An ounce of prevention can meaningfully reduce risk for companies subject to CCPA. The cost of CCPA non-compliance can be very large.
CCPA introduces significant legal and technical challenges. It requires new policies, procedures and disclosures, third-party agreements, data mapping, security controls, new operational capabilities to satisfy consumer requests made under their new rights, and other preparation for compliance.
In California Consumer Privacy Act (CCPA), Why You Need To Start Now! we described the new rights, fines, statutory damages and other requirements. We mentioned that CCPA authorizes a limited private right of action (and class actions through proxies) for consumers whose personal information has been breached. The statutory damages for a breach are between $100 and $750 per consumer per incident. Although full compliance with the statute may be required, far more class action suits are expected than prosecutions by the attorney general's office, which might change your focus on what you do first to become compliant.
We can help at every step to identify your compliance gaps and put a mitigation plan in place, especially around breach prevention and mitigation. Getting started, developing a plan and taking initial steps toward compliance gets you that ounce of prevention. We can help close the gaps, including implementing every policy, security and operational task needed.
Given the newness and nature of CCPA, compliance will require a fair amount of legal work that should be done either by or under the guidance of seasoned privacy lawyers. Although we can work with your existing legal team, we have found it is wise to involve lawyers who are experienced in successfully litigating privacy cases.
We teamed up with Kaufman Dolowich & Voluck because their seasoned litigators and legal practitioners routinely assist clients with current and emerging privacy laws, including CCPA compliance, regulatory advice, developing and drafting policies, assisting in the legal aspects of all audits, preparing data retention policies, contract and arbitration agreement review, security breach and crisis response, and litigation. They team with us to conduct compliance training for employees as well as reviewing insurance coverage matters related to privacy and cyber risks.
Depending on where an organization is and what it needs, our team (KDV and EC Wise) can do it all or augment existing teams, tools and practices to assist your company in becoming and remaining compliant.
High level CCPA Implementation Plan – Five Phases
I. Build the program: identify the data protection team, identify or provide a team leader, educate the team, and start discovery with the appropriate team members.
II. Discovery and planning: assess risks, policies, controls and gaps; prepare a plan, including a risk mitigation plan that will drive the priorities and order of follow-up activities.
III. Design: use the discovery results and risk mitigation plan to identify and design the new policies, controls, practices and tools needed to mitigate risks, enforce controls and scale the required operational processes.
IV. Perform and implement: test, measure, manage and evolve controls.
V. Demonstrate continual compliance: evaluate compliance reporting, certification and insurance.
The focus of an initial engagement will be to create that first ounce of prevention that reduces your downside risk and starts you on the path to compliance. We start with capacity building and discovery. Organizations need to establish cross-functional teams, representing key stakeholders, to coordinate their response to CCPA's elevated requirements around the management of consumer privacy. The ideal team should have direct executive sponsorship, very strong management skills, an understanding of the applicable privacy laws and enforcement strategies, and data management, data encryption and security expertise, and it should be able to work with internal and external authorities as needed. To help launch such a team and undertake the necessary discovery and early-phase implementation, EC Wise will provide staff with the needed expertise, skills and training in the following areas:
- Assist with the establishment and training of privacy team with respect to CCPA Compliance
- Work with key members of the privacy team on CCPA compliance discovery, particularly the discovery and classification of PII (using CCPA's broad definition of personal information), including its categorization and usage as needed for CCPA compliance, followed by a gap analysis and an early risk mitigation plan. This plan provides a prioritization roadmap and helps keep future efforts practical.
- Define the policies, processes and practices the organization will require to operationalize their execution and to remain in compliance while reducing the risk of fines and unnecessary costs.
- Carefully document not just what we discover and how we plan to comply, but also the decision process, to help demonstrate that the organization acted reasonably and appropriately.
- Include a small provision to establish a retainer for outside counsel. Whenever we work on compliance-based activities, especially during discovery, we recommend that our mutual efforts fall under attorney-client privilege.
- Work with the organization to identify and understand the potential impacts, usage, policies and protection of PII (personally identifiable information, as classified by the applicable privacy laws) throughout the enterprise. The privacy team will need to review PII flows, sources, usage and sharing in Marketing, HR, IT and Security, and provide guidance to Legal, especially on vendor contracts.
It is likely that purpose-built tools will be required for many aspects, such as data discovery, characterization and satisfying consumer requests. We have long experience working with both commercial and open source tools to manage privacy, provide appropriate security controls, redact and encrypt data, control access to databases, and so on. We have identified, evaluated and used several products that facilitate operationalizing the management of consumer requests. Once we better understand your needs, we will review some of these options (tools and products) with you.
What we learn during early discovery usually changes some of our mutual starting assumptions.
Currently we expect to bring in open source and low-cost tools to facilitate discovery, mapping and the gap analysis in phase II. During each phase, risks, alternative approaches and costs will be discussed.
Although we are flexible, in our recommended approach, we plan to produce the following deliverables:
- Initial findings
- Initial meetings with, review of, and report on third-party IT providers
- Initial high-level Gap Analysis
- Discovery Results
- Inventory of all usage of data, and data categories
- Inventory of all PII data
- PII Data mapping, usage, sharing, exposures
- Dataflow mapping
- Third-party risks
- Gap analysis against CCPA requirements
- Risk mitigation plan, developed collaboratively based on costs and the resources available
Once discovery, the gap analysis and a high-level mitigation plan are in place:
- We work iteratively, with the goal of a comprehensive solution delivered incrementally; together we reduce the highest risks and threat vectors first. The process is therefore not linear, but it has dependencies that require an ordering among subtasks.
- We will provide all the training, services (legal, data mapping and management, security and privacy controls) and technologies needed to support the data protection team during the execution of phases I to IV.
To get started with a free one-hour introduction and assessment, please fill out the compliance questionnaire.
For more information please contact: Jack Hakim – 415-226-8858