Five things to do to Prepare for CCPA

Requirements for the California Consumer Privacy Act (CCPA) go into effect on January 1, 2020. Like GDPR, the CCPA is broad in its definition of “personal information.” It defines it as personal information that “could reasonably be linked, directly or indirectly, with a particular consumer or household.”

You won’t find the word “household” in GDPR. It implies that personal information doesn’t have to be tied to a specific name or individual (think home address, home devices, geolocation data, home network IP addresses, and the like).

GDPR lesson learned? Don’t do the same work twice.

Many companies started preparing for GDPR by hiring lawyers and consultants to do impact assessments, map out workflows, manually survey data sets, and introduce internal guidelines. This documentation is certainly important. But operationalizing GDPR and CCPA, such that compliance is automated, requires applying this work to a diverse set of data repositories—in addition to leveraging existing IT security tools, and other IT systems (e.g., SIEM, ticketing, data governance). Thus, it’s critical to get your CTO, CISO, data governance team, and chief privacy officer together to do it right the first time.

Five things to do to prepare for CCPA

  1. Establish a team, define responsibilities, and get your CxOs on the same page (business and technologists).
  2. Know which personal data you have and where it resides. Account for all data types—both at rest and in motion.
  3. Understand why and how you’re using your data, and be able to map it back to obligations such as CCPA and GDPR.
  4. Assess existing ticketing tools and other applications to help accelerate data subject access requests (DSAR).
  5. Operationalize and automate early. Use CCPA as an opportunity to apply data privacy automation to GDPR compliance, third-party data sharing agreements, and internal data use policies—on both personal information and intellectual property.

Highlights of CCPA compliance requirements, challenges, and how Integris responds

Using Integris Software, you can identify and tag personal data across any system, apply regulatory rules and contractual obligations, assess risk, and automate actions.

Summary Description
of Requirements for Sections 1798.100 and 1798.175
Data Privacy
Management Challenges
The Right to Access,
and Applicability Consumers have the right to request that a business that collects their personal information disclose the categories and specific pieces of personal information it has collected. Personal information isn’t limited to what’s collected electronically or over the internet; it also applies to the collection and sale of all personal information collected by a business about a consumer or household.
Not all personal data has an obvious tie back to a user ID (e.g., household data, GPS locations, voice to text, or follower lists on Instagram). Sensitive data has an  evolving nature. What’s considered a sensitive category or piece of data today may not be considered sensitive tomorrow, and vice versa.

Understanding derivative personal data is important, yet challenging. For example, food choices on an RSVP card can infer religion.

The number of sensitive data categories a business needs to track varies widely depending on its industry and specific business type.

Categories will often fall into different classifications and schemas (depending on the organization) and have different handling and access restrictions.

Companies may need to limit the sale or transfer of personal information based on its classification level.

Integris will never ask you to send us large customer data sets, because we assume all data is identifiable—even if it’s not directly tied to user IDs. By using a combination of contextual awareness, natural language processing, and machine learning, we map all sensitive data elements for complete and accurate results.Using machine learning, our deeper inspection identifies data down to the data element level so as to assess privacy, integrity, and handling violations.

Your data privacy landscape includes a detailed understanding of personal data categories, classifications, and individual data elements—including derivative personal data. You can even create your own definitions of sensitive data or let our machine learning make suggestions for you.

Integris’ ability to handle data in motion is key to helping you understand which data is entering or leaving your organization via data sharing agreements, and the streams and feeds your data scientists rely on for continuous innovation.

Summary Description
of Requirements for Sections 1798.110 and 1798.135
Data Privacy
Management Challenges
Right to Request Disclosure of Information Collected, and Compliance Obligations

A consumer shall have the right to request that a business that collects personal information disclose to the consumer the categories of third parties with which it shares personal information, and the specific pieces of personal information it has collected.

For consumers who exercise their right to opt out of the sale of their personal information, businesses must refrain from selling it.

There’s often a disconnect between what has been agreed to on paper by lawyers and what’s happening with the actual data. Often times, the people who negotiate the contract differ from those shipping the data, causing public embarrassment and loss of consumer trust.

Also, the way contracts are written is not necessarily the way data is represented. The word “location” might appear in a contract, but the data set contains latitude and longitude values. Therefore, businesses must account for how data elements might be combined to fit the legal terms on their data sharing agreements.

Integris continuously monitors your sensitive data against data sharing agreements, and ties relevant information back to contractual obligations.

We help you identify data and assign it to categories, giving it classifications such that you have granular control over the use and transfer of customer data.

Summary Description
of Requirements for Sections 1798.105, 1798.120 and 1798.130
Data Privacy
Management Challenges
Right to Deletion, Right to Opt Out, and Disclosure Obligations

Consumers have the right to request that a business delete any personal information it has collected about them.

Consumers can, at any time, direct a business that sells personal information to third parties to not sell their personal information. This is referred to as the right to opt out.

Businesses need to be able to associate information, provided by a consumer in a verifiable request,
to any personal information previously collected by the business about that consumer.

Not all personal data is tied to a user ID. Even without an ID the individual can still be identified in a data set. By simply mapping IDs to pre-existing metadata, businesses run the risk of creating a false sense of security about the data they have, which security parameters are being applied, and whether they’re in compliance with any regulatory mandate.  Integris operates at the data element level to inform you exactly what’s in your data set, not just what the metadata implies. The result? We’re able to support your DSAR effort and map data elements back to a specific consumer for complete and accurate results.

In addition, we can flag issues relating to data residency and retention, misclassification and mislabeling, and security issues, such as lack of encryption for highly sensitive data.

Integris makes it easy to respond to data subject access requests. Customer service reps can input data, find requested information, and share it back out with customers. They can preview DSAR reports, add private notes, and send them to the next step in your workflow.

Integris integrates with your existing ticketing system, and provides detailed logs for internal audits and compliance needs.