The European Union’s General Data Protection Regulation (GDPR), implemented in 2018, set the bar for data protection worldwide. This November’s proposed California Privacy Rights Act (CPRA) closely mirrors the GDPR’s approach with three major items not included in the existing California Consumer Privacy Act (CCPA). These additions elevate the privacy protections of California residents and set a model for US commerce. They include:
Data protection by design and default. Known as “privacy by design” in the EU’s GDPR, this familiar business practice would be required by law. Planning for data protection and privacy should be accounted for in every stage of business for the security of both the company and its consumers.
Record of data processing activities (ROPA). As outlined in the GDPR, this data inventory tracks the purposes of collecting personal data, parties with access to data, and how long data will be retained.
High-impact data processors to perform regular risk assessments. A Data Protection Impact Assessment (DPIA) is required under the GDPR any time a business begins a new process that involves “a high risk” to personal information. These projects can include using new technologies or tracking people’s location or behavior.
Does Your Organization Need to be CPRA Compliant?
“Whether your business is in California or not, the first step is to determine whether or not you need to be compliant. This requires leaders to know what type of data they are managing and whether there are any California citizens within their data sets,” says Shawn Rogers, VP of Corporate Marketing at TIBCO, a provider of big data and software integrations.
Data compliance is not only encouraged for customer relations; failure to comply with the CCPA puts organizations at huge risk for fines of up to $7,500 per violation. Rogers adds, “From there, California business leaders need to make sure they are compliant with all elements of the CCPA, as was required by July 1, 2020.”
Rogers says it is critical for you and your clients to understand the privacy and security practices of your organization’s vendors and external service providers. “Understanding if your providers or vendors are vulnerable is critical, seeing as your legal liability could be dependent on the third-party providers you use to deliver your managed services,” he adds.
When vetting vendors, organizations should ask for a policy on how the third party processes protected data and demand proof of compliance with the appropriate standards for their industry.
Getting Ahead of the CPRA Curve
Privacy and data protection matter to consumers. In a 2019 California privacy survey, 88 percent of residents backed the CCPA, and many supported more federal oversight of privacy laws. In addition, privacy and data protection directly correlate with the purchasing patterns of Americans.
Rogers cautions, “Regardless of whether the data you manage possesses a California resident or not, your business should still be moving toward a compliant structure. As our society continues to rely more heavily on data, data transparency is what we are moving toward. Whether your business is in support of the CPRA or against it, the smartest thing to do at this time is preparing for it to pass.”
The Future of Data Security
If not in place already, organizations need to develop a system that supports data transparency. Rogers concludes, “As definitions and restrictions change surrounding sensitive personal information, geolocations and behavioral advertising, changes in software will inevitably have to be adjusted.” This means enterprises are expecting privacy-by-design solutions from software providers, as well as privacy protocols that work with their complex, integrated IT landscape.
The regulatory climate is trending toward data protection and privacy: the GDPR in the EU, California’s CCPA, and now the proposed CPRA. Though a central federal privacy law does not yet exist in the US, several states are putting regulations in place and making existing standards more comprehensive. Catch up with the CCPA and get ahead of the CPRA, both for the sake of your business and your clients.