
Heather Hobson is an author, consultant and founder of H Hobson Consulting.  She is a seasoned cybersecurity, risk, and privacy expert with years of experience in the banking, media and technology industries that include The New York Times, Citigroup, ABN AMRO and EMC. Heather splits her time between New York City and the Catskill mountains, exploring the world with her husband and their dog as often as possible.

Written by

Heather Hobson
June 17, 2019

How Mid-Size Companies Should Prepare for CCPA – a Tactical Checklist


Last month we introduced you to How CIOs Should Plan for US Data Privacy Laws, discussing the complexity of the US data privacy landscape and highlighting the California Consumer Privacy Act of 2018 (CCPA) -- a sweeping piece of legislation poised to impact more than 500,000 businesses in the US alone. Today we’ll outline some of the tactical steps your company should take to ensure your compliance with the CCPA before its implementation deadline of July 1, 2020.

Before we begin, let’s be clear: we expect changes to the legal requirements. The CCPA describes future regulations to be passed, and it’s already received legislative corrections and amendments (including pushing the enforcement deadline from its original January 1, 2020 to the current July 1, 2020). More amendments are expected to roll out in 2019. However, with the current law already in place and set for enforcement in July of next year, it’s critical to get started right away to make sure you’re prepared. With penalties ranging from $100 - $7,500 “per violation”, a breach involving a million users could potentially bankrupt a billion-dollar corporation. The stakes for compliance are high.

This CCPA Checklist has three main phases: Preparation, Action, and Evaluation & Improvement.

  • Preparation
    1. Get the buy-in of your key business stakeholders. Senior management’s full support is critical to making CCPA compliance work, because although the compliance program may be costly and time-consuming, CCPA violations have the potential to be financially devastating.
    2. If you don’t already have one, hire a Chief Information Security Officer with a strong background in Privacy. Preparation for the CCPA means you have to have someone with the expertise to do it properly. For smaller companies, this might mean hiring a Virtual CISO; for larger organizations, it might mean bringing in an expert with GDPR background to support your current CISO. The technology-side privacy experts will need to work closely with your Legal department’s privacy experts throughout the process.
    3. Perform an internal business function review to identify all Personal Information being collected, used, and stored by your organization. Assess the types and scope of Personal Information being collected. Don’t forget that the CCPA also applies to employee data. You need to offer all individuals the right to access their data with the right to be forgotten and to withdraw their consent to disseminate their data.
    4. Review your organization’s internal policies and procedures around collecting Personal Information. Make sure that your data collection is necessary for a business purpose and identify everywhere that you are collecting or storing unnecessary Personal Information.
    5. Perform a third-party review to identify all vendors, partners and service providers that have access to, or manage the storage or collection of, the consumer Personal Information your business has collected. Review all contracts with them and identify the gaps.
    6. Establish success criteria to measure and report on each of the tasks in your company’s implementation. Metrics could start with raw implementation details and mature with the program:
      • Are we on track to meet CCPA requirements by the deadline?
      • How many privacy professionals and other subject matter experts do we have working on the CCPA? This should include technical and legal experts, as well as system and process professionals working on the CCPA project.
      • How many systems have we evaluated for CCPA requirements (i.e. what percentage of all systems)?
      • How many third parties have we evaluated for CCPA requirements (i.e. what percentage of all third parties)?
      • How many Personal Information stores have we identified? How many do we plan to eliminate?
      • How many privacy or data protection incidents have we had that meet certain monetary thresholds (e.g. costing more than $X in aggregate this year, or more than $Y in any single incident)?

  • Action
    • Update your internal and online privacy policies to meet CCPA requirements.
    • Create and revise your processes, tools and procedures to ensure your company can respond to consumer requests regarding access to, deletion of, and information related to the sale/disclosure of, their Personal Information. Be sure to include your software development process and your technology acquisition process in these updates, so that all new applications will be compliant with the CCPA.
    • Implement security enhancements as needed to provide access to Personal Information according to the principle of least privilege.
    • Implement the tools that can process consumer requests you receive, including the opt-out. If you have a wide variety of systems containing personal data, this will probably require establishing a central Personal Information register, or at the very least a list of all the places where you have Personal Information. There are a number of third-party privacy tools that can support you in this effort, that can handle the operational day-to-day details around the collection and management of Personal Information, as well as provide an interface for consumer requests on your website.
    • Train your staff, particularly those who will handle consumer Personal Information and all customer-facing staff. Train them not to put Personal Information in comments fields or other unstructured formats, how to handle consumer requests and inquiries, and so on.
    • Amend third-party contracts with vendors, partners and service providers where necessary. Your legal department may create a boilerplate amendment to simplify this process, or it may need to work with each vendor in detail.
    • Identify any business areas that will be too costly to remediate and make plans to shut down those functions before July 1, 2020. Eliminate any unnecessary Personal Information data stores.
    • Put processes in place to notify everyone, including regulators, consumers, employees and partners, in the event of a data breach.

  • Evaluation & Improvement
    • Conduct periodic third-party audits on vendors, partners, and service providers to ensure their compliance with the CCPA.
    • Define ongoing program metrics to measure and report successful adherence to CCPA requirements.
    • Report and manage Personal Information data breach incidents.
    • Ensure the ongoing quality and integrity of the central Personal Information register.

The CCPA is the first salvo in a barrage of privacy laws across the US. Meeting its requirements will not only protect your organization now, it will also prepare you for future privacy legislation by centralizing and standardizing your Personal Information data program.
