The Biggest Mistakes Companies are Making Under the CCPA
The CCPA (California Consumer Privacy Act) officially took effect on January 1, but with enforcement regulations still not finalized, some provisions of the law have not yet been implemented.
If your organization is stuck playing ‘catch up’ to comply with CCPA enforcement on July 1, here are a few key efforts that will have the biggest impact on your compliance. These include:
• The ability to respond to consumer requests for data
• Preventing and managing breaches of personal data, and resulting fines and professional risks
• Maintaining proper preservation of data needed for civil or criminal litigation
These critical gaps tend to track with the biggest mistakes that many companies are currently making to comply with the CCPA.
Mistake #1: Failure to connect “Right to be Forgotten” with Retention Regulations
There’s been a lot of buzz surrounding the July 1 deadline, as well as the overall cost to companies of completing these “right to be forgotten” requests. It’s critical that your company has an updated data inventory so that the teams or individuals in charge of fulfilling these requests can quickly and efficiently find the required information across enterprise shared drives and physical hard drives.
With all of this to work through, plus the data potentially changing hands multiple times, mistakes are easily made. What if a company receives a request for deletion, but the requested data is already bound by another law or regulation, such as a legal hold? Deleting data that could be relevant to anticipated or pending litigation can have devastating consequences. That’s why it’s important that your company or organization establish procedures that reconcile “right to be forgotten” customer requests with retention regulations under the CCPA.
Mistake #2: Too much paper, not enough security
For many small and mid-sized businesses, file cabinets and paper records are still a reality. Enterprises that have been around for decades may still have unchecked boxes of documents and paper records that no longer serve a business purpose. However, it’s still data, it still needs to be produced in response to a consumer request, and paper records have played a key role in recent data privacy litigation. Here’s why:
The CCPA doesn’t distinguish between electronic and paper data. Whether it’s paper or digital, the question for most businesses remains the same: Why is the data being retained in the first place? Has its business purpose been fulfilled? If so, it’s a hazard to keep this information.
Lax enterprise retention enforcement has the potential to become an even bigger problem for some organizations. Retention standards play a key role in the third mistake many companies are making.
Mistake #3: Retaining too much data and the risk of security breaches
It’s simple: Data you don’t have can’t be breached. There is nothing to protect if you don’t hold the data, and you don’t have to spend time fulfilling customer requests for deletion if retention standards are in place and enforced.
Although the best-case scenario is that a company never suffers a data breach, breaches actually occur on a regular basis. Breach violation costs under the CCPA can be detrimental to your business. While the CCPA doesn’t have a retention standard the way the GDPR does, the fine of up to $750 per data subject shows how unsustainable the cost of a breach affecting 10,000 or more individuals could be.
While we are still in the early stages of data privacy regulations, we’ve seen enough evidence that building and enforcing retention policies can help prevent enterprises everywhere from becoming the next big horror story.