3 Data Privacy Fundamentals to Prepare for CPRA, CPA, & CDPA
If your business handles consumer data, chances are you’ve become conversant in consumer data privacy regulations such as Europe’s General Data Protection Regulation (GDPR) and California’s Consumer Privacy Act (CCPA). Those data privacy laws offer a preview of new requirements coming your way in the months ahead.
On January 1, 2023, the California Privacy Rights Act (CPRA), which amends and expands the CCPA, takes effect, and Virginia’s Consumer Data Protection Act (CDPA) takes effect the same day. Colorado’s Colorado Privacy Act (CPA) takes effect on July 1, 2023. More state-level privacy legislation is in the works for 2023 and beyond.
Do you think data privacy laws won’t impact your business?
Businesses that have so far been untouched by data privacy regulations can expect a growing legal obligation to protect consumers’ data as more consumers demand privacy rights and more states legislate them.
How can you prepare your business for so many different privacy frameworks? At this stage in the game, it pays to step back and look at the requirements on a macro level. You’ll see there are more similarities than differences among the various state laws.
Three “big-picture” privacy fundamentals
No matter how many privacy laws impact your business – no matter how many are enacted down the road – getting three fundamentals in place will set you up for compliance (and fewer headaches).
1. Understand where your data is and how to get to it
One requirement CPRA, CPA, and CDPA have in common is responding to Data Subject Access Requests (DSARs) and compliance reporting requests. That means you’ll need to be able to access, modify, and possibly delete data in the backend data management systems that host personal data. When you start receiving DSARs, you’ve got to know where the relevant data resides and how to access it efficiently, within the statutory response window.
If you’re like most companies, you have vast data stores, and they often sit in silos. Customer data may be inside CRM systems, marketing databases, product databases, customer care logs, or other repositories. Employee data may live in HR, financial, or healthcare systems. To uncover where all of this data lives, run a data discovery and data mapping process that gives you visibility into the systems holding personal data and shows how that data flows between them.
Thorough data discovery and data mapping produce a good data inventory: for each system, which tables and fields hold which categories of personal data, and which identifier (an e-mail address, an account ID) ties a record to a person. That inventory is what lets you query your data stores quickly and makes the DSAR process go smoothly in the future.
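The discovery, mapping, and DSAR lookup steps above, as an added example that is not part of the original article and not any vendor’s tool. It uses small constructed in-memory tables standing in for siloed CRM, marketing, and HR systems; the column names, sample values, and pattern-based classifiers are assumptions for illustration. The script builds an inventory of which columns hold which category of personal data, then answers an access request and a deletion request for one subject across every system, normalizing the e-mail key so that a differently cased copy in the marketing list is still found.

```python
import re

# Constructed sample data stores standing in for siloed systems (CRM, marketing,
# HR). Every row and value here is made up for the example.
DATA_STORES = {
    "crm": {
        "contacts": [
            {"id": 1, "full_name": "Ada Example", "email": "ada@example.com", "phone": "555-0100"},
            {"id": 2, "full_name": "Bob Sample", "email": "bob@example.net", "phone": "555-0101"},
        ],
    },
    "marketing": {
        "campaign_list": [
            {"subscriber": "ADA@example.com", "segment": "newsletter", "opted_in": True},
            {"subscriber": "carol@example.org", "segment": "promo", "opted_in": False},
        ],
    },
    "hr": {
        "employees": [
            {"emp_no": "E-7", "work_email": "bob@example.net", "ssn": "123-45-6789", "salary": 90000},
        ],
    },
}

# Value-based classifiers, checked in this order so an SSN is not mis-tagged as
# a phone number. Patterns are assumptions chosen for the sample data.
PII_PATTERNS = [
    ("email", re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")),
    ("ssn", re.compile(r"^\d{3}-\d{2}-\d{4}$")),
    ("phone", re.compile(r"^\+?\d[\d\s().-]{6,}\d$")),
]
# Column-name hints for categories that cannot be recognised from values alone.
NAME_HINTS = {"name": "name", "salary": "financial"}


def classify_column(values):
    """Return the PII category for a column, or None, by sampling its string values."""
    strings = [v for v in values if isinstance(v, str) and v]
    if not strings:
        return None
    for category, pattern in PII_PATTERNS:
        if all(pattern.match(v) for v in strings):
            return category
    return None


def build_inventory(stores):
    """Data discovery: map (system, table, column) to a personal-data category."""
    inventory = {}
    for system, tables in stores.items():
        for table, rows in tables.items():
            if not rows:
                continue
            for column in rows[0]:
                category = classify_column([r.get(column) for r in rows])
                if category is None:
                    for hint, hinted in NAME_HINTS.items():
                        if hint in column.lower():
                            category = hinted
                if category:
                    inventory[(system, table, column)] = category
    return inventory


def locate_subject(stores, inventory, email):
    """DSAR access: every record keyed by the subject's e-mail, across all systems."""
    key = email.strip().lower()
    hits = []
    for (system, table, column), category in inventory.items():
        if category != "email":
            continue
        for row in stores[system][table]:
            if str(row.get(column, "")).strip().lower() == key:
                hits.append({"system": system, "table": table, "record": row})
    return hits


def erase_subject(stores, inventory, email):
    """DSAR deletion: remove the subject's records in place; returns how many were removed."""
    hits = locate_subject(stores, inventory, email)
    for hit in hits:
        stores[hit["system"]][hit["table"]].remove(hit["record"])
    return len(hits)


if __name__ == "__main__":
    inv = build_inventory(DATA_STORES)
    for location, category in sorted(inv.items()):
        print(f"{'.'.join(location):35s} {category}")
    for hit in locate_subject(DATA_STORES, inv, "Ada@Example.com"):
        print(hit)
```

Two design points carry over to real systems: the inventory is keyed by location (system, table, column), so a DSAR handler iterates over the inventory rather than over every table, and the subject identifier is normalized before comparison, because copies of the same person’s data rarely share exact formatting across silos.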
2. Understand how your data is used, who can access it, and ensure that usage aligns with consent and policies
A privacy impact assessment puts you a step ahead here: it identifies how each category of personal information (PI) is collected, used, transferred, or disclosed, and for what purposes. These categories may include:
- Sensitive consumer personal information (PI)
- B2B contact personal information (PI)
- Employee/contractor personal information (PI)
In addition to reviewing your own internal policies and compliance, it’s time to review how and what you communicate to consumers about your privacy practices. Above all, transparency is key when it comes to consumer privacy rights.
Some questions to ask yourself:
- Are you giving appropriate notice to consumers?
- Are your policies easy to find on your website?
- Where is consent required and how do you collect and manage that consent?
- Do you give just-in-time notices of data collection and use, for example before a consumer downloads a mobile application?
3. Think about data privacy automation to operationalize your program for scalability
Now that you’ve got a good understanding of your data, it’s time to consider the speed and scale required to access it under the new privacy laws. No matter how well you’ve mapped your data and scrubbed your use cases, the sheer volume of consumer data requests and reporting requirements could crush even the most nimble business.
It’s virtually impossible to collect data manually at the scale, speed, and accuracy required for DSARs and ongoing compliance reporting. To have that level of granular supervision and control, you need an automated way to log, classify, and validate the repositories of personal data that may be subject to DSARs. Now is the time to start exploring how technology can help build out your privacy program so it scales to the volume and variety of DSARs and compliance requests you’ll receive under CPRA, CPA, and CDPA.
Start exploring different technologies for automating your privacy program so you have time to choose a vendor that’s the right fit for your business. You’ll want to find a solution that can take on the heavy lifting as more and more jurisdictions enact privacy laws. Whether it’s managing DSARs or documenting the maturity of your privacy program, the technology should be capable of taking on those operational burdens.
Remember that consumer data probably flows beyond the (virtual) walls of your business and into the hands of third-party vendors. For example, it’s common to turn over customer lists to an external marketing company to run your advertising campaigns. Make sure your contracts with those vendors obligate them to the same data privacy and security standards that you maintain in-house.
If you’re reading this now, you’ve already got a head start
Congrats! You’re taking a proactive stance and placing a high value on consumer data privacy. By assessing your current privacy practices, identifying gaps, and making plans to automate and scale your processes, you will be a step ahead. Get the moving parts in place now and you’ll be ready for any state laws that come your way.