Leveraging Data Inventories for CCPA and GDPR Compliance – Part 2

Data inventories are directories for managing sensitive data throughout the enterprise. This article shows how to leverage those inventories for compliance with the CCPA, GDPR, and similar laws and regulations.

In Part 1, I described how to leverage data inventories to fulfill individual rights requests under the GDPR and CCPA.  In this post, I will describe how to do so for conducting risk assessments and managing the sharing of personal data with business partners.

Conducting Risk Assessments Under the GDPR and CCPA

Risk assessments are processes for identifying threat/vulnerability combinations and prioritizing their resolution. When developed correctly, they serve to drive data protection expenditures toward the best value in terms of budget and time. All or nearly all modern data protection laws and regulations mandate a risk assessment in some form. Sometimes the phrase “risk assessment” is explicitly cited (e.g., NYCRR Part 500); more often, it is not quite as succinct. Article 32 of the GDPR is one example, featuring a risk “preamble” and then a mandate for the implementation of controls:

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk[.]

The GDPR then goes on to list examples of such measures. The CCPA takes a less wordy tack, mandating that businesses “[I]mplement and maintain reasonable security procedures and practices appropriate to the nature of the information[.]” Under either of these approaches, data inventories are a feeder, providing details on:

  1. The individual data elements processed;
  2. Which applications share and further process the data; and
  3. With whom outside of the organization the data is shared.

Under Article 35 of the GDPR, when the envisaged processing of personal data creates a high risk to individuals, an additional or expanded assessment called a data protection impact assessment (DPIA) is mandated. Essentially, this is an assessment for a worst-case scenario: what could happen if personal data was compromised? Data inventories are equally relevant here.

This chart summarizes the requirements under both laws:

Sharing Personal Data With Business Partners

The challenges associated with the sharing of personal data are, in some respects, in a class by themselves. This is so because the responsibilities for protecting that data are multiplied among recipients. The licensing of personal data to Cambridge Analytica by Facebook is Exhibit A. Facebook missed several opportunities to prevent misuse of that data, and the result was a $5B fine levied against the company. The idea of policing the sharing of personal data was popularized by the EU Data Protection Directive 95/46/EC. There, it was referred to as an “onward transfer.” The GDPR uses this same language and devotes Chapter V (Arts. 44–50) to the associated requirements. The CCPA takes the limiting of onward transfers a step further. It offers California consumers the ability to tell businesses not to transfer personal information and their third-party recipients not to use it. Data inventories advance compliance with the foregoing by:

  1. Identifying third-party recipients of personal data/personal information as well as precisely what is being transferred; and
  2. Helping distinguish between those merely processing or providing some service and those that are using it for their own purposes.

Note that even when the recipient business partner is a processor/service provider, there are still numerous opportunities for failure. Article 28(3) of the GDPR acknowledges this by citing many requirements to be incorporated in the contract between the business and the processor.

This chart summarizes how the GDPR and CCPA regulate business partner recipients of personal data/personal information:

In part 3 of this series, I will describe how to leverage data inventories for developing breach notification plans and for managing data protection programs.

See how Spirion can help you meet your compliance obligations with data protection. Download the CCPA whitepaper, How Spirion Advances Compliance with the California Consumer Privacy Act of 2018 (CCPA).