The California Consumer Privacy Act (CCPA) has many U.S. organizations suddenly aware that their data handling practices may represent a considerable risk to business. The fact of the matter, however, is that it’s been that way for quite some time—just ask any number of the companies that have experienced data breaches in the past decade or so.
So, while CCPA may be a wake-up call, in terms of your data protection responsibilities there’s a lot more to consider than just one law (though, admittedly, it is rather impactful). Governments and other organizations have been publishing privacy laws and frameworks for longer than I’ve been on Earth, and with each significant technological advancement, they mature.
CCPA is the flavor of the year in 2019 just as GDPR was the flavor of the year in 2018, which raises the question: what's next? To be prepared for whatever comes down the pike, you need to do more than chase compliance. Like building a house, you need a strong foundation. Building a program around ethics and customer expectations provides that foundation, and it turns out most of these laws and frameworks provide a remarkably similar playbook for just that.
While today’s privacy laws have differences in how they define certain things, or what specific elements you need to include in a privacy notice, most are predicated on the same basic idea: Be responsible and honest. Collect only the information you need, do with it what people would reasonably expect you to do with it, tell people what you’re going to do with it, protect it while you have it and get rid of it when you’re finished doing that thing.
So, instead of chasing compliance, work toward a solid privacy program that will set you up for success no matter what requirements end up on your lap. Here are a few steps to get you started.
- Inventory and data mapping: First and foremost, you need to have a good understanding of your data: know what personal information (PI) you collect, why you collect it, and where you keep it. Talk to everyone who touches personal information in your organization, and find out what they collect, where they keep it and what they do with it. There's no way to ensure, for example, that you've deleted all the personal information you hold about a person unless you know what you have and where you have it.
Mapping data flows will help you understand where you get PI, where you hold it, with whom you share it, for what purpose, and what you do with it when you no longer need it. This provides the basis for every other step. It is arguably the most important thing an organization can do when creating a privacy program.
- Review privacy notices: Now that you have a good understanding of the personal information you hold, review and revise your privacy notices; make sure they accurately reflect your practices. This is an area where specific laws have specific requirements around what you must include. So, it’s important to look at the regulations in the jurisdictions where you operate and ensure you meet those requirements.
- Review or create internal documentation: Your privacy notice explains your privacy practices to the outside world, but it’s imperative that your employees and contractors know what’s expected of them to uphold that notice. Create or review formal policies, standards and processes that clearly outline the privacy obligations of the organization and employees’ data handling responsibilities as well. These documents should cover access and appropriate use, retention and deletion, and individuals’ rights over their data, among other topics.
- Understand your business relationships: If you share personal information with other entities, you need to understand the terms of that agreement. In most situations, there should be restrictions on how a third party can use the data you share with it. For example, if you share the names and addresses of your customers for a mailing, there should be a stipulation in your contract that the mailing company can't reuse that information for its own marketing later.
- Implement rights submission methods: Establish and implement methods for individuals to exercise their rights over their information. Specific to CCPA, consumers have the right to opt out of the sale of their PI and to request disclosure and deletion of their PI; in Europe, for example, there are further rights such as rectification and restriction of processing. Setting up methods and processes to take in and respond to those requests will help with your CCPA compliance, but it also puts you on a good footing for any expansion of privacy rights to come.
Even if your processes are manual to begin with, this at least allows individuals to submit requests and lets you do your best to honor them. It is also a very visible indicator of whether you are working to comply with privacy laws; getting these systems set up will help keep you out of the sights of regulators.
While this list will get you off to a good start on a solid privacy program, it’s important to remember that with privacy there’s no “done.” Internal documentation needs revision as practices, systems or priorities change. Privacy notices need to be kept up-to-date with your business practices. Legislative changes are coming fast and furious. Keeping up with it all requires an engaged and active team that reaches into every department of an organization and is a true partner in managing data in a responsible and honest way.