The California Consumer Privacy Act (CCPA) comes into force in January 2020 and it is important to take steps to prepare for the new legislation. Since GDPR came into force, EU consumers have developed a greater awareness of their rights pursuant to the regulations, and expect businesses to comply accordingly. The same is bound to happen in the US as the introduction of new regulations, such as CCPA, will make consumers more aware of their rights and the importance of ensuring their personal data is not mishandled.
Be prepared for:
- Hypersensitivity from consumers regarding how their data is used
- A stream of communications from consumers in the months following the implementation of the Act
- Consumers misunderstanding parts of the Act and making demands which exceed the scope of the Act
- An expectation that consumer-facing staff know the details of the Act
- An eagerness to take action against non-compliant businesses
In the months following the adoption of GDPR, many businesses were inundated with requests from consumers demanding access to their data, while the businesses themselves were still struggling with compliance. One key lesson from GDPR is to ensure that everything and everyone who is consumer-facing, from staff to websites to email signatures, complies with the California Consumer Privacy Act.
Four key steps to compliance with CCPA
1. Examine your current data protection methods
Take stock of all your organization’s data collecting and data storing processes. What type of information do you keep? Do you hold sensitive personal information? It must be clear what each piece of information is used for, in case a data subject requests it. Further, analyze whether the personal information you keep is actually necessary to hold. Lastly, any sensitive personal information, such as a consumer’s social security number, driver’s license number, credit card information and more, must be kept more securely than other personal information. In most cases, sensitive personal information cannot be processed and stored under CCPA.
2. Investigate what causes problems
Analyze any data breaches or complaints you have received in the past and evaluate how your organization reacted. Did you deal with the breach immediately and in accordance with the California Consumer Privacy Act? Most of the time, you will find that there is room for improvement, so consider what can be done in the future. You should also see whether there were any individual employees or departments who were responsible for or contributed to the breach and come up with ways to improve staff training and knowledge of what to do in the case of a data breach.
3. Evaluate policies and training
What sort of data privacy training do you have in place and does it cover the CCPA 2018? It is recommended that all staff undertake training and, where possible, staff who deal with personal data as part of their day-to-day job should take training related to their role. This includes human resources, marketing and, in some cases, IT staff. Company data privacy policies should be reviewed and you should evaluate whether they are compliant with the Act and easy for anyone to understand. Is it clear from your training and policies how someone would go about reporting a data breach or the misuse of personal data? Identify where training processes and policies can be improved and make a point of reviewing this on at least an annual basis.
4. Understand the changes you need to make
Once your organization has established a plan to implement the changes that need to be made to your training, policies and data control processes, a concrete plan should be established to put these changes into effect. A step-by-step plan should be in place, with a clear timeline for when each change must be completed. Dates should be booked to review the processes, and someone should be appointed as Data Protection Officer (DPO) to oversee this process. The DPO can either be a current employee or someone appointed externally, and they should have a sufficient level of authority, resources and knowledge to oversee the process. Further, they need buy-in from the entire organization to ensure they can carry out the necessary changes, even if those changes come at a financial cost to the company.
VinciWorks’ data privacy training suite
VinciWorks’ online data privacy training suite allows organizations to train their entire staff on data privacy. Our training suite includes an interactive data privacy course that covers the latest data privacy regulations in the US, a GDPR course specifically for US-based staff and a California Consumer Privacy Act course. Our core data privacy course, Data Privacy: Fundamentals, All our training can be customized to include company and industry-specific procedures, policies and contact people. Further, our data protection reporting portals allow organizations to create, track and automate all data protection registers, such as data audits, data breaches and more.