CCPA is a complex, wide-ranging set of rules most organizations doing business with Europe need to follow. It goes deeper than that. California and others are adoptingrules identical to or close to CCPA. While it seems like CCPA is a lot to tackle, with large fines if you fail, you can get started by hitting the top areas first.
Here are ten steps to take – right now!
Your organization, and all relevant stakeholders, should be up to speed on CCPA rules – which are now over two years old. First thing to discover – do you fall under these rules? If so, all employees that touch sensitive data, and especially the IT department, should know these rules and how to follow them.
2. FIND OUT WHERE YOU STAND
Companies are in various states of CCPA compliance, ranging from none at all to complete adherence. Before embarking more deeply on your CCPA journey, find out where you stand right now. What are your policies and practices regarding data governance? Are they presented to the outside world in an open and transparent way?
If there is already data governance documentation, review this and use it as a starting point for further work. Under CCPA, this kind of documentation is mandatory. This is all part of a data protection assessment, which you can learn more about here.
3. WHAT DATA DO YOU HAVE?
Most every organization has at least some sensitive information, and chances are it needs protecting. IT should discover this information through a data audit, where it came from, where it resides, and who has access.
4. POSTING PRIVACY POLICIES
5.CREATE OR FINE-TUNE CONSENT PROCEDURES
6. DEALING WITH SUBJECT ACCESS REQUESTS (SAR)
Under CCPA, any person who has data about them held in your organization can file a SAR, which means you must gather that data, provide it to them, and delete it if requested under the right to be forgotten rule.
7. BUILD CCPA STAFF INCLUDE DATA PROTECTION LEADS
Just as you need to educate all those who touch or process sensitive data, your IT and executive
staff has their own responsibilities. A core decision is who has overall responsibility for data governance and compliance. At the same time, you need a point person to deal with regulatory authorities, who may or may not be the same person that manages governance.
8. DATA BREACH REPORTING
Blocking data breaches and reporting those that break through your barriers are key parts of the CCPA rule set. You need to have processes to prevent, investigate, report and respond to breaches. Blocking breaches is a top priority as fines are assessed for successful incursions. Having processes related to breaches can mitigate the monetary damages if one occurs.
9. KNOW WHAT RIGHTS DATA SUBJECTS HAVE
CCPA is all about protecting data and giving the data subjects deep rights. These include the right of access, right to be informed; right to restrict processing; right to data portability; the right to object, the right to not be subject to automated decision-making including profiling; and the right to erasure (the right to be forgotten).
10. CONTINUALLY UPDATE YOUR CCPA COMPLIANCE PLAN
It is clear that shops facing CCPA compliance need a plan that includes best practices
and policies. This is just the start. Regularly review the plan to insure it is current with your organization’s changes or modifications made to the regulations.
WHAT COREVIEW CAN DO FOR YOU
CoreScan from CoreView is a great tool for identifying data that falls under compliance rules. With CoreScan, it only takes a few seconds to audit your company’s documents for Personally Identifiable Information (PII), and a few quick clicks to meet CCPA compliance. Here are other key benefits:
CoreScan helps you find sensitive data so you can manage data risks and remain CCPA compliant.
With CoreScan, you can look through thousands of documents for sensitive information in mere seconds.
Whether you need to redact info or delete files, CoreScan makes it easy to locate issues and take action.
Risk scores help you prioritize a file’s threat level. Score more for credit card numbers, less for email addresses.
Scans can focus on particular folders, file types, PII and more, so reports show exactly where action is required.
This on-premises CCPA software solution offers a comprehensive review of all key documents.
Finally, thanks to CoreScan, a company like yours saved $550,000 by reducing a Subject Access Request response time from 20 days with four employees — to under five minutes with just one employee.