Where are you in your efforts to prepare for the upcoming California Consumer Privacy Act (CCPA)? If you’re like most companies, you’re either in the planning stages or still trying to wrap your heads around what you need to do. In our recent webinar, How Everteam Supports The Upcoming CCPA Data Privacy Regulation, we discussed the upcoming data privacy regulation and how you can prepare for it with a solid data governance foundation. Here are the highlights of that webinar.
Does CCPA Apply to Your Company?
“The California Consumer Privacy Act (CCPA) is a bill that enhances privacy rights and consumer protection for residents of California, United States. The bill was passed by the California State Legislature and signed into law by Jerry Brown, Governor of California, on June 28, 2018, to amend Part 4 of Division 3 of the California Civil Code…Amendments to the CCPA, in the form of Senate Bill 1121, were passed on September 23, 2018. The CCPA becomes effective on January 1, 2020.” (source)
Does CCPA apply to you? It does if you are a for-profit company that processes the personal data of California residents and you do any of the following:
- Have $24 million in annual revenue
- Hold personal data of 50,000 people, households or devices
- Earn at least half your revenue from the sale of personal data
The rights granted to consumers under CCPA are similar to those in the GDPR, but not identical, which means that even if you comply with GDPR, you are not automatically in compliance with CCPA. It’s critical to understand the differences and how they affect the way you do business today.
One of the key consumer rights in the CCPA data privacy regulation is the right to know what you have, where it was collected, and what it’s used for. That is where Ken Lownie, VP North America, focused his attention in this webinar.
A Path to Compliance
The first point Ken made is that you shouldn’t think this is all about CCPA. Privacy regulations are upon us, and CCPA and GDPR are just the beginning. The key is not just to address CCPA but privacy generally. If you think about and plan for data privacy compliance overall, you’ll be prepared for what else is coming down the pike.
What does that mean, though, to plan for compliance overall? It means you need to have the fundamental capabilities in place for compliance. Do that, and you’re 90% of the way to supporting any data privacy regulation that comes along. What are the basics?
- Knowing where private information is located in your organization.
- Knowing whose information it is.
- Being able to identify and delete it.
Building the Foundation for Managing Privacy
The key to managing privacy is to know what information you have and keep track of it. If you are regularly monitoring for new information, then you’ll always have a view into what you are capturing and from where.
Ken outlined a two-step technology approach that can help you build this foundation.
Identify personal and private information
According to Bernard Marr in Forbes, 90% of data in the world has been created in the last two years.
Traditional records management takes the same approach as paper records management: collect everything. But it can’t work that way any longer. There is simply too much information to organize and manage, and it’s popping up in many repositories across the organization, including SharePoint, Dropbox, Google Drive, OneDrive, shared folders, and more.
The good news is that technologies like machine learning, natural language processing, and AI can help greatly. File analytics solutions leverage these technologies and others to connect to your source systems and build an index (a catalog) of all information. This index includes not only file properties and metadata, but also the full text of each document. A search capability enables you to search across repositories to better understand what you have or find the information you need.
Manage information policies
Once you have that information, or data, catalog, you then have a place to manage it using information policies. These information policies include retention and disposition rules, security, and others. In a poll during the webinar, it was found that 33% don’t manage retention rules and information policies, 33% use a spreadsheet, and another 33% have a tool.
A spreadsheet might help at first, but it’s not the best choice as a long-term strategy. It doesn’t provide a single version of the truth – there tend to be many versions of the spreadsheet hanging around, and it doesn’t store past changes to policies. Spreadsheets also don’t enable collaboration, and most policy work is done by a group of people, not a single person.
What you need is a purpose-built tool that will help you manage more than just retention rules, but also data lifecycles, related citations, security, responsible department and owner, location of information and so on.
To demonstrate how file analytics and data catalogs work, Ken Crum, Everteam Solutions Architect, demonstrated two Everteam products: everteam.discover for file and content analytics, and everteam.policy for information and retention policy management. You can watch the full webinar on demand below, or you can request a customized demo of one or both products to see if they can support your ongoing compliance requirements.