Written by Kapil Khadgi
ServiceNow Practice Head at Royal Cyber
California Consumer Privacy Act (CCPA) compliance strengthens data protection mechanisms and gives California residents more control over their personal information and over how organizations collect, store, and use that data.
Data is more influential and powerful than ever in today’s world. With companies increasingly collecting and using consumer data, governments are taking notice and establishing new regulations that focus on data privacy and security. The new rule, CCPA, passed by the State of California, came into effect in January 2020, and its enforcement started in July 2020. CCPA is a California-specific law for for-profit organizations conducting business in the region. This act follows in the footsteps of the European Union’s General Data Protection Regulation (GDPR), which outlines requirements for individuals’ data privacy.
Even though companies are trying to comply with CCPA, there is still a long way to go. A comprehensive solution that can help companies achieve compliance, boost the consumers’ confidence, and expand data-based research and products will ensure smooth implementation of CCPA.
ServiceNow provides a comprehensive Governance, Risk, and Compliance (GRC) solution that helps companies address CCPA. GRC monitors applications that interact with personal data and ensures that they meet California residents’ requirements and comply with the Act’s requirements.
The following are the capabilities of the ServiceNow GRC solution:
Implementing solutions and complying with CCPA requires organizations to follow best practices. Some of them are:
1. Understand data - At the beginning of your compliance journey, understand your data, comprehend its landscape, and identify personal information in applications and systems. The organization must ensure that it does not collect and store any personal information in its database. It must also ensure that the data saved in the database, when combined, does not identify an individual. Any personal information found must be categorized as sensitive and vetted by the legal or data privacy team.
2. Manage rights of consumers - The main objective of CCPA is to grant individuals the right to protect their data. Organizations must try to fulfill this by defining clear roles, responsibilities, and processes that satisfy consumer rights. Organizations must establish an automated approach to verify and validate personal information in order to protect consumer rights. Organizations must also audit their records and track SLAs for consumer requests. Automated emails to consumers for confirmation, clarifications, SLAs, etc., must be sent. A data repository or store that saves all the personal information about consumers must be encrypted so that the data is not misused by anyone in the organization.
3. Manage vendors - Organizations involved in collecting and selling personal data with vendors must establish processes to adhere to the CCPA requirements. It is essential to collect documents from the vendor during onboarding, capturing privacy notice disclosures and privacy regulatory compliance details. The vendor contract must list the circumstances under which the vendor will share the consumer’s personal information, the liability in case of a breach or violation, and the data security measures in place to protect data. Organizations must conduct regular audits and build a termination policy in case of a CCPA breach.
4. Archive and retain data - According to the CCPA, the consumer’s personal information must be archived and retained for a particular period. Once that period ends, the organization must delete the archived information from the system. Organizations must set up a data archival and retention policy for the various data categories to determine when data is disposed of from the repositories. Businesses must also define rules and a RACI matrix to operationalize the data retention policy.
5. Training and monitoring - After implementing the solution, the organization’s staff must be trained on data privacy and CCPA requirements so that they can handle queries well. Organizations must build training material for CCPA queries and SOPs for rights fulfillment. They must also create flyers, emailers, and manuals to spread CCPA awareness among the organization’s employees. Businesses must also establish an ongoing monitoring mechanism to ensure that CCPA compliance is in place and that employees adhere to the CCPA requirements. A Data Privacy Impact Assessment must be conducted periodically or on the adoption of new business processes. A clearly defined RACI and a validation and sign-off policy must be established for risk mitigation and acceptance by the compliance team.
6. Reporting to government authorities - CCPA imposes fines on organizations in case of a breach. Organizations must use reporting dashboards to track metrics and see which areas are not compliant. A breach monitoring mechanism will help in monitoring violations through a central dashboard. Businesses will also be able to foresee risks and issues that may arise, track their progress, and address them with mitigation strategies or control measures.
With an increase in the number of regulatory requirements and complexity around them, organizations find it challenging to comply fully with CCPA. Organizations need holistic solutions that can automate the CCPA compliance process. Royal Cyber uses the NOW platform’s capabilities to prepare organizations for the future and navigate a minefield of possible risks with the help of customized solutions designed specifically for clients worldwide.
Royal Cyber has also partnered with OneTrust, which provides free tools to automate CCPA compliance programs. Our team can complete the ServiceNow and OneTrust integration in 1-2 days, enabling organizations to identify where customers’ data is kept and used. The integration streamlines the organization’s ability to engage and respond quickly to consumer requests regarding cookie compliance, preference management, and policy management. If you are looking to implement CCPA in your organization, connect with us at info@royalcyber.com.