California has the largest economy of any US state. In fact,
if it were its own nation, it would be the fifth largest economy in the world,
with a GDP of $2.9 trillion (Forbes, 2018). It follows that any new regulations and
rules passed by a state of 40 million people will have a
noticeable impact on the many organizations that serve its residents.
The California Consumer Privacy Act (CCPA) is one such regulation. It
goes into effect on Jan 1, 2020 and grants the state's residents new privacy
and data protection rights. My aim here is to make the case for building an effective Data Governance Framework, not just to meet regulatory compliance requirements but also to manage the ever-growing volume of ingested data with sound business processes, controls and fit-for-purpose data sets for analytics and reporting, which raises the trust factor while reducing cost.
CCPA
California residents will have the following rights from Jan 1,
2020 under the CCPA:
- Know what personal information organizations have collected about them over the prior 12 months
- Know whether their personal information was sold, or disclosed for a business purpose, and to whom, over the prior 12 months
- Access their personal information, request its deletion and opt out of its sale (both subject to exceptions)
- Receive equal service and pricing even if they exercise their privacy rights (non-discrimination)
Comply
Any for-profit business that does business in California and meets any of the following criteria must comply with the CCPA:
- Annual gross revenue in excess of $25M
- Annually buys, receives, sells or shares the personal information of 50,000 or more California consumers, households or devices
- Derives 50% or more of its annual revenue from selling California residents' personal information
Every organization that handles California residents' information
can start with a Privacy Impact Assessment (PIA) by answering the following key questions:
- Is customer information stored in many dispersed locations, and how many copies exist, each with its own variations?
- Who has access to it, are there access controls with audit trails on usage, and are PI attributes anonymized where the context allows?
- What legal or compliance business processes surround the PI, and what data sharing agreements govern it, internally and externally?
- Are there policies covering both the business context and the legal context for the use of customer PI?
- Is there tribal knowledge across departments and lines of business that needs to be articulated, standardized and documented?
- Are there Data Stewards or Owners who manage and identify PI attributes and know the risk remediation steps to take in the event of a breach?
Checklists
Preparing checklists is a good next step for capturing requirement details from the identified department stakeholders and Data Stewards:
- Controller checklist to assess lawfulness, fairness and transparency, individual rights, data security, data transfers and data breaches
- Processor checklist covering documentation, accountability and the processor's approach to individual rights
- Information security checklist covering how the business handles management and organizational information security
- Direct marketing and records management checklists
- Data sharing and subject access checklists
- CCTV checklist covering closed-circuit television and internal cameras and their impact on the privacy of employees and customers
Data Protection Impact Assessment (DPIA)
Start small: identify the business lineage that matters most
to the organization based on the checklist findings for the relevant use cases. You may also use the templates provided by tool vendors such as Collibra Data Governance Center, IBM InfoSphere Information Data Governance and
SAP Master Data Governance to document your processes and workflows.
- Conduct a risk assessment to check the maturity of the risk management framework and any predefined workflows
- Identify and validate that the way processors handle individuals' data rights is in alignment with the CCPA
- Identify remediation plans that reduce the severity of risks in the event of a breach, with clear accountability
- Validate that there is a built-in mechanism for assessing the sufficiency of technical and organizational measures against threshold scores
- Identify the risks of sharing data with external parties and the corresponding remediation actions
Non-Compliance of CCPA
The major risk for any organization in a breach is the loss of trust and
reputation, which hurts growth more than the monetary penalties set out in the CCPA.
- The monetary penalties laid out in the CCPA are:
  - $100 to $750 per consumer per incident, or actual damages, whichever is greater, as statutory damages in consumer lawsuits over data breaches
  - If an organization fails to cure an alleged violation within 30 days of being notified, civil penalties apply:
    - $2,500 for each violation
    - $7,500 for each intentional violation
Residents Consent and Rights
Under the CCPA, organizations do not need consent from data subjects to collect or use
their data; it is an opt-out model rather than an opt-in one (the one exception being that selling the personal information of consumers under 16 requires opt-in consent). However, safeguards need to be in place, along with
provisions for residents to exercise their right to deletion (the CCPA counterpart of the GDPR's
Right to Erasure or Right to be Forgotten). There are some exemptions, but they are judged case by
case and certainly do not give any business carte blanche to
keep or use customer information.
Finally, there are already many regulatory and compliance
laws of this kind in place, including the New York Cyber Security Regulations, the GDPR for
European countries, PIPEDA in Canada and China's Cyber Security Law, and
many more are on the horizon. As a result, many organizations already have work in the pipeline to build robust data governance over their data assets, with
process and access controls and adequate risk mitigation actions.
2 comments:
So far, out of all the blogs, I personally feel this blog is just awesome. There is so much information provided here in this blog. Therefore it is totally amazing...
I am glad to discover this page: I have to thank you for the time I spent on this especially great reading!! I really liked each part and also bookmarked you for new information on your site.