Lessons Learned from GDPR to Prepare for CCPA Compliance & Future Regulations
In May 2018, a monumental regulation came into effect that is setting a precedent for future data privacy standards. To protect consumers, the General Data Protection Regulation (GDPR) outlined a new set of rules for data collection, storage and usage for companies that operate in Europe. Following GDPR, the California Consumer Privacy Act (CCPA) was signed into law in June, helping consumers understand how companies are using their data and allowing them to request that companies delete their data. With the countdown to CCPA in full effect, companies must start preparing for compliance by January 2020 if they haven’t already begun.
Preparing for a new regulation and implementing compliance processes into a company’s ecosystem now enables companies to ultimately save time and money in the future, but there are many challenges to consider. Through our governance, risk and compliance experience and helping businesses prepare for GDPR, there are several lessons we learned that can help your company ease the transition into CCPA compliance:
Understand how it affects your entire company. When we examined how data protected by these regulations is stored and moves throughout a company, we saw two important characteristics: Data access was not significantly controlled within a company and some units had legacy access to data that no one knew about.
While certain departments believed that they did not have access to any private data, we determined that they did have access – they just weren’t using it because they didn’t need to. You should perform a full enterprise analysis to see if there are any access points to data that should be eliminated. C-level support is essential for this, and each internal team must work together to ensure data flow and usage are properly documented and tracked. Processes and procedures must be uniform across the enterprise to make sure that only authorized individuals have access to personal information. Departments must monitor and comply with the applicable regulations, and the enterprise as a whole should also be monitoring data usage and access across departments to ensure compliance. To adhere to regulatory requirements, you can implement well-designed data processing platforms and solutions to manage data access requests, as well as to gain a view of enterprise consent management.
Budget appropriate funds as soon as possible. When it comes to regulatory compliance, there are many factors that play a role in budgeting, so it’s important to start planning as soon as possible. New regulations make a huge impact on any organization’s digital ecosystem, and process and solution implementation can take months. The complexity of the solutions necessary for every company’s unique requirements is proportional to the complexity of the company. This means that the larger and more complex the company is, the more work needs to be done to ensure compliance. As new data flows in, or as gaps in data control need to be addressed during development, you will have to adjust your plan and budget accordingly. Also, when new legal opinions on any given regulation emerge, the regulatory requirements may change and, in turn, change the scope of work that is necessary to achieve and manage compliance. Given the variables that come along with planning for compliance, organizations should account for a significant buffer in their budget.
Understand How Non-Compliance Will Impact Your Company. Privacy rules are becoming increasingly complex, especially in the US, and while their origins may be at a state level, their impact is global. It’s clear that CCPA is more complex than GDPR. Other regulations, such as SOX, Dodd-Frank and HIPAA, have introduced more stringent rules than past regulations as well. For example, unlike GDPR, CCPA has rules for companies that track device and household information. Also, CCPA enables consumers to opt out from companies selling their personal information, while GDPR does not directly let people opt out. With unlimited penalties that are associated with CCPA, mistakes can be extremely costly. The penalties for CCPA non-compliance can reach up to $7,500 per customer, so the cost of penalties for non-compliance will likely be much higher than the cost of ensuring compliance for each customer in the long run. Working closely with a technology services partner who understands the details of each regulation will enable you to implement processes and solutions that are flexible and more cost effective for your specific business requirements.
For Companies that Need to Comply with CCPA, the Clock is Ticking. In order to prepare for and manage compliance effectively, companies must implement future-proof, end-to-end solutions that are agile enough to respond to changes in requirements and new regulations. As more and more states in the US gear up for similar regulations in the pipeline, including Hawaii (SB 418), Maryland (SB0613), Massachusetts (SD 341), Mississippi (HB 2153), New Mexico (SB 176), New York (S00224), North Dakota (HB 1485) and Rhode Island (S0234), companies need to act fast and avoid last-minute work on preparing for regulations of this magnitude. If not, they risk many sleepless nights and the potential heavy penalties that come along with not being ready for compliance.