June 26, 2019
The California Consumer Privacy Act (CCPA) is sometimes called the U.S. version of the EU General Data Protection Regulation (GDPR), given its length (about 10,000 words) and scope. However, there is a big difference in how these laws originated. The GDPR was developed over the course of four years and brought into force in late April of 2016. This gave legal and IT departments plenty of time to budget for the needed changes in staffing, hardware, and professional services.
The same was not true for the CCPA. Companies that conduct business in California have only until the end of 2019 to come into compliance. This has caught compliance and legal staff at many companies by surprise. This isn’t the only example of a new or updated cybersecurity law with a short compliance runway. The Nevada state legislature, for example, recently passed a new data protection law that goes into effect on October 1 of this year. So, how do you prepare for a compliance deadline under such circumstances? An effective (and time-tested) approach is to boil compliance mandates down to three key areas, using what’s known as the “80/20 Rule.”
Meeting Short Compliance Deadlines With the 80/20 Rule
So, how do you address updated requirements that don’t offer much time to budget for needed changes? The 80/20 Rule can help bridge the gap. As a refresher, the rule generally states that 80% of something is accounted for by 20% of something else. For example, 80% of a hardware store’s sales are accounted for by 20% of its inventory. The same is often true with data protection laws.
As such, the CCPA has numerous mandates, but the bulk of the work involved in remediation involves only three areas. Compliance leaders can meet the looming CCPA deadline by focusing on the following three areas:
- Identifying (and revealing) what personal data the company collects;
- Revealing to whom that data is “sold”; and
- Deleting that data upon request.
Identifying (and revealing) what personal data the company collects
Identifying where personal data exists in an organization’s information “ecosystem” involves an iterative process:
- First, identify the systems or programs that likely process personal data as defined by the law, such as HR, customer service, and shipping.
- Then, interview technical and business “owners” of those systems to determine and list the individual personal data elements (name, address, phone).
- Finally, validate with data discovery software. This software travels through the organization’s network and cloud repositories, searching for information that “looks” like personal data, then applying an algorithm to confirm or rule out each candidate.
Once one iteration is complete, re-interview the system owners based on the updated information, and make corrections until there’s consensus as to what personal data is being collected. This information goes into your organization’s data inventory. From there, you can reply to consumer data access requests with concise reports that delineate exactly what personal data is being collected.
Revealing to whom that data is “sold”
The CCPA mandates that businesses reveal to whom personal data is being “sold,” using a very expansive definition. Again, data discovery software can assist organizations during the search process by tagging documents or files containing personal data with labels such as “consumer” or “personal” or “CCPA.”
From there, it’s a matter of running a report and determining which of that personal data is also being transferred to third parties such as licensees and cloud service providers. You can then include the name of the third party and their contact information in the reply to the consumer data access request.
Deleting that data upon request
Consumers may request that their personal data be deleted by businesses and their third parties. Once again, data discovery software comes into play. That software typically offers several options for disposal, such as “shredding,” using Department of Defense standards, encrypting, or moving the data to an off-line location (e.g., backup tapes). Deletion, then, is a matter of your running a report for the requesting consumer and deleting documents tagged as personal information.
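The three steps above (discover candidates and confirm them with a second check, tag the files and report which tagged repositories go to third parties, and delete tagged files for a requesting consumer) can be illustrated with a small scanner. The following is an added example written for this page; it is not Spirion’s or any vendor’s code. The repository contents, third-party transfer list and consumer identifiers are constructed sample data, and the confirmation rules (Luhn check for card numbers, SSA area/group/serial rules for SSN-like strings) stand in for whatever algorithm a real discovery product applies.

```python
import re
from collections import defaultdict

# Constructed sample repository: path -> file contents. None of this is real data.
SAMPLE_FILES = {
    "hr/employees.csv": "name,phone,ssn\nAlice Example,555-0100,123-45-6789\n",
    "shipping/orders.txt": "Order 42 shipped to 1 Main St; contact alice@example.com, card 4111111111111111\n",
    "marketing/plan.md": "# Q3 plan\nBudget 1234567890 units\nversion 4111-1111-1111-1112\n",
    "docs/readme.txt": "Nothing personal here.\n",
}

# Constructed metadata: repository prefix -> third parties that receive a copy of it.
THIRD_PARTY_TRANSFERS = {
    "shipping/": ["ExampleShip Co. (logistics), privacy@exampleship.invalid"],
    "marketing/": ["ExampleAds Inc. (analytics), dpo@exampleads.invalid"],
}

# Cheap first pass: patterns for things that merely "look like" personal data.
PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "phone": re.compile(r"\b(?:\d{3}-)?\d{3}-\d{4}\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "card": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def confirm(kind: str, value: str) -> bool:
    """Second pass: reject candidates the pattern accepted but that cannot be real."""
    if kind == "card":
        digits = re.sub(r"\D", "", value)
        return 13 <= len(digits) <= 16 and luhn_ok(digits)
    if kind == "ssn":
        area, group, serial = value.split("-")
        return (area not in ("000", "666") and not area.startswith("9")
                and group != "00" and serial != "0000")
    return True


def scan(files: dict) -> dict:
    """Return {path: {kind: [confirmed values]}} for every file holding personal data."""
    inventory = {}
    for path, text in files.items():
        found = defaultdict(list)
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(text):
                if confirm(kind, match.group(0)):
                    found[kind].append(match.group(0))
        if found:
            inventory[path] = dict(found)
    return inventory


def tag(inventory: dict) -> dict:
    """Label each discovered file, as the post describes discovery tools doing."""
    return {path: ["personal", "CCPA"] for path in inventory}


def third_party_report(inventory: dict, transfers: dict) -> dict:
    """For each tagged file, list the third parties that receive its repository."""
    report = {}
    for path in inventory:
        recipients = [r for prefix, rs in transfers.items() if path.startswith(prefix) for r in rs]
        if recipients:
            report[path] = recipients
    return report


def files_for_consumer(inventory: dict, identifiers) -> list:
    """Access request: tagged files whose confirmed values include one of the consumer's identifiers."""
    ids = set(identifiers)
    return sorted(p for p, kinds in inventory.items()
                  if ids & {v for values in kinds.values() for v in values})


def delete_for_consumer(files: dict, inventory: dict, identifiers) -> list:
    """Deletion request: remove the consumer's files from the repository; returns the paths removed."""
    targets = files_for_consumer(inventory, identifiers)
    for path in targets:
        del files[path]
    return targets


if __name__ == "__main__":
    repo = dict(SAMPLE_FILES)
    inv = scan(repo)
    print("inventory:", inv)
    print("tags:", tag(inv))
    print("third parties:", third_party_report(inv, THIRD_PARTY_TRANSFERS))
    print("deleted:", delete_for_consumer(repo, inv, ["alice@example.com", "555-0100"]))
```

Note that `marketing/plan.md` never reaches the inventory: its sixteen-digit string matches the card pattern but fails the Luhn check, which is exactly the confirm-or-rule-out step that keeps a discovery report from being padded with false positives.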
Applicability to Other Laws
Let’s use the aforementioned Nevada data protection law, S.B. 220, as an example. It enables consumers, at any time, to direct the “operator” (i.e., owner) of a website not to make any sale of any personal information that the operator has collected or will collect about Nevada consumers.
A national retailer with an e-commerce site would likely have 75-100 applications supporting its operations overall. However, only a few key ones are relevant to Nevada consumers. For example:
- A shopping cart or similar sales program, showing what a given consumer purchased and when;
- Shipping information, such as address, phone, who signed for the delivery, etc.;
- Interactions with customer service; and
- Interactions with advertisements on the retailer’s website, often tracked by using cookies, and related analysis.
So, in updating (or developing) a data inventory, prioritizing those four or so applications means conducting interviews with the application business and technical owners as to what data elements are being collected or processed (name, IP address, advertisement ID) and then validating with data discovery software.
Developing a data inventory that addresses all relevant applications typically takes 8-12 weeks; with this 80/20 process, you and your team can complete needed updates in 2 weeks. In addition, a common result of this process is to discover “orphaned” data repositories that could be prime targets for criminals or other intruders.
More Short Compliance Runways on the Horizon
As of this writing, no fewer than 18 new bills addressing data protection have passed into law this year, many of which have short deadlines for compliance:
Undoubtedly, more are on the way. The mandates for some of these new laws are extensive, with Mississippi’s being particularly arduous (I’ll be covering all of these new and updated laws on this webinar). The key to success in all cases, however, is twofold:
- Identifying and prioritizing those few areas that represent the bulk of the law’s requirements; and
- Determining what personal data is implicated and updating the data inventory accordingly.
Once complete, you’ll have a lot more runway for addressing any remaining legal requirements during upcoming
Companies that conduct business in California have only until the end of 2019 to come into compliance. Compliance and legal staff at many companies still have time to meet this deadline with
See how Spirion can help you live by the 80/20 rule of regulatory compliance. Schedule a customized risk assessment with one of our data security experts to see our data protection solutions in action.