September 21, 2018 By Kacy Zurkus 4 min read

As enterprises around the world deal with legislative backlash following years of unfettered data collection, companies are confused about how to achieve compliance not only with the General Data Protection Regulation (GDPR), but also with California’s Consumer Privacy Act (CCPA). If you are one of them, rest assured that you are not alone in your confusion — and you’d better believe there’s more to come.

Several months after GDPR went into effect, 27 percent of companies reported that they had yet to start the GDPR compliance process, according to GDPR.Report. Still, the threat of additional regulations looms.

When the California legislation goes into effect on Jan. 1, 2020, more than 500,000 American businesses will be subject to the CCPA, according to a recent report from Varonis. In addition, 58 percent of companies have more than 100,000 folders open to everyone. Sensitive data is at risk, and in 15 months, companies will be required to allow consumers to review the data they have collected on them, demand deletion of data and opt out of having the data sold to third parties. Organizations face fines of $7,500 for violations.

Navigating the ‘American GDPR’

Since Labor Day weekend, two new state law amendments have come into effect. In its privacy statute, Colorado expanded the terms of what data will be protected. Additionally, the statute now includes a mandated 30-day breach notification. The clock starts ticking the moment the company discovers the breach. New York’s Department of Financial Services similarly updated its cybersecurity guidance under New York State’s 23 NYCRR 500 regulation.

The new requirements mandate risk assessments by application, as well as limits on data retention. The revisions added information access monitoring requirements and stipulated that all private information be encrypted, both at rest and in transit.

“The web of cyber data privacy laws continues to grow both in volume and complexity,” said Pravin Kothari, CEO of cloud security vendor CipherCloud, in an email interview. “These sorts of regulations will need to be handled by Federal omnibus. The expense and risk to businesses in attempting to implement a rolling thunder of different regional and/or state data privacy laws will be overpowering.”

With increasing focus on regulations, the burden is falling on companies to manage and secure sensitive data while also providing customers greater control over their sensitive information. As if complying with GDPR and CCPA were not complicated enough, additional legislation is likely forthcoming in the U.S. — other states are bound to introduce their own laws, which sets a high bar for U.S. companies when it comes to data privacy.

There’s Still Time to Prepare for the Consumer Privacy Act

The good news is that Jan. 1, 2020 is still about 15 months away. While companies are all over the spectrum in terms of how far they have to go, there is still time to work through some of the confusion the market is sensing to iron out the compliance wrinkles.

“Determining the best practices for compliance with the upcoming laws depends in large part [on] how risk-averse companies are,” said Arshad Noor, creator and chief technology officer (CTO) of StrongKey. “Those companies that are already compliant with GDPR will find themselves well-prepared to deal with new acts across the U.S. in different states.”

While GDPR defines a data subject as a human being and any data about them, California defines the person as a human, business, entity or object, according to Noor.

“We tend to think of consumer privacy as my information, name, date of birth, gender, but California has created categories of data which include metadata, IP addresses and more,” Noor said. “It’s an interesting notion about privacy that I don’t think anyone has thought of.”

Between now and 2020, a lot will be clarified about the different categories of data and the fundamentals of what needs to be protected. But don’t wait for clarification to begin moving toward compliance. The first step is to establish a policy that guides the company’s day-to-day practices. Once that policy is defined, Noor said, “Look at specific requirements of the law. Companies will have to have a link or button on the home page that allows a consumer to say ‘Please delete all my information.’”

Currently, the law requires that websites or businesses dealing with California customers allow those users to make a direct request to exercise their right to be forgotten. That will be mandatory, so processes must be in place for compliance. Other stipulations are not as explicitly stated, so now is the time to start thinking about what companies should be doing. The law does provide for companies to collect data they need for doing business, which is why each organization needs to be able to identify what information it actually needs.

Take a Minimalist Approach to CCPA Compliance

To start your CCPA compliance journey, identify where and how your organization’s data is stored, then begin permanently deleting any clutter from those systems.

“If it’s not necessary to conduct business, consider getting rid of that information,” Noor advised. “They need to know which applications use what data and where they have stored it. So, they should begin to take an inventory of the data, starting now.”

In addition, there may be residual information left after your cleanup, so it’s important to think about protecting what is left. At a minimum, companies should encrypt the information and eliminate user passwords from web applications. Many applications may have sensitive information, so companies need to identify that data and choose whether to keep what they have collected.

“They should define how they use the data and make that visible in their policy as well as in their notices to consumers,” Noor explained. “Be clear about what information is being collected, how it is used and to whom it is sold.”

Improving Compliance — and Guidelines

Once a policy is in place, the next step is to implement procedures. Identifying appropriate procedures requires asking questions such as:

  • How do I address requests from consumers in my ecosystem?
  • How do consumers delete their data?
  • What is the process for identifying all information across all systems?

By addressing these gaps now, you can keep from getting caught in the regulatory cold.

When California’s data breach prevention law was made public, most jurisdictions didn’t want to go anywhere near it. The legislature didn’t take long to issue federal law. While the U.S. government could choose not to propose federal privacy protection legislation, businesses should be working with Congress to try to bring about a uniform law. Waiting for Congress to act may take too long and could result in 48 more different pieces of legislation. Talk about a compliance nightmare.

