The European Union (EU)’s General Data Protection Regulation (GDPR) is about to celebrate its first birthday, and similar regulations scheduled to go into effect early in 2020 — such as Brazil’s Lei Geral de Proteção de Dados (LGPD) and the California Consumer Privacy Act (CCPA) — will press organizations to look more holistically at how they address privacy. Because I’m an optimist, I think it’s possible a U.S. federal privacy law could also be passed in the next 18 months. In my experience, modern data privacy readiness and controls are largely based on common privacy principles and practices from the GDPR, which began enforcement on May 25, 2018.
But what does that really mean?
Apply GDPR Best Practices to Your CCPA Readiness Plan
Let’s take a step back and look at several of the high-level overlaps between the GDPR and the CCPA as an example. Keep in mind that within each regulation there are fine points that clearly differentiate them. While those are beyond the scope of this article, we suggest seeking legal advice should you need further help on this topic. Here is a high-level review:
- While definitions vary, the general definition of “personal data” or “personal information” is virtually anything that can be used to identify an individual. Both regulations define and enumerate rules to enforce protecting an individual’s rights around his or her personal information.
- Under the important right of disclosure or access, individuals have a right to transparency about the collection of their personal data, and also a right to receive a copy of that data or to have it deleted altogether.
- The CCPA does not directly impose specific data security requirements, but establishes a right of action for certain data breaches caused by business failure to maintain reasonable security practices and procedures appropriate to the risk. Somewhat similarly, the GDPR requires appropriate technical and organizational measures necessary to ensure security appropriate to the risk.
As these basic overlaps between the GDPR and the CCPA illustrate, there is a set of common principles about transparency, including an individual’s right to access or request deletion of personal data, the need for security, and the potential for substantial penalties for noncompliance. While there are implementation differences between the various regulations — such as which organizations and individuals qualify, personal data definitions and individual rights (access, correction, deletion) — the IT best practices required to help your compliance program are largely the same. Some of these include:
- Security and privacy by design and by default;
- Locating, identifying and classifying personal data;
- Tracking personal data use via audit trails to demonstrate compliance;
- Providing for response capabilities to individual requests for access, correction, deletion and transfer of personal data and audit trails to demonstrate compliance;
- Implementing security controls according to risk (vulnerability assessments, access controls, activity monitoring, encryption); and
- Effectively preparing for and responding to breaches.
A Repeatable Framework for Protecting Regulated Data
In my experience as a practitioner, I find that it’s often helpful to follow a framework that guides you as you bring these best practices to life in your data privacy program. That’s why IBM created a five-step program to help you establish a repeatable process for protecting personal and regulated data, known as the Critical Data Protection Program:
Figure 1: IBM’s Critical Data Protection Program
When it comes to preparing for the CCPA (and other regulations down the road), consider what steps you can take as an IT organization and how you will be working with your privacy/legal/compliance organizations. Your privacy team will undertake many of these activities, including assessments, policy setting and creating business processes.
- Start by obtaining executive sponsorship and budgets to support your privacy program. The higher up the executive chain, the better. The changes you may need to make will cross organizational boundaries, so support from the top will be critical to your success.
- Next, assess and understand your obligations — in other words, do a gap analysis. This may mean seeking legal counsel. Review your existing privacy policies, notices and statements. Do you have them? Where are they presented, and when were they last updated? Are they clearly written and easy to understand?
- Create a cross-functional team. When it comes to implementation, be sure to have all the right stakeholders involved. Privacy is not just a security issue, or even just a privacy issue; your cross-functional team should include departments such as marketing and HR, for example, due to the potentially regulated data they may be dealing with.
- Regardless of regulation, you will need to know what personal data assets you store, where they are located and how they are used. You will hear this often referred to as a data map. Data discovery is an essential part of creating a data map; it’s the process of identifying, inventorying and mapping personal data and data flows across your organization. A data security solution can help automate the process to avoid approaching it manually — after all, who couldn’t use fewer spreadsheets and more time?
- Review data retention schedules. How long do you retain the personal data you collect? The retention period should be either as long as required for a legitimate business need or as long as required by law, and no longer.
- Document privacy compliance activities, including processing operations involving personal data.
- Develop audit capabilities and processes. You will be required to demonstrate what you are doing to address your compliance obligations. You will need a robust audit plan and process to monitor ongoing conformity and help mitigate risk, both internally and with your data processors and other vendors.
- Implement privacy by design and security by design. Although not spelled out in the CCPA, this is an important GDPR requirement and it can save you a lot of redundant work regardless of the regulation. Going forward, if you develop new services and systems, it is likely that you will be expected to embed — by default and by design — processes and features that will help ensure privacy of personal data.
- Create breach response and notification protocols. In the event of a breach under the GDPR, in certain scenarios you have 72 hours to notify the supervisory authority. Other jurisdictions, including U.S. states, have varied timelines; sectoral regulations such as the New York Department of Financial Services’ 23 NYCRR 500 also mandate 72 hours. Meeting these tight deadlines depends on having defined processes and protocols in place for investigating, containing and responding to data breaches before one occurs.
The bottom line is that approaching any privacy regulation requires a combination of people, process and technology. There is no one solution that can meet all needs. There are many technologies from IBM Security that can help — from data activity monitoring solutions to software-as-a-service (SaaS)-based risk analysis to encryption — and our privacy experts can help you get started in creating or augmenting your privacy program with services such as a CCPA readiness assessment.
Accelerate Your Readiness for New Data Privacy Regulations
Privacy regulations will continue to evolve, both in the U.S. and abroad. While there are many implementation differences, the IT controls and requirements for protecting personal data are largely the same. As you build out your program, don’t forget to leverage the existing investments you’ve made in preparing for other regulations — from both an organizational and technology perspective — to accelerate your readiness for new regulations.
With the right tools in place, you can implement a consolidated approach to help organize and automate your privacy controls program and, in the process, help build trust and accountability, whether with consumers, business partners or employees.
Clients are responsible for ensuring their own compliance with various laws and regulations, including the European Union General Data Protection Regulation. Clients are solely responsible for obtaining advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulations that may affect the clients’ business and any actions the clients may need to take to comply with such laws and regulations. The products, services, and other capabilities described herein are not suitable for all client situations and may have restricted availability. IBM does not provide legal, accounting or auditing advice or represent or warrant that its services or products will ensure that clients are in compliance with any law or regulation. Learn more about IBM’s own GDPR readiness journey and our GDPR capabilities and offerings to support your compliance journey here.