In almost every client meeting I have had in the last 6 months, I get asked “What does the California Consumer Privacy Act (CCPA) mean for our data and data governance?” If you aren’t familiar, the CCPA is a law that provides consumers new rights regarding the collection of their personal data. It’s similar to the EU law GDPR (General Data Protection Regulation) that you might have heard of, but it’s much stricter. In a nutshell, CCPA means that a consumer can go out and request access to all of their data, and they can ask for it to be deleted. What I find is that clients that are successfully implementing CCPA compliance programs are focused on the following four areas.
1. Legal Interpretation of the Law
You shouldn’t expect your technology team to understand the law and interpret it at a detailed level. You’ll need to engage your legal team to provide that guidance. For example, if you’re a financial institution and your customer wants you to remove all of their data — this may conflict with an existing regulation that says you need to keep customer data for seven years. So, how do you know what to delete? You can’t expect the technology team to answer that question. That's for the legal team and the business team to determine. The question that the technology team can answer is what the impact will be when you delete a customer’s data. It is likely going to have a cascading impact on multiple systems, and you are going to need technology support to help assess and mitigate the impact.
2. Program and Change Management
Once you have applied the law to your business, you’ll likely want to stand up a program associated with implementing and complying with these new regulations. Don’t neglect the change management and project management components that you will need for that. Large organizations will need to conduct analysis, remediate legacy systems, build new policies, and implement new technical solutions to comply. Engaging with the business, legal, and technology teams requires strong program management capabilities to keep each team organized, and you will need to call in your change management team to get buy-in on the policy and procedure changes that will be part of a successful compliance program.
3. Data Governance
You simply have to have strong data governance in order to comply with these regulatory laws – if governance is new to your organization, consider taking a modern approach to implementation. Strong governance means you have to have strict data governance policies, procedures, and processes set up and in use. I find that many organizations do not have a governance strategy in place, which immediately puts them behind when it comes to complying with these new regulations. Those organizations that have strong governance are able to answer the key questions that the business and legal teams will ask as they interpret the laws:
- What customer data do we store?
- Where does a customer's data live? And on what systems?
- What is sensitive information about a customer?
- Is this information that would need to be deleted or shared back with the customer?
- What's the intended use of this data?
Having the ability to easily answer questions about where data comes from, and how it flows through IT systems is critical. If your organization is audited by a regulatory agency, you need to be able to point to policies and procedures that show how you handle customer data, and ultimately be able to demonstrate that the actual data represents the policy – all things that a strong data governance program will provide.
4. Modern Technology
You’ll most likely need to make a technology investment to support the new data governance policies and procedures. One capability that you’ll need is to easily be able to produce a data set that shows all of a customer’s data together from across all your systems. You’ll need this customer level detail so that when a customer requests to see their data, you can provide it.
Providing a single view of customer data sounds easy, right? Most organizations have data spread across multiple systems that have been acquired and developed over time. These disparate systems make connecting customer data challenging at best, and impossible at worst. Data may be spread across on-premises sources, as well as in the cloud, and may also be stored in specific cloud solutions such as Workday or Salesforce. Many organizations also still store data on mainframes that are costly to update, replace, or modernize. The bottom line is that it is difficult to integrate and connect all of those disparate systems – and that is exactly what is needed for compliance.
CCPA and GDPR force organizations to focus on governance, organize and curate data, and integrate data that was previously siloed. All this work will allow organizations to provide customer data when requested and delete it if asked.
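To make the governance questions above and the "single view" requirement concrete, here is an added example (not code from the original post) of a minimal personal-data inventory. It records which system holds which customer field, whether the field is sensitive, its intended use, and any mandatory retention period, and from that it answers an access request across systems and builds a deletion plan that keeps legally retained records (the seven-year example from the legal section) out of the delete set. Every system name, field, record and retention period here is constructed for illustration; the retention clock running from a `last_activity` date is an assumption, not something the post specifies.

```python
"""Added example: a toy personal-data inventory for access and deletion requests.
All systems, fields, records and retention rules below are constructed."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class DataElement:
    system: str            # where the data lives (constructed system name)
    field_name: str        # which customer field that system stores
    sensitive: bool        # is this sensitive personal information?
    purpose: str           # intended use of the field
    retention_years: int = 0   # 0 means no mandatory retention


# Hypothetical inventory: what customer data each system stores and why.
INVENTORY = [
    DataElement("crm", "email", False, "account contact"),
    DataElement("crm", "phone", False, "account contact"),
    DataElement("marketing", "browsing_history", True, "personalised offers"),
    DataElement("core_banking", "account_number", True, "transaction records", 7),
    DataElement("core_banking", "ssn", True, "identity verification", 7),
]

# Constructed per-system stores keyed by customer id. "last_activity" is a
# system-level bookkeeping field, not an inventoried customer field.
STORES = {
    "crm": {"c-42": {"email": "ana@example.com", "phone": "555-0100"}},
    "marketing": {"c-42": {"browsing_history": ["/cards", "/loans"]}},
    "core_banking": {"c-42": {"account_number": "0001-42", "ssn": "***-**-1234",
                              "last_activity": date(2019, 6, 1)}},
}


def data_map():
    """Answer 'what customer data do we store, and on which systems?'"""
    out = {}
    for e in INVENTORY:
        out.setdefault(e.system, []).append(e.field_name)
    return out


def sensitive_fields():
    """Answer 'what is sensitive information about a customer?'"""
    return sorted(f"{e.system}.{e.field_name}" for e in INVENTORY if e.sensitive)


def access_request(customer_id):
    """Single view: every inventoried field held for one customer, by system."""
    view = {}
    for e in INVENTORY:
        record = STORES.get(e.system, {}).get(customer_id, {})
        if e.field_name in record:
            view.setdefault(e.system, {})[e.field_name] = record[e.field_name]
    return view


def _add_years(d, n):
    try:
        return d.replace(year=d.year + n)
    except ValueError:  # 29 February rolled into a non-leap year
        return d.replace(year=d.year + n, day=28)


def deletion_plan(customer_id, today):
    """Split a customer's fields into deletable vs. legally retained.
    Assumption: the retention clock starts at the record's last_activity date."""
    delete, retain = [], []
    for e in INVENTORY:
        record = STORES.get(e.system, {}).get(customer_id)
        if not record or e.field_name not in record:
            continue
        key = f"{e.system}.{e.field_name}"
        if e.retention_years:
            expires = _add_years(record.get("last_activity", today), e.retention_years)
            if today < expires:
                retain.append((key, expires))
                continue
        delete.append(key)
    return {"delete": sorted(delete), "retain": sorted(retain)}


def apply_deletion(customer_id, today):
    """Delete only what the plan allows; retained fields stay in place."""
    plan = deletion_plan(customer_id, today)
    for key in plan["delete"]:
        system, field_name = key.split(".", 1)
        STORES[system][customer_id].pop(field_name, None)
    return plan


if __name__ == "__main__":
    print(access_request("c-42"))
    print(apply_deletion("c-42", date(2020, 1, 1)))
```

The point of keeping the inventory separate from the stores is that the access and deletion logic never has to know each system's schema; adding a system means adding inventory rows, and the legal team's retention decisions live in one place that an auditor can read.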
The Silver Lining
The thing that people aren't thinking about is that this is a wonderful opportunity for you to connect all of your customer data in a way that gives you the ability to use it as a competitive advantage.
Since the government is effectively making you undertake work you may have otherwise put off, it is a great time to ask the question, “What can I do once I have all of my data connected?” Being compliant also means you’ll have a richer set of customer data than you have today – data that can be used as an asset to accelerate your business. If you develop an upfront strategy and roadmap, you can comply with these regulations while also delivering business value through the connected, curated data the initiative will create.
How to get Started
CCPA goes into effect on January 1st, 2020. Establishing a compliance program takes time, and many organizations are just now starting to develop their compliance strategy and roadmap. As you are developing a plan and working to understand how the law applies to your organization, you should also consider conducting a data assessment. An assessment provides an analysis of how customer data moves through each system, how it is connected, and what processes and policies manage it. An assessment also provides recommendations for how best to address technology and data governance related gaps in your customer data processes — getting you one step closer to compliance.