Other parts of this series:
- The Challenge and the opportunity of the California Consumer Privacy Act
- Designing a comprehensive data privacy and security program
- Meeting California Consumer Privacy Act requirements with existing capabilities
- Capabilities and controls for a robust data privacy program
- Privacy Regulations: What approaches are emerging from financial services?
- Addressing privacy regulation within a broader “consumer rights” program
In the first blog in this series, we looked at the evolution of consumer data privacy and security regulation and at some of the implications of the new California Consumer Privacy Act (CCPA), which is scheduled to go into effect in January 2020.
As we noted, our research indicates that consumers believe trust is a key driver of brand loyalty, but nearly six in ten (58%) of consumers surveyed said they would consider asking their financial services provider to delete personal data, even if it meant they would no longer be contacted or served as a customer. Companies must strike a balance between obtaining and using consumer data and making it clear to consumers (and regulators) that such data is properly safeguarded.
When viewed from the right perspective, the regulatory “burdens” of CCPA can be seen as opportunities to improve processes while expanding and strengthening customer relationships. For example, the requirement that companies keep detailed records of their data processing can be met through enterprise-wide mapping of customer data, which in turn delivers more efficient data operations (you cannot honor a deletion or access request for data you cannot locate).
Similarly, improved privacy risk management helps companies meet stricter governance requirements, leading to better relationships with regulators. Accountability for data shared with third parties is achieved through a deliberate sharing strategy (knowing which vendors receive which data elements, under what contractual terms), which also extracts more value from the data that is shared.
An important first step for companies looking at their CCPA response is to assess and evaluate existing capabilities in areas including:
- Data governance. Existing capabilities in identifying and governing sensitive data can help in the discovery and mapping of consumer data in an expanded program.
- Data protection practices. Practices such as encryption and authentication (which many companies have put in place in response to the New York Department of Financial Services cybersecurity regulation, 23 NYCRR Part 500) and existing data loss prevention controls can be leveraged when determining the scope of the program. Encryption matters under CCPA in particular because its private right of action for data breaches applies to nonencrypted and nonredacted personal information, so an accurate inventory of which data stores are encrypted at rest directly shapes exposure.
- Consumer communication channels. Processes for communicating with consumers regarding data management (for example, under the Gramm-Leach-Bliley Act or existing privacy notices) can be extended to address any unique requirements of the new program.
- Risk and control frameworks. Existing risk and control frameworks in areas such as compliance, third-party data and information security can be leveraged to accelerate the path to compliance in consumer rights.
In building a CCPA framework that can support broader consumer rights initiatives, companies can also learn from others’ experience in responding to the General Data Protection Regulation (GDPR) in Europe. It is clear, for example, that business involvement is essential to a successful response, as compliance is more than just a risk, IT, security or legal project. Cross-functional teams are necessary.
Companies also need to focus on the highest risks first, while developing a roadmap to address remaining areas. Compliance takes significant effort and organizations need to engage with stakeholders inside and outside the enterprise to create opportunities from CCPA investments.
In the next blog in this series, we will look at some of the strategic and operational components needed within a change program to meet the expectations of CCPA.
To find out more about the CCPA, please contact me.