Leveraging Data Inventories for CCPA and GDPR Compliance – Part 3

Data inventories are directories for managing sensitive data throughout the enterprise.  This article shows how to leverage those inventories for compliance with the CCPA, GDPR, and similar laws and regulations.

In Part 2, I described how to leverage data inventories for conducting risk assessments and managing the sharing of personal data with business partners under the GDPR and CCPA.  In this post, I will describe how to do so for developing breach notification plans and for managing data protection programs.

Breach Notification

Breach notification is the process of determining the scope of a breach of personal or other sensitive data, evaluating its severity, and notifying regulatory authorities and likely victims.  It is a distinct process from incident response, which is mostly centered on “battling the bad guys” and re-establishing the integrity of the organization’s infrastructure.  Perhaps the most important aspect of breach notification is rapidly assessing the details of the breach and providing actionable information to authorities and victims.  Under the GDPR, the organization (data controller) suffering the breach must notify authorities “without undue delay and, where feasible, not later than 72 hours after having become aware of” the breach.  It must also notify victims without undue delay when there is a high risk to their “rights and freedoms.”  While the CCPA is not, per se, a breach notification statute, Cal. Civ. Code §1798.82 requires victim notification “in the most expedient time possible and without unreasonable delay[.]”  That law cites specific information that must be included in a notice, which is also true of the GDPR.

Data inventories advance fulfillment of these requirements by assisting the victim organization in identifying:

  1. In general, the types of personal data in its possession and the individual elements;
  2. The personal data implicated or likely implicated in the breach;
  3. The business and technical owners of the underlying application program or process that uses the personal data.

This chart summarizes the requirements under both laws:

Data Inventories Chart 1

Data Protection Officers/Managers

The idea of a data protection officer (DPO) grew out of Germany’s implementation of the EU Data Protection Directive.  Essentially, the DPO is a data protection cop, policing use of personal data by an organization.  The GDPR’s version of the DPO more or less copied Germany’s but added additional context.  Here, the DPO has more day-to-day multinational oversight of personal data use and processing.  Appointing a DPO is mandated when the processing taking place “require[s] regular and systematic monitoring of data subjects on a large scale” or involves so-called “special personal data” (healthcare, political/religious beliefs) on a large scale.  In the U.S., the closest analog to a DPO is found in New York’s Department of Financial Services’ Part 500 regulations for financial services companies.  Part 500 mandates both the creation of an information security program and the appointment of a chief information security officer (CISO) to lead it.  The CCPA does not mandate the appointment of a DPO.  However, the complexity and scope of the law necessitates that someone with intimate knowledge of their organization’s collection and processing of personal information be appointed to lead the program.  The same is true for those EU-based organizations that aren’t required to appoint a DPO.

To this end, DPOs and data protection managers can leverage data inventories to:

  1. Identify data subjects/consumers and data elements being processed;
  2. Gain insight into how much an organization knows about an individual; and
  3. Minimize the volume of personal information the organization has in its possession and the associated risks.

This chart summarizes DPO duties under the GDPR that are applicable to the CCPA:

Data Inventories Chart 2

Data Inventories – the Cornerstone of GDPR and CCPA Compliance

In this series, I’ve described the necessity and value of data inventory, a directory of an organization’s sensitive data.  Sensitive data includes personal data, as well as information that is attorney-client privileged, export controlled, or otherwise confidential.  The definition of personal data has expanded substantially with the introduction of the GDPR and CCPA.  Now, personal data includes machine-readable data such as IP and MAC addresses, geo-location information, and browser cookies. 

The purpose of an inventory is to serve as a “single source of truth” for data protection team leaders.  It enables them to quickly and accurately answer questions such as:

  1. What sensitive data are we collecting and using?
  2. Where is it located throughout our organization?
  3. Who has access to it?
  4. With whom is it being shared?
  5. How is it protected and who is responsible for it?
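The following is an added example, not code from the article or from Spirion, showing how a minimal inventory of the kind described here can answer the five questions above and drive the breach-scoping step from the Breach Notification section (implicated elements, owners, third parties, and the 72-hour authority deadline). The records, systems, owners and vendor names are constructed, and the special-category list used for the high-risk flag is an assumed simplification.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed stand-in for GDPR special-category data; tune to your own inventory.
SPECIAL_CATEGORIES = {"health", "religion", "politics", "biometric"}

@dataclass(frozen=True)
class InventoryRecord:
    element: str            # individual data element, e.g. "email"
    category: str           # type of personal data, e.g. "contact", "health"
    system: str             # application or store where it is located
    business_owner: str     # who is responsible for the process using it
    technical_owner: str    # who administers the system (and has access)
    shared_with: tuple = () # (third party, role) pairs it is shared with

# Constructed sample inventory; hypothetical systems, owners and vendors.
INVENTORY = (
    InventoryRecord("email", "contact", "crm", "Marketing", "crm-admins",
                    (("MailVendor", "service provider"),)),
    InventoryRecord("postal_address", "contact", "crm", "Marketing", "crm-admins"),
    InventoryRecord("mac_address", "device", "analytics", "Product", "data-eng"),
    InventoryRecord("diagnosis_code", "health", "claims-db", "Benefits", "dba-team"),
)
# Time the organization became aware of the breach (constructed value).
AWARE_AT = datetime(2020, 1, 1, 9, 0)

def locate(inventory, element):
    """Answer 'where is it, who has access, with whom is it shared, who owns it'."""
    recs = [r for r in inventory if r.element == element]
    return {
        "systems": sorted({r.system for r in recs}),
        "access": sorted({r.technical_owner for r in recs}),
        "shared_with": sorted({p for r in recs for p in r.shared_with}),
        "responsible": sorted({r.business_owner for r in recs}),
    }

def scope_breach(inventory, compromised_systems, aware_at):
    """Scope a breach of the named systems using the inventory alone."""
    hit = [r for r in inventory if r.system in compromised_systems]
    return {
        "elements": sorted({r.element for r in hit}),
        "categories": sorted({r.category for r in hit}),
        "owners": sorted({(r.business_owner, r.technical_owner) for r in hit}),
        "third_parties": sorted({p for r in hit for p in r.shared_with}),
        # Special-category data present: treat as high risk to data subjects.
        "high_risk": any(r.category in SPECIAL_CATEGORIES for r in hit),
        # GDPR authority notification target: 72 hours from awareness.
        "authority_deadline": aware_at + timedelta(hours=72),
    }
```

Calling `scope_breach(INVENTORY, {"crm"}, AWARE_AT)` yields the implicated elements, their owners and the service provider to contact, plus the notification deadline, which is the "actionable information" a notification plan needs on the first day.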

There are at least five ways to advance compliance under the GDPR and CCPA using a data inventory, including:

  1. Meeting the requirements of data subject/consumer rights, such as the right to deletion;
  2. Conducting risk assessments, including Data Protection Impact Assessments (DPIA), in order to determine appropriate controls;
  3. Determining which third parties have access to personal data and in what capacity (service provider vs. licensee);
  4. Developing breach notification plans and providing actionable information to affected parties in the event of a breach; and
  5. Assisting Data Protection Officers (DPO) and other staff in executing their day-to-day duties.

Even if the GDPR did not mandate the creation of a data inventory (called a record of processing activities), data protection team leaders would still be creating them.  This is so because of the constant need for timely, accurate information about an organization’s sensitive data landscape and how that data is being used, shared, and protected.  As such, data inventories represent the cornerstone of compliance with the GDPR, CCPA, and other equally demanding data protection laws.

See how Spirion can help you meet your compliance obligations with data protection. Download the CCPA whitepaper, How Spirion Advances Compliance with the California Consumer Privacy Act of 2018 (CCPA).