Six things to consider before CCPA goes into force

Netwrix, provider of a visibility platform for data security and risk mitigation in hybrid environments, highlights six things organizations should start doing today to achieve compliance with the California Consumer Privacy Act (CCPA) before it goes into effect on January 1, 2020.

The CCPA reflects the increased attention data privacy is getting in light of the GDPR, Facebook’s Cambridge Analytica scandal and the overall upsurge in personal data breaches. It requires businesses to ensure the security and privacy of all personal information they hold about California residents and households.

Together with Osterman Research, Netwrix established the following list of things that organizations should do today so CCPA does not take them by surprise:

1. Determine whether you have to comply. The CCPA’s scope is broader than one may think. Even if an organization is located outside of California, it has to comply with CCPA if it handles the personal data of California residents. Organizations are advised to check the standard’s criteria for entities that have to comply.


2. Learn what data you have. Although the CCPA does not become effective until January 1, 2020, as of that date, consumers will be able to request information about the personal data companies have collected for the preceding 12 months. That means that organizations need to have categorized the data they store and ensure they have a complete view of information protected by CCPA — ideally, by January 1, 2019, but in no circumstances later than January 1, 2020. Therefore, businesses should consider adopting a data classification solution to find out what kind of data they store that is protected by CCPA, where it is located, how it is handled and who has access to it.


3. Refine your data management processes. All organizations subject to the CCPA must establish strong data management processes, including keeping clear provenance on where personal data has come from and who it is about, and proactively deleting data that is no longer required for future processing.


4. Get ready to respond to data access requests. Organizations need streamlined processes in place to address consumers’ data access and deletion requests. Specifically, they need to be able to identify where an individual's personal data is being used, why it is being stored or processed, and its provenance. Trying to manually satisfy data access requests from thousands of data subjects will be costly and time consuming.


5. Invest in security from threats. Organizations should apply appropriate mitigations to regulated data. This can be achieved by deploying data-centric audit and protection (DCAP) technologies, user behavior analytics (UBA), security information and event management (SIEM) solutions, next-generation firewalls, and the like.


6. Establish a data breach notification policy. Businesses must have mechanisms to identify a data breach, notification and escalation pathways, and documented processes for providing notice within the timeframes required.

The time to achieve compliance with the CCPA by January 2020 is running out fast, so organizations must gain full visibility into all information they have, discover which regulated data they store, and ensure that they are able to protect it against compromise.
Steve Dickson, CEO of Netwrix

To learn more about how to achieve CCPA compliance, read the white paper by Osterman Research: https://www.netwrix.com/go/osterman_research