Complying with CCPA – What are some of the landmines?

Deborah Kish | Data breach, Data security, Privacy

I was talking to the press recently about the potential landmines for compliance with CCPA, and it got me thinking, so I thought I would share my thoughts.

I think one of the first things is that a lot of companies don't know how to interpret the law. We saw that with GDPR in the year before it went into effect. CCPA is a lot like it, but there are likely still questions.

Second are DSRs (Data Subject Requests), including the right to be forgotten. People are very in tune with their privacy these days and will want to act on it, not only to reduce spam but because of the potential for identity theft. The requests will likely come too fast, and companies holding a lot of data containing personally identifiable information (PII), the very thing those data subjects will be after them for, will find themselves in a position where they don't know where to start.

Third, most have also not started tackling unstructured data that may contain that PII. Most companies are working from dated data governance policies to begin with; they haven't updated their systems, processes and procedures to include unstructured data, and they don't have the tools in place to properly protect data. So they will first need to find what data they have (whether it is dark data or otherwise) and get rid of it based on its age and usefulness.

On a separate, yet related note, I listened to a webinar recently by AITE Group, and as with most research organizations, the subject of privacy regulation was touched on. Since California has set its privacy regulation wheels in motion, and 11 other states are making their laws stricter, the U.S. is seemingly having problems standardizing privacy laws across the nation. Arguments around who will enforce (which, by the way, was a common question with respect to GDPR), and how, can't be settled. And this makes sense: Europe has 27 member states, each enforcing on its own, whereas the U.S. is one country. So while I do believe there needs to be a national data privacy law, I am not holding my breath.

There are probably more, but these are the first that come to mind based on my 20-some-odd years of experience.

The best way to comply with CCPA and similar privacy regulations is to classify sensitive data as confidential and immediately encrypt it. This protects the data, controls user access and tracks the file wherever it travels. Rather than relying on complex classification processes to control what users can or cannot do, this approach optimizes classification and streamlines a path to protect and control your most sensitive data. You also don't have to worry about location anymore, since the file is always encrypted and access controlled.