When GDPR mandated Privacy Impact Assessments (PIA), lawmakers had the best of intentions. They wanted companies to understand how personal data is used in their business process. And, they wanted to see demonstrable proof – a tangible output – of privacy practices. Admirable in theory. But unworkable in practice.
GDPR’s PIA focus asked you to “boil the ocean”
Without clear definitions of “business processes” the scope of GDPR’s PIA challenge was beyond belief for many companies. To meet the requirement, they struggled to identify every system in their organization that contained personal data, including their enterprise tech stack and shadow IT.
Then, they set out to create a PIA for each one. Microsoft created 41,000 PIAs. Even a mid-sized company drowned in paperwork.
When everything is equal, you have to find everything. Everyone has a different opinion of where to start and there’s no end in sight.
CCPA’s customer-first approach drives prioritization
Now that companies are turning attention to the requirements of CCPA, the conversation has changed. We’ve seen a fundamental difference in the way they approach privacy management.
CCPA has no PIA requirement. There’s no need to create thousands of documents detailing every system and process across your organization.
Instead, CCPA’s primary focus is Subject Rights Requests (SSR), the right of a customer to request, change, or remove their personal information from your data stores. This approach puts the priority for managing personal data where it should be: creating trust with your customers.
Working backwards from the goal of processing a timely, accurate and clear SRR, you can focus on tech systems that directly impact customer data and communications:
- CRM systems like Salesforce
- Marketing and advertising systems
- Product usage data
- Technical support systems
- Billing systems
- ERP systems
- Customer communities
- Systems that provide customer data to you
- Third parties that process downstream data you provide
Once you’ve identified and categorized customer data throughout your data supply chain, you can ensure you have the capabilities to confirm and fulfill a customer’s data access request securely.
Our customers are saving thousands of hours spinning their wheels by prioritizing this way. They also reduce their risk more quickly by making sure they’re prepared for an influx of SSRs in 2020.
By the way, this customer-first approach isn’t limited to those preparing for CCPA. Companies collecting and processing European residents’ data are also using this method to knock out 70-80% of the work they’d need to do to produce GDPR’s PIAs. After starting with systems that touch customers, they can then move on systems that process employee and operational data.
Learn more about WireWheel’s SRR solution
You don’t need to boil the ocean to manage data privacy. Let’s talk about how you can achieve compliance, reduce risk, and build customer trust with WireWheel’s prioritized approach.