Preparing for CCPA: 4 Data Privacy Best Practices to Follow

by Sarah Harvey / October 22nd, 2019

The California Consumer Privacy Act has been regarded as the strictest data privacy law in the United States in our time, and yet many organizations still don’t know where to start with their compliance efforts. Does the law even apply to them? How can they ensure compliance? What steps do they need to take? While no two journeys toward CCPA compliance are the same, we’ve rounded up four data privacy best practices that you can follow to help with your CCPA compliance efforts. Let’s take a look at what those are.

4 Data Privacy Best Practices to Help with CCPA Compliance

Between GDPR, PIPEDA, CCPA, and the plethora of other data privacy laws going into effect, there are a few data privacy best practices that organizations can follow. When it comes to preparing for CCPA, we suggest following these four best practices:

1. Create an internal privacy framework

An effective internal privacy framework is the foundation of your organization’s data privacy compliance efforts because it lays out what you must do to comply with CCPA and how you will do it. Typically, when an organization creates an effective internal privacy framework, it takes the following into consideration:

  • Notices and disclosures
  • Access (internal and external)
  • Breach notification
  • Consent
  • Risk
  • Designated responsibilities
  • Data retention
  • Vendor management

2. Do more with less data

When it comes to complying with any data privacy law, minimizing the data you collect, use, store, and transmit is critical. Why? Because data minimization is typically a regulatory requirement, and it reduces your liability when it comes to protecting personal information. How do you do more with less data? You can start with data mapping, which will allow you to know what you have and what you absolutely need. Performing data mapping exercises can help identify situations where you need less personal information, such as the following:

  • When the function you provide could be performed without certain personal information
  • When the personal information is no longer needed
  • When the personal information is only needed from a subset of a population
  • When personal information is only needed for a subset of a population

3. Automate compliance efforts

Automated tools can be helpful for complying with data privacy laws, including CCPA, but they should not be treated as the be-all and end-all solution. To make compliance efforts easier, though, organizations might consider using privacy compliance automation tools to perform the following tasks:

  • Automate processes for consumers to access, delete, export, copy, or correct their personal information
  • Automate data mapping tools
  • Automate data protection impact assessment processes
  • Automate subscriptions to manage consent and opt-out requests

4. Get specific about your internal and external privacy posture

Data privacy laws are known for being ambiguous, but that does not mean that the privacy policies your organization creates should follow suit. Instead, they should clearly define the types of data you’re collecting, the purposes for collecting the data, how you’ll share the data with third parties, how you’ll retain the data, access rights to the data, and the security safeguards you’ll implement to protect the data. For CCPA specifically, privacy policies must also include a “Do Not Sell” button on your website if you sell personal information to third parties. In addition, your contracts must explicitly define what types of data you will share, how you share it, what activities you use the data for, and what obligations you have to support client or vendor compliance with privacy regulations.

Ultimately, preparing for CCPA compliance boils down to following these four data privacy best practices: start with broad privacy goals instead of focusing on one specific requirement from the law; minimize the data you collect, use, store, and transmit; take advantage of good automation tools, but don’t rely on them alone during your compliance efforts; and make specificity in your privacy policies and contracts a priority. If you’re looking for more guidance on your CCPA compliance efforts, let’s talk about how one of our Information Security Specialists can help.
