The nature of consumer data privacy is changing. With the California Consumer Privacy Act (CCPA), which went into effect on January 1, 2020, companies that do business with California will have to abide by this strict regulation designed to protect customers.
The CCPA can be viewed as the sister legislation to the General Data Protection Regulation (GDPR). The legislation provides a unified set of rules that can give California consumers better control of their information.
How the CCPA impacts your business
Much like GDPR, CCPA outlines strict and detailed privacy controls and processes that companies must adhere to or risk significant fines. These controls and processes include: notifying consumers before their personal information is collected (this could be as simple as their name or as sensitive as their social security number), a 45-day window to respond to verified consumer requests, and a list of the categories of personal information collected about consumers over the previous 12 months.
Additionally, the CCPA applies to organizations that meet at least one of the following thresholds: generating at least $25 million in annual revenue, receiving or sharing the personal information of more than 50,000 California residents annually, or deriving at least 50% of their annual revenue from selling California residents' information.
The CCPA has the potential to impact organizations of all sizes that do business with California — whether your company is physically located in California or elsewhere — as its main goal is to protect California consumers rather than the organization. At the heart of the CCPA regulation are accountability, control, and transparency. Organizations must adhere to CCPA principles and demonstrate compliance.
Achieving compliance with CCPA is no simple task. This regulation has significant implications for how data is collected now and in the future. Organizations need to evaluate all of their systems and processors to better understand how vendors use the consumer information of California residents. Initial compliance costs could total up to $55 billion across organizations.
Is your organization ready for CCPA?
Recent research from Ethyca, a data privacy technology company, has shown that the majority of organizations doing business in California are not ready for the CCPA. Of the companies surveyed, 88% have failed to reach an adequate level of compliance, 75% are using entirely manual solutions to manage their data privacy, and none are fully reliant on software-based solutions.
These findings have the potential to expose organizations to a large amount of risk in terms of reputation, market share, and profitability. While it may cost organizations a lot to become compliant with CCPA, organizations have little choice but to address it — and in doing so redefine how they think about data privacy compliance.
The nature of regulations is changing, and the way companies think about compliance must shift as well. In the past, they tended to protect the organization rather than the consumer.
We understand that to begin tackling the CCPA, companies need to understand the scope of compliance and how to practically apply procedures to manage it. Becoming and staying compliant is a significant undertaking that requires participation throughout an organization. To accomplish this, organizations need to understand their risk profiles, manage and maintain data inventories, and demonstrate compliance without burdening all of their internal teams.
Achieve and maintain compliance
With these challenges in mind and the way that compliance is being redefined, we believe that the Smartsheet collaborative work management platform is uniquely positioned to solve a very complex problem.
We worked with Protiviti, a global technology consulting partner, to create a pre-built solution that provides a framework for achieving initial CCPA compliance and for ongoing compliance monitoring and reporting. Our Accelerator for CCPA gives privacy teams, legal teams, and functional business owners the ability to operationalize and consistently demonstrate compliance with CCPA:
Roll out an operational program for compliance. Privacy teams can perform readiness assessments, drive internal training, and properly support stakeholders (and teams) that must participate in CCPA compliance.
Understand your risk profile. Functional business owners can provide privacy teams with the required information about their area in a streamlined and automated fashion, giving privacy teams a better understanding of where privacy risks may exist.
Effectively manage and maintain your data inventories. Privacy teams, legal teams, and functional business owners can easily work together to monitor and complete critical items like data inventories, gap assessments, and remediation plans.
Provide greater clarity and visibility. Privacy and legal leaders are better equipped to make decisions surrounding their organization’s compliance with the CCPA.
Take action in a timely manner. Organizations are able to effectively track and respond to consumer rights requests and consent management requests, and enact the appropriate remediation plan when necessary.
Quickly demonstrate compliance. When the Office of the California Attorney General requests proof of compliance with the CCPA, organizations can quickly and easily provide both regulatory reporting and incident monitoring and reporting.
As transparency, control, and accountability are core tenets of the CCPA, prioritizing the safety of consumer personal information is top of mind. The Accelerator for CCPA enables privacy leaders to apply an operational framework to consistently inventory, organize, report, and demonstrate compliance with the CCPA regulation.