Complying with GDPR and California’s New Privacy Law (CCPA) – Step 1
This is step one of a multi-part series on complying with the new privacy rules, both in Europe and, just recently, in California. Watch for further steps over the next several weeks.
While companies are supposed to be compliant with GDPR already, many are not, and the California law's effective date is still almost 18 months away. In either case, these tips should be useful. With regard to California's law, the steps needed are complex and far reaching, so getting started now is a good idea, even if the law changes a little before it goes into effect.
While there are many differences between the two laws, there are many similarities as well. These similarities allow us to cover major aspects of both laws together.
The core component of both laws is to give consumers more control – a lot more control – over what companies do with the data that is collected about them and, in many cases, sold. For both laws, while there are aspects of the law that only apply if your data is sold (with the term “sold” having an extremely broad definition), there are many aspects that apply even if the data is never, ever sold.
One of the requirements of the law is to give consumers a right to ask a company what data the company has collected about them, where the data is stored, who they shared it with and to obtain a copy of it.
Another right is, in at least some cases, to request that the company delete the data, again, no matter where it lives.
These rights make it critical that a company understands what data it has, where it lives and what the data “flows” are.
For both laws, it does not matter where the company is located, but rather where the people whose data it holds are located. For GDPR, individuals who are in the European Union are covered. For CCPA, California residents are covered. For CCPA alone, there are probably over a half million businesses that are impacted.
With all that background, here is our recommendation for step 1.
STEP 1 – CREATE A VENDOR DATA INVENTORY.
Our vendor data inventory or VDI process identifies all vendors that a company does business with – from the Post Office to some niche cloud-based software service.
For each vendor, we collect information such as what type of data is collected, how it is shared, where it is stored, what the risk level of the exposure is, whether there is a contract with the vendor, who in the company is ACCOUNTABLE for that vendor relationship and many other fields.
Even for a small company, we have found that there are often 100-200 vendors in this list.
For larger companies, it could be up to a thousand.
The company identifies a point person to work with us and the process begins.
In many cases, we discover that NO ONE is accountable for a particular vendor relationship. In some cases, very few people are even aware that it exists.
Often accounting is a good place to start, because vendors usually get paid. Not always, though: Gmail, for example, is free.
Even the free vendors have to be accounted for. So do the vendors that someone in a branch office pays for on a personal credit card and later expenses; those have to be captured too.
One way to catch the personal credit card payment is for accounting to refuse to reimburse employees for these charges. Once the particular account is turned over by the employee to IT or vendor management and the company has control of the account and the data, then accounting will be authorized to reimburse the employee.
Remember, whether the account is free, employee paid or company paid, the company still owns the liability under both laws.
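As an added example (not code from the original article or from our VDI process), here is one way to use accounting as the starting point described above: reconcile the accounts-payable ledger and employee expense claims against the inventory, and flag the gaps the article calls out. The inventory records, ledger payees and expense lines are constructed, and the field names are assumptions about how a VDI might be kept.

```python
"""Reconcile accounting records against a vendor data inventory (VDI).

Added example, not code from the original article. All records below are
constructed; the VendorRecord fields are an assumed layout for a VDI.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass
class VendorRecord:
    name: str
    data_types: List[str]             # kinds of personal data the vendor receives
    storage_region: str               # where the vendor stores it
    shared_with: List[str]            # onward recipients the vendor has disclosed
    risk: str                         # "low" / "medium" / "high" exposure rating
    contract_on_file: bool
    accountable_owner: Optional[str]  # None means nobody owns the relationship


# Constructed inventory (assumption: this is what a VDI looks like)
VDI: List[VendorRecord] = [
    VendorRecord("Acme Cloud CRM", ["name", "email", "purchase history"],
                 "us-east", ["Acme's email relay"], "high", False, "sales-ops"),
    VendorRecord("US Postal Service", ["name", "postal address"],
                 "US", [], "low", False, None),
    VendorRecord("Payroll Co", ["name", "SSN", "bank account"],
                 "us-west", [], "high", True, "hr"),
    VendorRecord("Free Webmail", ["email", "message bodies"],
                 "unknown", [], "medium", False, None),
]

# Constructed accounts-payable payees, spelled as the ledger has them
AP_PAYEES: Set[str] = {
    "ACME Cloud CRM", "US Postal Service", "Payroll Co", "Niche Survey SaaS",
}

# Constructed expense-reimbursement lines: (vendor, employee, memo)
REIMBURSEMENTS: List[Tuple[str, str, str]] = [
    ("Niche Survey SaaS", "jdoe", "monthly subscription, branch office"),
    ("Acme Cloud CRM", "asmith", "extra seat"),
]


def normalize(name: str) -> str:
    """Ledger spelling rarely matches the inventory; compare case- and space-insensitively."""
    return " ".join(name.lower().split())


def vendors_not_in_inventory(inventory: List[VendorRecord], ap_payees: Set[str],
                             reimbursements: List[Tuple[str, str, str]]) -> List[str]:
    """Vendors that accounting pays (directly or via reimbursement) but the VDI never captured."""
    known = {normalize(v.name) for v in inventory}
    seen = {}  # normalized name -> first spelling encountered, for readable output
    for name in list(ap_payees) + [vendor for vendor, _, _ in reimbursements]:
        seen.setdefault(normalize(name), name)
    return sorted(spelling for key, spelling in seen.items() if key not in known)


def entries_missing_owner(inventory: List[VendorRecord]) -> List[str]:
    """Inventory entries where no one in the company is accountable for the relationship."""
    return sorted(v.name for v in inventory if not v.accountable_owner)


def entries_missing_contract(inventory: List[VendorRecord]) -> List[str]:
    """Vendors that receive personal data with no contract on file."""
    return sorted(v.name for v in inventory if v.data_types and not v.contract_on_file)


def reimbursements_to_hold(inventory: List[VendorRecord],
                           reimbursements: List[Tuple[str, str, str]]) -> List[Tuple[str, str]]:
    """Expense claims to hold until the account is handed over to IT or vendor
    management: claims for a vendor that is not yet in the inventory."""
    known = {normalize(v.name) for v in inventory}
    return [(vendor, employee) for vendor, employee, _ in reimbursements
            if normalize(vendor) not in known]


if __name__ == "__main__":
    print("Paid but not inventoried:", vendors_not_in_inventory(VDI, AP_PAYEES, REIMBURSEMENTS))
    print("No accountable owner:    ", entries_missing_owner(VDI))
    print("No contract on file:     ", entries_missing_contract(VDI))
    print("Hold reimbursement:      ", reimbursements_to_hold(VDI, REIMBURSEMENTS))
```

The name normalization matters in practice: ledgers and inventories are kept by different people and rarely spell a vendor the same way, and a naive string comparison would report a vendor as "missing" that is really just mis-capitalized.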
If this seems daunting, it can be, but we can make the process less painful.
Watch for the next step – create data flow maps.