On June 28, California passed what might be called our version of GDPR - the California Consumer Privacy Act (CCPA) of 2018 (approved unanimously by the state Senate and Assembly today and signed by Gov. Jerry Brown). Starting Jan. 1, 2020, businesses could be penalized up to $7,500 for each violation. Votes for consumer privacy laws are coming fast and furious these days following the European Union's GDPR.
Someone said to me recently that data used to be like gold, but now it's more like uranium: still very valuable, but also highly radioactive.
Some of the requirements outlined in CCPA should be easy to meet as long as IT and security teams already have data security and data incident response programs in place. Sadly, plenty of organizations have yet to fully implement either of those programs around data, and many that have only focused on data already targeted by regulation: credit card data for PCI-DSS, healthcare data for HIPAA, or other specific data types where consumer private data is not generally included. In other words, knowing the location of consumer private data, monitoring all access to it, and making sure it's not being accessed inappropriately is easy with the right processes, tools, and automation, but this type of data is generally ignored by other regulations, so businesses treat it as low priority. The result is low adoption of security controls around such data and wide distribution and usage of it across an organization. Put even more briefly: this data is rarely monitored or protected because it's considered unregulated, so various departments, business units and partners often have significant access to it without oversight.
Any new data regulation with corresponding fines will initiate a flurry of IT activity. Here's what we'll likely see first:
1. Organizations will scramble to find their consumer private data. They will first try manual processes, then quickly switch to automated data classification solutions.
2. They will determine that this data, unlike PCI, health or financial data, is present in many different parts of the organization, likely both in their own environments and in the cloud. They will learn that the consumer data estate is larger than any currently under regulation. Smart organizations won't get overwhelmed; instead, after a little trembling and sweats, they will begin strategic planning, going slow to go fast, as my CEO would say.
3. Once classification in step one has answered “where” the data is, monitoring access to it is the next easiest step, though it does require technology investment and some time to begin. This answers the “who,” “when,” “how,” and “what” of consumer data access.
4. Now that they know where the data is and everything that happens to it, organizations need to identify when the data is used inappropriately. Given today's data volumes, this is beyond manual controls and requires machine learning to sift through millions and sometimes billions of data activity events daily. This technology has been available for years, but, as noted above, has rarely been applied to consumer data.
5. Now the hard part. Organizations have to handle consumer requests for disclosure of where consumer data is used, why it's used, and whether it's sold or shared with others, and they must be able to completely remove a specific consumer's data on request.
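The five steps above can be tied together in code. The following is an added example, not code from the original post or from any product: it discovers consumer PII fields across a few constructed sample stores (step 1), logs access to those stores and flags bulk reads (steps 3 and 4, with a simple threshold standing in for the machine-learning models the post mentions), and fulfils a deletion request by removing one consumer's records everywhere the inventory says they live and reporting where they were (step 5). The store names, field layouts, PII patterns and the 100-row threshold are all assumptions made for the example.

```python
import copy
import re
from collections import defaultdict

# Constructed sample data: three places consumer data ended up (not real systems).
STORES = {
    "crm": [
        {"id": 1, "email": "ana@example.com", "phone": "555-0100", "plan": "gold"},
        {"id": 2, "email": "ben@example.com", "phone": "555-0101", "plan": "basic"},
    ],
    "marketing_export": [
        {"contact": "ana@example.com", "campaign": "spring"},
        {"contact": "cara@example.com", "campaign": "spring"},
    ],
    "billing": [
        {"invoice": 77, "amount": 12.5},
        {"invoice": 78, "amount": 40.0},
    ],
}

# Toy PII detectors; real classifiers use many more patterns plus validation.
PII_PATTERNS = {
    "email": re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$"),
    "phone": re.compile(r"^\d{3}-\d{4}$"),  # assumed simplified phone format
}


def classify(stores):
    """Step 1: build an inventory of which fields in which stores hold consumer PII."""
    inventory = defaultdict(dict)  # store -> field -> kind of PII
    for store, rows in stores.items():
        for row in rows:
            for field, value in row.items():
                if not isinstance(value, str):
                    continue
                for kind, pattern in PII_PATTERNS.items():
                    if pattern.match(value):
                        inventory[store][field] = kind
    return dict(inventory)


class AccessMonitor:
    """Steps 3-4: record who touched consumer data and flag bulk reads of it."""

    def __init__(self, inventory, bulk_threshold=100):
        self.inventory = inventory
        self.threshold = bulk_threshold
        self.log = []

    def record(self, actor, store, action, rows, when):
        # Every access is logged; the inventory tells us whether it touched PII.
        event = {"actor": actor, "store": store, "action": action,
                 "rows": rows, "when": when, "touches_pii": store in self.inventory}
        self.log.append(event)
        return event

    def alerts(self):
        # Sum rows read from PII stores per actor per day; flag anything over threshold.
        totals = defaultdict(int)
        for e in self.log:
            if e["touches_pii"] and e["action"] == "read":
                totals[(e["actor"], e["when"][:10])] += e["rows"]
        return [(actor, day, n) for (actor, day), n in totals.items() if n > self.threshold]


def handle_deletion_request(stores, inventory, email):
    """Step 5: remove every record tied to one consumer; return {store: rows removed}."""
    report = {}
    for store, fields in inventory.items():
        email_fields = [f for f, kind in fields.items() if kind == "email"]
        before = len(stores[store])
        stores[store] = [row for row in stores[store]
                         if not any(row.get(f) == email for f in email_fields)]
        removed = before - len(stores[store])
        if removed:
            report[store] = removed
    return report


def run_demo():
    """Walk the whole procedure on a private copy of the sample stores."""
    stores = copy.deepcopy(STORES)
    inventory = classify(stores)
    monitor = AccessMonitor(inventory)
    monitor.record("svc-export", "crm", "read", 150, "2020-01-15T09:00:00")
    monitor.record("dba", "billing", "read", 500, "2020-01-15T09:05:00")
    report = handle_deletion_request(stores, inventory, "ana@example.com")
    return inventory, monitor.alerts(), report, stores


if __name__ == "__main__":
    inv, alerts, report, _ = run_demo()
    print("inventory:", inv)
    print("alerts:", alerts)
    print("deletion report:", report)
```

The deletion report is the piece the post calls the hard part: it is the evidence that a consumer request was actually propagated to every store the inventory knows about, which is only as good as the discovery step that built that inventory.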
Why is item five so complex? Finding, monitoring and securing data is fairly passive, since security doesn't necessarily have to interact with databases or files. Knowing “why” an organization has data, which partners have used it, and building a program that takes consumer deletion requests and then triggers a series of events across the organization to find and eliminate that consumer's data is a different matter; depending on the size of the organization, the complexity varies enormously. GDPR has a similar requirement.
Many large companies still have a long way to go in finishing the technical aspects of the EU's GDPR, and now California companies need to be ready for CCPA a year and a half later. It may seem a big demand on organizations, but in reality it shouldn't be. Most global organizations have already built the framework for these same requirements to meet GDPR over the last few years, so there are plenty of materials, processes and products available to assist California companies with these similar requirements. Whether serendipitous or planned by California, following GDPR may have helped get organizations ready for CCPA.