so they know without hesitation how to report something,” said Dry-Wasson. “That 72 hours can go by in a blink, particularly when things happen on a Friday, and we can absolutely concur that this is the kind of thing that tends to occur on Friday afternoons.
“Have vendors under contract for services such as forensics, call centers, and credit monitoring already established. You don’t want to do this in a crisis, and you won’t have time.”
7. Train everybody in the organization on CCPA and GDPR requirements
“I can’t reiterate enough how important it is to have solid training and awareness,” said Dry-Wasson. “That could be online, it could be in-person, but it should absolutely be both high-level and role-based.” At Allegis, this effort is led by a dedicated change manager in the privacy office. The firm also hired a data privacy officer – a GDPR requirement, but not mandated by the CCPA.
8. Adopt Privacy by Design concepts and data privacy impact assessments
The Privacy by Design framework embeds privacy into the design and operation of IT systems, networked infrastructure, and business practices. The GDPR requires it; the CCPA does not, but it’s a best practice that reduces the cost of future development by taking privacy into account early.
Article 35 of the GDPR requires an impact assessment before data processing activities that could pose a high privacy risk. It’s not required by the CCPA, but it’s certainly a best practice.
9. Implement rigorous data security practices
“Security is obviously a critical element of every one of the privacy laws,” said Dry-Wasson. “While most of them don’t get specifically prescriptive about what you have to do, you should be considering appropriate controls to protect data, looking at places where you can do pseudonymization, encryption, or anonymization where appropriate.”
Consider pursuing certifications such as the ISO/IEC 27000 family of standards for information security. And make sure you have strong and well-documented information security policies in place.
10. Regularly revisit the organization’s CCPA and GDPR readiness
“A year into the life of GDPR, we’ve seen that compliance is a process, and it isn’t an event,” said Jeanne Kelly, a partner specializing in data protection and privacy at LK Shields in Ireland. “No company really ever reaches a point at which they can say, ‘I am now GDPR compliant.’”
However, you can demonstrate that you’re keeping pace with evolving requirements. Have strong research systems in place to stay current on data privacy laws. Be thorough about accountability and documentation. Consider third-party audits or readiness assessment tools so you’ll be able to show regulators the work you’ve done.