June 26, 2019
The California Consumer Privacy Act (CCPA) is sometimes called the U.S. version of the EU General Data Protection Regulation (GDPR), given its length (about 10,000 words) and scope. However, there is a big difference in how these laws originated. The GDPR was developed over the course of four years and brought into force in late April of 2016. This gave legal and IT departments plenty of time to budget for the needed changes in staffing, hardware, and professional services.
The same was not true for the CCPA. Companies that conduct business in California have only until the end of 2019 to come into compliance. This has caught compliance and legal staff at many companies by surprise. This isn’t the only example of a new or updated cybersecurity law with a short compliance runway. The Nevada state legislature, for example, recently passed a new data protection law that goes into effect on October 1 of this year. So, how do you prepare for a compliance deadline under such circumstances? An effective (and time-tested) approach is to boil compliance mandates down to three key areas, using what’s known as the “80/20 Rule.”
Meeting Short Compliance Deadlines With the 80/20 Rule
So, how do you address updated requirements that don’t offer much time to budget for needed changes? The 80/20 Rule can help bridge the gap. As a refresher, the rule generally states that 80% of something is accounted for by 20% of something else. For example, 80% of a hardware store’s sales are accounted for by 20% of its inventory. The same is often true with data protection laws.
As such, the CCPA has numerous mandates, but the bulk of the work involved in remediation involves only three areas. Compliance leaders can meet the looming CCPA deadline by focusing on the following:
- Identifying (and revealing) what personal data the company collects;
- Revealing to whom that data is “sold”; and
- Deleting that data upon request.
Identifying (and revealing) what personal data the company collects
Identifying where personal data exists in an organization’s information “ecosystem” involves an iterative
- First, identify the systems or programs that likely process personal data as defined by the law, such as HR, customer service, and shipping.
- Then, interview technical and business “owners” of those systems to determine and list the individual personal data elements (name, address, phone).
- Finally, validate with data discovery software. This software travels through the organization’s network and cloud repositories, searching for information that “looks” like personal data, then applying an algorithm to confirm or
Once one iteration is complete, re-interview the system owners based on the updated information, and make corrections until there’s consensus as to what personal data is being collected. This information goes into your organization’s data inventory. From there, you can reply to consumer data access requests with concise reports that delineate exactly what personal data is being collected.
Revealing to whom that data is “sold”
The CCPA mandates that businesses reveal to whom personal data is being “sold,” using a very expansive definition. Again, data discovery software can assist organizations during the search process by tagging documents or files containing personal data with labels such as “consumer” or “personal” or “CCPA.”
From there, it’s a matter of running a report and determining which of that personal data is also being transferred to third parties such as licensees and cloud service providers. You can then include the name of the third party and their contact information in the reply to the consumer data access request.
Deleting that data upon request
Consumers may request that their personal data be deleted by businesses and their third parties. Once again, data discovery software comes into play. That software typically offers several options for disposal, such as “shredding” using Department of Defense standards, encrypting, or moving the data to an off-line location (e.g., backup tapes). Deletion, then, is a matter of running a report for the requesting consumer and deleting the documents tagged as personal information.
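The three steps above (validate candidate personal data with a confirming algorithm, roll the findings into a data inventory and a third-party transfer report, then delete tagged documents for a requesting consumer) can be illustrated with a small scanner. The following is an added example written for this article, not Spirion’s software or any real data discovery product. The file contents, the system-to-third-party map, and the validators (Luhn checksum for card numbers, octet range for IP addresses, ten-digit NANP-style phone numbers) are all constructed assumptions chosen so the example runs offline.

```python
import re
from typing import Dict, List, Set

# Constructed sample repository (path -> contents); none of this is real data.
# The top-level directory stands in for the "system" that owns the file.
SAMPLE_FILES: Dict[str, str] = {
    "hr/employee_roster.csv": "name,phone,email\nAda Lovelace,(415) 555-0142,ada@example.com\n",
    "shipping/manifest.txt": "Ship to: Grace Hopper, 1 Main St\nContact: 415-555-0199\n",
    "marketing/ad_clicks.log": "2019-06-01 click adid=ABC123 ip=198.51.100.7 bad=999.1.1.1\n",
    "finance/orders.txt": "Order 1001 card 4111 1111 1111 1111 exp 12/21\n",
    "docs/readme.txt": "Nothing personal here. Build 1234567890123 from 2019\n",
}

# Constructed map of system -> third parties it transfers data to (assumption).
TRANSFERS: Dict[str, List[str]] = {
    "shipping": ["Parcel carrier (constructed)"],
    "marketing": ["Ad network (constructed)"],
}

# Step 1: candidates -- text that merely "looks like" a personal data element.
PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "phone": re.compile(r"\(?\b\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4}\b"),
    "card": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}


def digits_only(value: str) -> str:
    return re.sub(r"\D", "", value)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: confirms a digit string is a plausible card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


# Step 2: validators -- the confirming algorithm applied to each candidate.
VALIDATORS = {
    "email": lambda v: ".." not in v,
    "phone": lambda v: len(digits_only(v)) == 10 and digits_only(v)[0] not in "01",
    "card": lambda v: luhn_ok(digits_only(v)),
    "ipv4": lambda v: all(0 <= int(octet) <= 255 for octet in v.split(".")),
}


def scan_repository(files: Dict[str, str]) -> Dict[str, Dict[str, List[str]]]:
    """Return {path: {element: [confirmed values]}} for files that hold personal data."""
    findings: Dict[str, Dict[str, List[str]]] = {}
    for path, text in files.items():
        for element, pattern in PATTERNS.items():
            confirmed = [m.group(0).strip() for m in pattern.finditer(text)
                         if VALIDATORS[element](m.group(0).strip())]
            if confirmed:
                findings.setdefault(path, {})[element] = confirmed
    return findings


def data_inventory(findings: Dict[str, Dict[str, List[str]]]) -> Dict[str, Set[str]]:
    """Roll findings up per system, the way a data inventory lists data elements."""
    inventory: Dict[str, Set[str]] = {}
    for path, elements in findings.items():
        system = path.split("/", 1)[0]
        inventory.setdefault(system, set()).update(elements)
    return inventory


def third_party_report(findings, transfers: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Systems that hold personal data and also transfer it to third parties."""
    return {system: transfers[system] for system in data_inventory(findings) if system in transfers}


def normalize(value: str) -> str:
    """Strip spacing and punctuation so '(415) 555-0142' equals '4155550142'."""
    return re.sub(r"[\s()-]", "", value).lower()


def delete_on_request(files: Dict[str, str], findings, consumer_identifiers: Set[str]) -> List[str]:
    """Remove every document tagged as personal that contains one of the consumer's identifiers."""
    wanted = {normalize(i) for i in consumer_identifiers}
    removed = [path for path, elements in findings.items()
               if {normalize(v) for vals in elements.values() for v in vals} & wanted]
    for path in removed:
        del files[path]
        del findings[path]
    return sorted(removed)


if __name__ == "__main__":
    files = dict(SAMPLE_FILES)
    findings = scan_repository(files)
    print("inventory:", data_inventory(findings))
    print("third parties:", third_party_report(findings, TRANSFERS))
    print("deleted:", delete_on_request(files, findings, {"ada@example.com"}))
```

Two design points carry over to real tooling: the pattern stage is deliberately loose and the validator stage does the rejecting (the 13-digit build number in `docs/readme.txt` and the malformed IP address both fall out there), and deletion keys off the inventory of confirmed findings rather than re-scanning, so what gets deleted is exactly what the access-request report said was held.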
Applicability to Other Laws
Let’s use the aforementioned Nevada data protection law, S.B. 220, as an example. It enables consumers, at any time, to direct the “operator” (i.e., owner) of a website not to make any sale of any personal information that the operator has collected or will collect about Nevada consumers.
A national retailer with an e-commerce site would likely have 75-100 applications supporting its operations overall. However, only a few key ones are relevant to Nevada consumers. For example:
- A shopping cart or similar sales program, showing what a given consumer purchased and when;
- Shipping information, such as address, phone, who signed for the delivery, etc.;
- Interactions with customer service; and
- Interactions with advertisements on the retailer’s website, often tracked by using cookies, and related analysis.
So, in updating (or developing) a data inventory, prioritizing those four or so applications means conducting interviews with the application business and technical owners as to what data elements are being collected or processed (name, IP address, advertisement ID) and then validating with data discovery software.
Developing a data inventory that addresses all relevant applications typically takes 8-12 weeks; with this 80/20 process, you and your team can complete needed updates in 2 weeks. In addition, a common result of this process is to discover “orphaned” data repositories that could be prime targets for criminals or other intruders.
More Short Compliance Runways on the Horizon
As of this writing, no fewer than 18 new bills addressing data protection have passed into law this year, many of which have short deadlines for compliance:
Undoubtedly, more are on the way. The mandates for some of these new laws are extensive, with Mississippi’s being particularly arduous (I’ll be covering all of these new and updated laws on this webinar). The key to success in all cases, however, is twofold:
- Identifying and prioritizing those few areas that represent the bulk of the law’s requirements; and
- Determining what personal data is implicated and updating the data inventory accordingly.
Once complete, you’ll have a lot more runway for addressing any remaining legal requirements during upcoming budget cycles.
Companies that conduct business in California have only until the end of 2019 to come into compliance. Compliance and legal staff at many companies still have time to meet this deadline with immediate attention.
See how Spirion can help you live by the 80/20 rule of regulatory compliance. Schedule a customized risk assessment with one of our data security experts to see our data protection solutions in action.