Public outcry over data breaches and misappropriation has resulted in regulatory responses – notably the European Union's GDPR and the California Consumer Privacy Act (CCPA) – imposing unprecedented reform. During October 2017, the final version of the CCPA was signed into law. Many businesses are running out of time to understand what information is protected and to comply with the new guidelines.
Businesses, particularly businesses in California, have less than three months to get their act together before CCPA goes into effect on January 1st, 2020 and threatens hefty fines. Businesses are struggling to make sense of the new rules and how to comply to avoid penalties while deadlines loom.
Digital Journal: What are the main implications from the California Consumer Privacy Act?
Buno Pati: Companies that meet certain requirements of revenue or processing consumer data will be required to review data they have collected and process it so they can respond to requests for access or deletion of information. As long as organizations do business with residents of California, they will also be held to the new privacy requirements. This is a major step for California residents to take control over their personal data that has been collected and work as a model for other states trying to draft similar laws to protect consumers.
DJ: What are the main challenges arising from the CCPA?
Pati: Companies underestimate how hard it is going to be just to organize their data in a manner where they can even implement processes to help them comply with CCPA. They focus more on the customer interaction part, but it is the underlying data plumbing that will be 80 percent of the work. This is where implementing an enterprise data operations and orchestration (EDO2) system will prove to be critical for success. They need a level of automation and data management agility that will provide a solid foundation on which the rest of their CCPA implementation will be built.
DJ: How will the relationship between businesses and consumers alter?
Pati: With data breaches and privacy violations reported on a regular basis in the press, we are seeing an erosion of trust on the part of consumers when managing their interactions and sharing of data with businesses. It is hoped that privacy regulations such as CCPA and GDPR will help establish consumer trust in businesses by providing a level of transparency and control with regards to personal data.
DJ: How should businesses be preparing for the CCPA?
Pati: The best way to fulfill CCPA requirements is to get started on automating as much of the processes as possible. This ranges from collecting the data, ingesting it into the CCPA data lake, normalizing it, automating the customer-facing portal and automating the removal or anonymization of the data upon request. By centralizing the data and the processing of it to meet CCPA requirements, that makes it much easier to properly manage requests.
DJ: For businesses that have yet to do anything, what should they be doing first?
Pati: The actual process is much more detailed, but the basic concept that we are seeing is to first create a common repository or data lake of all customer data, including who is using it within the company, for which purposes, and what rights have been granted. The repository serves as a single source of truth, but is just the starting point for handling requests. It must also maintain lineage documenting the original data sources so they can be tracked down later if data needs to be removed. Second, organizations need to create a portal that allows end users to make requests for how they want their data managed, including the ability to see what data the organization has, and the ability to make appropriate requests to remove all of it, some of it, restrict their rights to sell it, etc. And last, once a consumer has made a request, the organization must have processes, both automated and manual, to either remove or anonymize the data.
DJ: Will other states adopt their own privacy regulations?
Pati: We are already seeing a similar bill introduced in New York, and Nevada passed a privacy bill that went into effect in October. These are just the first few states that are moving to meet new expectations for privacy, and we will see more states write their own versions of privacy law. As the voice of privacy advocates grows stronger, there may even be privacy regulations on a federal level.