Governance Risk and Compliance

CCPA Compliance: What Data Controllers Need to Consider

[Cloud Compliance, Advanced, 5 minute read, Governance Risk and Compliance]

When the California Consumer Privacy Act (CCPA) came into effect on 1 January, enterprises were forced to think again about the way they protect personal data in the wake of more new data privacy legislation.

They've been presented with new IT challenges where, just as regulations have been tightening up, they've been storing information on an increasingly diverse range of storage systems and data formats.

Not all solutions are up to the job or geared towards the modern cloud landscape, where companies store data in a huge variety of structured and unstructured forms. As a result, CCPA compliance calls for a new breed of data protection tooling—with features that can perform the following functions.

In our previous post about the CCPA, we discussed the key features of the act and practical steps data controllers could take to comply with the legislation. In this follow-up post, we turn our attention to data protection technology that can help meet those compliance objectives.

Identify Sensitive Data in Any Storage Environment

Until recently, enterprise data protection predominantly focused on traditional business applications and database management systems that were generally under IT control. But new data protection regulation guidelines, such as the GDPR and CCPA, are far more explicit about the nature of data your company needs to protect.

As a result, you can no longer ignore the vast amounts of text-based data your company hosts elsewhere. Much of this comes in the form of shadow IT—through ungoverned use of cloud-based storage services and productivity tools, such as Office 365, Google Drive and Evernote.

Many employees use these services to store sensitive data, such as names, home addresses, medical records, legal contracts and intellectual property, blissfully unaware of your company's security and compliance obligations, or that this risks sensitive data exposure.

So the only practical way to keep track of all this data is to use a solution that can identify sensitive data in any storage environment, giving you visibility over your entire storage inventory from a central point of control.

Alternatively, you could use a number of different tools designed to work with each individual service. However, this can not only be a logistical nightmare, but also lead to blind spots in your data protection coverage.

Process Right-to-Access Requests

The CCPA has granted new privacy rights to California citizens, who can now request the personal data you store about them. You must provide this information promptly and, under normal circumstances, within 45 days. In addition, California residents can also request you delete their data.

In the case of either of the two rights, you can only decline a request under certain conditions and must administer requests free of charge. It's therefore essential you're able to remove or retrieve information about a customer as quickly and efficiently as possible. But, without the right tooling, this can be a complex and protracted process involving a multitude of business departments and extensive manual labor.

A data protection platform that's fit for purpose will give you a complete picture of the data you store about your customers, so you can access all the required information in seconds or minutes rather than hours, days or even weeks.

It should also be able to quickly export that data. This should be in a user-friendly format the customer will easily understand.

Locate Unprotected Personal Data

The Californian state can impose a civil penalty of up to $7,500 per violation on any company that is in breach of the CCPA and fails to address the requirements of the law within 30 days. In addition, any California citizen will also have the right to pursue damages of up to $750 per incident in the event of exposure. So not meeting CCPA compliance goals can be costly.

In view of just how many consumers could be affected by a contravention, this could add up to a huge potential fine. However, protecting your company's data is no easy challenge. You have to share information with customers, suppliers and service providers as part of the day-to-day running of your business. Because so much of this data is exchanged in varying formats, such as emails, MS Word documents and MS Excel spreadsheets, data privacy can be difficult to govern.

Data protection solutions should be able to recognize sensitive data within these different media formats. Not only that, but they should also understand the nature of that data and categorize it accordingly.

In an enterprise setting, this is essential to ensuring blanket compliance, by making it quick and easy to delegate data protection responsibility to the appropriate department within your company.

For example, HR teams tasked with the responsibility for protecting employee and job applicant details will be able to quickly identify unprotected personal information that comes within their remit and, where necessary, request prompt remedial action by your IT department.

Offer Regulation-Specific Functionality

Data protection tools are only as good as the people that use them. So if you're not utilizing them correctly, or to their full potential, you could be guilty of serious compliance oversights that put your company in breach of the law. In particular, users may not fully understand what data they should protect to be compliant with a very specific and complex data privacy regulation.

Enterprises need to adopt applications that support regulation-specific functionality and make it harder to make mistakes—where all the user has to do is specify the legal framework they want to comply with and the software does the rest.

Get The Right Tools to Address CCPA

New data privacy laws, such as the CCPA, have rewritten the data protection rulebook. Existing rule-based solutions are no longer fit for purpose. They're simply not cut out for the new generation of mass-market cloud-based storage services and cannot understand the context of the data they store.

In addition, it's important to periodically review your storage systems to ensure they provide the right level of security and meet the requirements of the CCPA and other regulations that may apply to your organization. CCPA compliance calls for tools that go beyond simply matching terms and categorizing data. For Cloud Volumes ONTAP, Azure NetApp Files, and Amazon S3 users, those tools all come with Cloud Compliance.

Cloud Compliance is a fully featured data privacy mapping solution that will help you assess the risk to your data through capabilities:

  • Advise you of any unencrypted volumes.
  • Understand the data on those volumes and identify any sensitive data.
  • Tell you the number of data subjects affected and the nature of the risks involved.
  • Automatically respond to data subject requests.

Cloud Compliance is an AI-driven data mapping technology that can understand the context of data and drill down to exactly the information you need to protect in any cloud you store it in. This helps cut the costs of protecting your data to meet data protection compliance requirements because it eliminates manual processes.Above all, they should have the capability to analyze and interpret data in any type of storage environment.

Cloud Compliance Free Trial

-