Collibra recently partnered with Kelle O’Neal, CEO of First San Francisco Partners (FSFP), to host a joint webinar “Meeting the CCPA Challenge” about the complexities of the California Consumer Protection Act (CCPA) for the International Association of Privacy Professionals (IAPP).
Today’s digital landscape puts intense pressure on organizations. Competition is fierce. Customers are constantly demanding more. Every company and employee has to work smarter and faster to make decisions. And today, business decisions must be validated by data. New data laws appear seemingly every day and they can (and will likely) introduce new constraints. Balancing all these pressures can seem impossible for many businesses.
Kelle O’Neal argues that the impossible is possible. The CCPA is the most recent privacy law to come into play, but it certainly is not the last. In this webinar, O’Neal gives an overview of the CCPA and details practical ways to start complying with the CCPA and prepare your business for every regulation on its way. Here are some of the key takeaways we gathered from the webinar:
1) The CCPA will continue to evolve, so prepare yourself for now, tomorrow, and the years to come.
The CCPA officially went into effect on January 1, 2020, impacting over 40 million California residents and thousands of businesses who use personal information (PI) around the globe. Aspects of the CCPA include:
- Right to know. Consumers can ask businesses what categories of their PI are being collected
- Right to access. Consumers can ask businesses to provide the list of actual PI values collected
- Right to delete. Consumers can ask businesses to delete their PI
- Right to opt out. Consumers can ask businesses to stop selling their PI or using it for business benefit
- Right to equal service. Businesses cannot discriminate against a consumer for exercising their rights
- Notice to consumer. Businesses must provide clear notice about the categories of PI they collect
- Verifiable consumer request (VCR). Consumers must submit a VCR to exercise their rights and businesses must respond within 45 days
While these rules seem straightforward now, change is inevitable. The CCPA will evolve and new regulations will emerge over time. CCPA and GDPR were just the beginning of a wave of data privacy regulations. Nevada and Australia already passed regulations. New York and Massachusetts legislators are ramping up conversations about data privacy and the British Parliament is rethinking its policies after Brexit. All of these laws have and will have similarities, but they also have many unique nuances and will be modified as consumer demands and expectations change.
It’s not enough to come up with a plan that solves the challenges of the CCPA as it stands right now. It is essential to implement a flexible and scalable strategy.
2) Use your data governance framework as the foundation of your data privacy strategy.
How can an organization implement a flexible and scalable data privacy strategy?
You have to find the best starting point, and data governance is a good option. To adhere to privacy regulations, you need to know what data you have, where it is, and why you have it. The data governance framework covers the processes, people, and technology around your data, so it’s a natural starting place when building the foundation for your privacy strategy. The data governance team is the best organizational fit to coordinate data practices across the business, so this team should partner with the privacy team to provide a framework for the processes, policies, and technologies necessary to manage a long-standing privacy program.
3) Data privacy compliance is interdisciplinary. It is not just the responsibility of the privacy and legal teams.
Sure, the data governance team should coordinate with the privacy and legal departments to create a data privacy strategy, but that’s just one step of the process. Data privacy compliance requires collaboration across the whole organization. O’Neal notes that “these are key roles and departments that must team up to lead the data privacy strategy:”
- Data governance to oversee data management, issue data policies, and work in the trenches
- Office of the General Counsel to lend their deep understanding of the legal nuances and implications, engage the outside law and provide a seal of approval on the plan
- Chief Privacy Officer to contribute their deep knowledge of how to handle personal data for legal, regulatory, and business strategies
- Chief Information Security Officer (CISO) to manage access to data and technical aspects of the program
Data privacy and data governance are not just point-projects for this leadership team. All lines of the business need to embrace privacy by design principles. The leadership team needs to work to embed governance and privacy into all business and analytical processes. It’s essential to communicate and educate all employees on the data privacy strategy and train them on the standardized tactics and practices to follow.
4) Think beyond data privacy and embrace data ethics.
Compliance does not equal ethics. It’s possible to have a data governance framework and data privacy practices but still have gray areas around ethical data use.
In the webinar, O’Neal gave an example that one of her consults shared about a utility company that has a monopoly on the market. This utility company wanted to terminate customers that have failed to pay their bills consistently. The company initially found an easy explanation for an easy solution: the customers aren’t paying their bills, so the company cuts off their use. But is that ethical? Consider this:
- What if these customers are low income? They’re just trying to make ends meet, so no wonder they can’t pay all of their bills on time. Cutting off their access only makes their unfortunate circumstances much worse
- What if one of the customers is an elderly couple living in the Deep South? These two people can’t survive a hot summer without air conditioning
- This company is also a monopoly, so these customers have no other way of getting utilities if they are cut off
The utility monopoly didn’t break any CCPA requirements here, but did they use that data to make an ethical business decision?
Ethics come into play when managing data and when making data-driven business decisions. Every individual has their own set of ethics, so a company needs to clarify the standards it expects its employees to uphold and build an ethical culture. Creating an ethical data culture helps to articulate your company’s view of data, data usage, data sharing, and data privacy.
5) Technology can empower your teammates to use data compliantly and ethically.
In order to comply with data privacy regulations, you need to know what data you have, where it sits, and how you use it. Many organizations handle these activities manually, but technology can automate data processes to expedite these activities and help avoid error.
At the end of the presentation, we gave a demonstration of our Collibra Privacy & Risk product that helps organizations govern and operationalize privacy policies with one enterprise-grade platform. We gave an example of our imaginary persona, Preston, who is the Privacy Steward at a large multinational company. To do his job effectively, Preston has to ask a lot of important questions, including:
- What kind of personal information do we have?
- Where is the personal information stored?
- Is the data secure?
In the demonstration, we saw Preston answer all of these questions in a matter of minutes by:
- Identifying data classification policies to understand what type of data he has and the level of sensitivity
- Using traceability diagrams to see where data is stored, why it’s there, and how it’s used
- Leveraging data mapping capabilities to see which regulations govern which data categories
Data privacy regulations are confusing, and getting privacy right is a multi-step process that is only getting more complex. Organizations will have to understand each relevant law, create a solid data governance framework, collaborate, embrace an ethical data culture, and adopt technology to comply with all the regulations now and in the future.