You need to achieve CCPA (California Consumer Privacy Act) compliance. There’s just one problem. It is going to take resources and participation from multiple departments. Persuading people one at a time is not going to cut it. You need to win executive support for CCPA compliance. To win that support and keep your company out of hot water, use this short guide to CCPA compliance.
Note that we cannot provide legal advice. Instead, view this article as information to help you plan your approach to CCPA compliance. If you find yourself facing CCPA compliance problems, seek the assistance of a qualified legal professional.
Prepare Yourself First
You need to start by doing your homework on the CCPA first. Reading about laws and regulations may not be your idea of a good time. Fortunately, we have some good news for you. You can probably learn the fundamentals in less than a day. Depending on your situation, there are two routes to consider to get up to speed.
Perform Self-Guided Research on CCPA Fundamentals
Read up on the fundamentals of CCPA by checking out these resources:
- California Consumer Privacy Act (CCPA) (State of California). Start by reading the official documents about the law from California.
- A quick reference guide for CCPA compliance (Deloitte). This resource includes an analysis comparing CCPA to Europe’s GDPR (General Data Protection Regulation).
- 10 things you need to know about CCPA compliance (Compliance Week). Aimed at compliance professionals, this article gives a user-friendly overview of the law.
As you read through these materials, critically reflect on the following question: what does this mean for my company? For example, you might determine that the law does not apply to you. For instance, companies below a certain revenue threshold ($25 million per year at the time of this writing) are not expected to follow the law.
Leverage Company Specific Expertise
In larger companies, you might have specialized corporate areas such as legal and compliance that can provide further advice. Reach out to your internal network to ask for feedback on CCPA compliance. If your company does not have these resources, check with your professional network for tips as well.
Develop Your CCPA Presentation For Executives
Executives are busy people with a long list of projects and people to manage. That’s why you need to prepare in advance and choose a clear objective. To be clear, you want to avoid “educating executives about CCPA” as your goal. That’s equivalent to dumping a problem on their desk and walking away. Instead, include up to three options for a solution and your recommendation for the next steps.
To help you organize your executive presentation, use this step by step presentation development process.
1) What is CCPA, and why does it matter to our company?
Briefly define the CCPA’s main provisions and explain why it is relevant to your company’s situation. Remember, the CCPA does not apply to all companies, so your executives may have questions on whether or not the law is relevant.
2) What’s the risk of failing to act on CCPA compliance?
In this part of your presentation, make the pain of non-compliance with the California Consumer Privacy Act (CCPA) clear. At the time of this writing, the California government’s website states: “The Attorney General cannot bring an enforcement action under the CCPA until July 1, 2020.” If you are reading this before July, you have some time to get ready. If you are reading this after July 2020, you need to know the consequences of non-compliance.
There are two types of penalties associated with the CCPA. First, your company may suffer fines of $2500 to $7500. Second, the law empowers consumers to bring lawsuits for data breaches regardless of the harm done to the data. Given the scale of recent data breaches, these penalties could quickly become extremely expensive.
3) Options for CCPA Compliance
Present a few options for CCPA compliance improvement. The particular solution you choose will depend on your circumstances. In general, a successful compliance project will include coverage for people (e.g. training, change management, staffing), processes (e.g. to prevent and detect relevant issues), and technology.
Regarding technology to assist with CCPA compliance, consider Avatier’s software solutions such as:
Identity Enforcer: Improve your access lifecycle management
If an employee resigns or leaves a company on bad terms, they may be motivated to steal customer data. Such action may trigger CCPA penalties. To lower the likelihood of that scenario, use Identity Enforcer to manage identity and access management access throughout the user lifecycle. Specifically, make sure that you address inactive user risk.
Compliance Auditor: maintain flawless access management logs and more
Picture this. Your company is brought to court for CCPA problems. If you are unable to show any evidence of your IT security processes in operation, you cannot expect a good outcome in court. That’s one reason why you need to use Compliance Auditor. Use the system to systematically track and log all identity and access management changes requests.
4) Make The Ask
In the final part of the presentation, request for resources to improve CCPA compliance. Specifically, you may need approval to hire (or assign) a project manager, budget to purchase software and training. In addition, it is a best practice to assign responsibility for ongoing CCPA compliance to a specific department. If you have prepared a strong business case, you will win executive support! Your next move will be to start the compliance project.
Tip: You may only receive conditional approval to define the project scope. That is perfectly fine as a next step.
Kick off the CCPA Compliance Project
Your CCPA compliance kick-off meeting is an excellent next step to launch the project. Make sure to invite representatives for each type of relevant stakeholder: marketing, legal, compliance, IT and other groups you may identify. Outline the overall goal of the compliance project – protecting the company – and then engage your project team and stakeholders. You don’t need to present a fully formed solution. Instead, ask for ideas and then work with your project manager to build a solution.
