CCPA imposes substantial legal and technical challenges, requiring the adoption of new policies, procedures, disclosures, third-party agreements, data mapping, security practices, and operational capabilities that can satisfy consumer requests based on their new rights. Businesses can meaningfully reduce their risk under CCPA by taking a principled approach to compliance that is tailored to the organization's needs. Depending on what stage of compliance a business is in, our team can do it all or augment what is already in place (existing teams, tools, practices, etc.) to help the business become and remain compliant. Given the changes that CCPA requires, and the broader definition of PI that it applies, all organizations will go through all of the phases below.
Our Approach for CCPA Compliance
High level CCPA Implementation Plan – Six Phases
I. Initial Framework: Create the organizational privacy vision and mission statement (or augment what is in place), define the scope of the business' privacy program to include CCPA, and structure the privacy team with the relevant stakeholders. Identify the privacy and security standards already followed, establish the data protection team (identify and/or provide a team leader), develop or augment the organizational privacy framework, educate the team, and proceed to the next Phase with the appropriate members of the team.
II. Discovery, Assessment and Planning: Based on CCPA's expanded definition of PI, categorize the data and conduct data mapping to build the business' data inventory, including the needed metadata (source, type, category, location, retention and uses of the data) as it moves across the various systems within the business. Review the encryption, redaction, security and other controls in use. Review how liability is shared across third-party contracts. Based on what is discovered, we produce a gap analysis that assesses the risks and the remediation needed within the business' current processes, policies, procedures and controls.
III. Develop Privacy Framework and Program: Using the gap analysis of Phase II, and after weighing risk and ROI with key stakeholders, we plan the changes required by the new CCPA consumer rights, including incident response processes, remediation, and risk mitigation, and use them to set the priority and order of follow-up activities. Design the new processes, policies, controls, practices and tools that mitigate the identified risks and enforce controls, and that scale and, where practical, automate the needed operational processes. Develop the metrics to measure and monitor both compliance and risk.
IV. Perform/Implement: Put into effect the newly designed framework and program. Test, measure, manage and evolve controls for potential errors and gaps.
V. Continued Compliance: Continually evaluate processes, procedures, and policies. Ensure business and employees have proper certification, insurance, and training. Perform Privacy Impact Assessments (PIAs) as needed.
VI. Cure and Defend: Provide the technical and legal support needed to cure a violation or defend against a claim, should either arise.
Our process is iterative, with the goal of creating a comprehensive solution that is delivered incrementally; we work together to reduce the highest risks and threats first. It is not unusual to discover high-risk, low-cost remediation opportunities as early as Phase I and to carry them out in parallel with the rest of the compliance program.
It is likely that adopting purpose-built tools will be advisable for many aspects of the program, such as data discovery, data characterization, and satisfying consumers' requests. We are experienced with both commercial and open source tools to manage privacy, provide appropriate security controls, redact and encrypt data, control access to databases, and so on.
We have identified, evaluated, and used several products that facilitate operationalizing the management of customer requests. We will review with you some of these options (tools, products) to operationalize the organization for CCPA once we better understand your needs.
Education, high-level discovery, high-level roadmap; often fixed bid after the questionnaire is reviewed.
Goals are focused on Phase I, with a high-level version of Phase II, to better understand the effort needed both to reduce risk and to become compliant. Every company is different, with different risks and with different policies, processes and controls already in place.
The focus of an initial engagement will be to:
- Review your questionnaire and ask clarifying questions to better understand your gaps and risks
- Get your key stakeholders to understand the CCPA
- Identify first quick steps that will reduce your downside risk and help you start on becoming compliant.
- Build a very high-level version of Phase II, without tooling. We aim to obtain enough understanding of your security, data mapping, PI management, policies and operational capabilities related to CCPA to create a high-level roadmap
We start with capacity building and discovery, especially around the areas of PI and risk of breach.
Organizations need to establish cross-functional teams, representing key stakeholders, to coordinate their response to the elevated requirements that CCPA places on the management of consumer privacy.
The ideal team should have direct executive sponsorship, very strong management skills, an understanding of the applicable privacy laws and enforcement strategies, and expertise in data management, data encryption, and security, and it should be able to work with internal and external authorities as needed. To help launch such a team and undertake the necessary discovery and early-Phase implementation, EC Wise and KDV will provide people with the needed expertise, skills, and training.
It is important to understand that early decisions about how you categorize your data and establish its use will affect what you may need to delete, what will be exempted, and what additional upside may be obtained from the data.
- Assist with the establishment and training of the privacy team with respect to CCPA compliance
- Work with key members of the privacy team on CCPA compliance discovery, particularly PII data discovery and classification based on CCPA's broad definition (including the categorization and usage information needed for CCPA compliance), and on a gap analysis that feeds an early risk mitigation plan. This plan provides a prioritized roadmap and helps keep future efforts practical.
- Identify and help define the policies, processes and practices your organization will require to operationalize the execution of consumer rights and disclosures, and to enable the organization to become more compliant while reducing the risk of fines and unnecessary costs.
- Carefully document not just what we discover and how we plan to comply, but also the decision process, to help demonstrate the organization's reasonable and appropriate behavior.
- Whenever we work on compliance-related activities, especially during discovery, we recommend that our mutual efforts be reviewed by experienced privacy attorneys and be conducted under attorney-client privilege.
- We will start the work with the organization to identify and understand the potential impacts, usage, policies and protection of PII (Personally Identifiable Information, as classified by the applicable privacy laws) throughout the enterprise. The privacy team will need to work with and review PII flows, sources, usage and sharing in Marketing, HR, IT and Security, and provide guidance to Legal (especially on vendor contracts).
- Review and make recommendations on two third-party IT providers, potentially transferring risk to those third parties
- Initial high-level gap analysis and roadmap
- Enough understanding to identify significant risks and scope
What we learn during our Introductory Engagement usually changes some of our recommendations for early focus, as well as the estimated effort needed to reduce risk and become compliant.
We may be able to bring in open source and low-cost tools to facilitate discovery, mapping and our gap analysis in Phase II. We are familiar with a spectrum of tools that can be brought to bear to increase automation, but the selection tends to be specific to the company's situation. During each Phase, risks, alternative approaches and costs will be discussed.
We historically have long-term engagements with our customers.
We will, if desired, continue to provide all the training (on the new tools, policies, operational processes and mitigation strategies decided upon), services (legal, data mapping and management, security and privacy controls) and technologies needed to support the data protection team: during Phases II to IV to become compliant, Phase V to remain compliant, and Phase VI if needed.
To schedule a complimentary one-hour introduction and obtain our compliance questionnaire, please email firstname.lastname@example.org and indicate your interests.
For more information please contact: Jack Hakim – 415-226-8858
“EC Wise was a great choice for Kaufman Dolowich & Voluck because they understand how to build in privacy by design and deeply understand CCPA (for non-lawyers). EC Wise is very experienced and excellent at data management including data mapping, securing data, securing the enterprise and implementing and auditing security and privacy. Under CCPA, data without a purpose shouldn’t be saved. With their background in machine learning, they can identify all available data and how it can provide business value, also adding to the top line when performing data mapping services for CCPA”.
If you want to learn more about CCPA, check out our white paper, “California Consumer Privacy Act (CCPA), Why You Need To Start Now!” It describes the new consumer data rights, the obligations, processes and controls needed to fulfill those rights, and the risk of significant fines and statutory damages for non-compliance.