10 Steps To CCPA Compliance

CCPA is a complex, wide-ranging set of rules most organizations doing business with Europe need to follow. It goes deeper than that. California and others are adoptingrules identical to or close to CCPA. While it seems like CCPA is a lot to tackle, with large fines if you fail, you can get started by hitting the top areas first. Here are ten steps to take – right now!

1. EDUCATION

Your organization, and all relevant stakeholders, should be up to speed on CCPA rules – which are now over two years old. First thing to discover – do you fall under these rules? If so, all employees that touch sensitive data, and especially the IT department, should know these rules and how to follow them.

2. FIND OUT WHERE YOU STAND

Companies are in various states of GDPR compliance, ranging from none at all to complete adherence. Before embarking more deeply on your GDPR journey, find out where you stand right now. What are your policies and practices regarding data governance? Are they presented to the outside world in an open and transparent way?
If there is already data governance documentation, review this and use it as a starting point for further work. Under GDPR, this kind of documentation is mandatory. This is all part of a data protection assessment, which you can learn more about here.

3. WHAT DATA DO YOU HAVE?

Most every organization has at least some sensitive information, and chances are it needs protecting. IT should discover this information through a data audit, where it came from, where it resides, and who has access.

4. POSTING PRIVACY POLICIES

If you fall under GDPR, you must have a privacy policy showing that you comply. That same policy is checked off when people visit your web site.

5.CREATE OR FINE-TUNE CONSENT PROCEDURES

Having a GDPR privacy policy is just the beginning. You need to get actual consent from outsiders, so-called data subjects, for any data processing – and this consent has to be detailed, specific and able to be audited This consent has to be easy to give, and just as easy to take back. Finally, document all instances and records relating to consent.

6. DEALING WITH SUBJECT ACCESS REQUESTS (SAR)

Under GDPR, any person who has data about them held in your organization can file a SAR, which means you must gather that data, provide it to them, and delete it if requested under the right to be forgotten rule.

7. BUILD CCPA STAFF INCLUDE DATA PROTECTION LEADS

Blocking data breaches and reporting those that break through your barriers are key parts of the GDPR rule set. You need to have processes to prevent, investigate, report and respond to breaches. Blocking breaches is a top priority as fines are assessed for successful incursions. Having processes related to breaches can mitigate the monetary damages if one occurs.

8. DATA BREACH REPORTING

Just as you need to educate all those who touch or process sensitive data, your IT and executive staff has their own responsibilities. A core decision is who has overall responsibility for data governance and compliance. At the same time, you need a point person to deal with regulatory authorities, who may or may not be the same person that manages governance.

9. KNOW WHAT RIGHTS DATA SUBJECTS HAVE

GDPR is all about protecting data and giving the data subjects deep rights. These include the right of access, right to be informed; right to restrict processing; right to data portability; the right to object, the right to not be subject to automated decision-making including profiling; and the right to erasure (the right to be forgotten).

10. CONTINUALLY UPDATE YOUR CCPA COMPLIANCE PLAN

It is clear that shops facing GDPR compliance need a plan that includes best practices and policies. This is just the start. Regularly review the plan to insure it is current with your organization’s changes or modifications made to the regulations.
Related Resources

We use cookies to ensure that we give you the best experience on our website. If you continue to use this site we will assume that you are happy with it.