
Leveraging Data Inventories for CCPA and GDPR Compliance – Part 2

Data inventories are directories for managing sensitive data throughout the enterprise.  This article shows how to leverage those inventories for compliance with the CCPA, GDPR, and similar laws and regulations.

In Part 1, I described how to leverage data inventories to fulfill individual rights requests under the GDPR and CCPA.  In this post, I will describe how to do so for conducting risk assessments and managing the sharing of personal data with business partners.

Conducting Risk Assessments Under the GDPR and CCPA

Risk assessments are processes for identifying threat/vulnerability combinations and prioritizing their resolution.  When developed correctly, they serve to drive data protection expenditures toward the best value in terms of budget and time.  All or nearly all modern data protection laws and regulations mandate a risk assessment in some form.  Sometimes the phrase “risk assessment” is explicitly cited (e.g., NYCRR Part 500); more often, it is not quite as succinct.  Article 32 of the GDPR is one example, featuring a risk “preamble” and then a mandate for the implementation of controls:

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk[.]

The GDPR then goes on to list examples of such measures.  The CCPA takes a less wordy tack, mandating that businesses “[I]mplement and maintain reasonable security procedures and practices appropriate to the nature of the information[.]”  Under either of these approaches, data inventories are a feeder, providing details on:

  1. The individual data elements processed;
  2. Which applications share and further process the data; and
  3. With whom outside of the organization the data is shared.

Under Article 35 of the GDPR, when the envisaged processing of personal data creates a high risk to individuals, an additional or expanded assessment called a data protection impact assessment (DPIA) is mandated.  Essentially, this is an assessment for a worst-case scenario: what could happen if personal data were compromised?  Data inventories are equally relevant here.

This chart summarizes the requirements under both laws:

Sharing Personal Data With Business Partners

The challenges associated with the sharing of personal data are, in some respects, in a class by themselves.  This is so because the responsibilities for protecting that data are multiplied among recipients.  The licensing of personal data to Cambridge Analytica by Facebook is Exhibit A.  Facebook missed several opportunities to prevent misuse of that data, and the result was a $5B fine levied against the company.  The idea of policing the sharing of personal data was popularized by the EU Data Protection Directive 95/46/EC.  There, it was referred to as an “onward transfer.”  The GDPR uses this same language and devotes Chapter V (Arts. 44 – 50) to the associated requirements.  The CCPA takes the limiting of onward transfers a step further.  It offers California consumers the ability to tell businesses not to transfer personal information and their third-party recipients not to use it.  Data inventories advance compliance with the foregoing by:

  1. Identifying third-party recipients of personal data/personal information as well as precisely what is being transferred; and
  2. Helping distinguish between those merely processing or providing some service and those that are using it for their own

Note that even when the recipient business partner is a processor/service provider, there are still numerous opportunities for failure.  Article 28(3) of the GDPR acknowledges this by citing many requirements to be incorporated in the contract between the business and the processor.

This chart summarizes how the GDPR and CCPA regulate business partner recipients of personal data/personal information:

In part 3 of this series, I will describe how to leverage data inventories for developing breach notification plans and for managing data protection programs.
