Countdown to CCPA: Steps to Start Getting Your Content in Compliance
The California Consumer Privacy Act (CCPA), set to go into effect in January 2020, will have a big impact on companies that do business in California or collect the personal information of California citizens. Driven by growing public demand for privacy, CCPA is the latest in a line of regulations that gives individuals greater control over how their personal data can be collected, stored, purchased, or shared by private companies.
Wondering what CCPA means for your business? Check out part one of our Countdown to CCPA blog series.
CCPA covers a lot of ground, from allowing consumers to deny companies the right to sell their personal data to outlining how companies notify consumers about their privacy practices. California consumers will also be able to submit Verifiable Consumer Requests to find out what Personally Identifiable Information (PII) a company has collected about them and how it is used, and can optionally request that it be deleted.
Because CCPA is a pending regulation, there is still a lot that is unknown about how it will be interpreted and enforced, but that shouldn't stop companies from laying the groundwork for compliance. For many organizations, success will hinge on the ability to answer the three questions at the heart of CCPA: How much PII do I have? Where is it? Who has access to it?
This post will cover three tools you can use today to start answering these questions and get on the road to compliance: automated data discovery, a Verifiable Consumer Request workflow, and sensitive content monitoring and controls.
Automated Data Discovery
Imagine the activities happening in a typical workplace: Marketing purchases and saves a new email list. HR compiles a spreadsheet to track job candidates. The office manager creates a document with customer addresses for holiday cards. In just one workday, hundreds of pieces of regulated PII were saved to the system -- multiply that by all your employees, each day, and the scope of the problem becomes apparent.
A typical small to medium-sized business houses upwards of 7 million files in unstructured repositories -- 10% of which contain some kind of sensitive or regulated content. Without an automated method of scanning and classifying the content of those files, it is virtually impossible to find all the PII on your system and effectively respond to a Verifiable Consumer Request or maintain the data privacy standards outlined in your published policy.
Verifiable Consumer Request Workflow
Under CCPA, a person has the right to request and receive all the personal data that a company has collected on them, obtain a copy of their personal data, and optionally request it be deleted. On the surface, locating and deleting an individual’s data from your systems may sound like a relatively simple task. While it’s often easier to query a structured database, unstructured repositories pose a unique challenge.
Unstructured repositories house millions of files that contain bits of personal information like names, addresses, email addresses, credit card numbers, and Social Security numbers. This information is often buried deep inside documents or spreadsheets and is intermixed with other customer data.
Workflow tools can help automate Verifiable Consumer Requests by scanning and surfacing files that contain the personally identifiable information of individuals. For companies that receive a high volume of requests, such as retailers, tech platforms, and service providers, these tools can serve as a central location to create, track, and monitor requests as they move through the system.
Sensitive Content Monitoring and Controls
CCPA isn’t just about responding to consumer requests; it is also about establishing and upholding standards related to consumer privacy. CCPA requires that companies annually evaluate and publish detailed accounts of the types of consumer data they collect and what that data is used for.
Establishing data use policies is the first step, but enforcing them is the harder job. With the rate of data growth, how can companies make sure that data is collected and stored in accordance with policies even as new data is constantly created? It makes sense to start from a secure content platform that provides built-in visibility and control.
Organizations that need to comply with CCPA should be able to monitor where sensitive content is housed, who has access to it, and how it is shared. Even better is the ability to apply minimum security settings to any files that contain PII, such as preventing downloading, or blocking external accounts from viewing that content.
The Bottom Line
CCPA is coming, and it’s not likely to be the final word on data privacy. As more regulations move toward becoming law, companies that prepare now will be well positioned to adapt to these requirements.
Schedule a demo today to see how Egnyte’s automated compliance workflows, rapid data discovery, and sensitive content controls can help set you on the right path.