Achieving 100% complete CCPA compliance is a worthy goal. It is not always practical to achieve. There are limited IT security and compliance resources. Your own customer data and systems may make compliance challenging as well. That said, it would be irresponsible to simply give up and ignore your CCPA compliance responsibilities. Instead, you need to build a thoughtful CCPA compliance exception process.
Key Principles About Exceptions in Compliance and IT Security
For cybersecurity to succeed, you need to identify and protect every asset, process and person in your organization. At the same time, other considerations such as technology development, productivity needs and project work sometimes require exceptions. Before saying yes to a security or CCPA compliance exception request, it is critical to keep these principles in mind.
1) Policy exceptions increase risk exposure
Theoretically, if your organization allowed dozens or hundreds of exceptions, your policy would become an empty shell. Also, each CCPA compliance exception you approve creates more work for your managers to review and oversee these requests. Exceptions tend to require more judgment to use effectively. For instance, a junior developer with limited security expertise may need additional support if they obtain approval for a CCPA compliance exception.
2) Exception requests need a clear business rationale
Exceptions to a critical business policy should not be approved lightly — for example, an employee who wants an exception “just because” should not receive automatic approval. Instead, managers should challenge the request and ask the employee to demonstrate why an exception is required. As a rule of thumb, put the burden of proof on the requestor to show why the exception is needed.
3) Exception approval requests need to be approved appropriately
To ensure enterprise consistency, we recommend that all CCPA compliance exceptions should be reviewed centrally. For example, you might send all of these requests to a single manager in the IT or IT security department. In the case of large exception requests (e.g. more than 100 records or whole systems), escalate this request for executive review.
4) Manage the exception lifecycle
Start with the principle that exceptions are temporary by design. Approving a security exception for three months to allow for a security upgrade is reasonable. However, if there is no follow up process, that exception could remain in place for years after the project is over. To avoid a gradual weakening of your IT security protection, apply a regular review and closure process for exceptions. At a minimum, establish an annual review process for all CCPA compliance exceptions. If there are a large number of exception requests, review these requests for closure more often.
Tip: Make a note to review all exception requests periodically. If there is a large number of exception requests coming through, you may need to adjust your training or systems to reflect organizational needs better.
CCPA Compliance Exceptions: Examples To Consider
The exact type of exception requests you receive will depend on your internal company policies and your risk appetite. If you have a low appetite for risk, make it more challenging to get exception requests approved.
1) Technology Projects
Completing a technology project usually requires a change to your regular working practices. Let’s say you are moving from one marketing automation platform to another. During the migration and testing process, you may need to make copies of customer data to test the new system. In that situation, a short CCPA compliance exception may be reasonable.
2) Analytics Projects
Anonymized data analytics will only take you so far. You may decide to apply machine learning and other advanced techniques against your customer data files. To explore such analytics projects, a small-scale pilot project is one approach. Using all of your compliance safeguards to such a test may not be feasible. In that situation, a brief exception request may be considered.
3) IT Security Testing
Many companies use penetration testing, security audits and related techniques to evaluate their security. In these types of tests, you may decide to leave a small amount of customer data in the “open” during the test. Such a decision could simulate real-world conditions such as an employee neglecting to follow privacy protection. There is risk associated with this type of high fidelity security testing, so the exception should only be allowed on a short-term basis.
4) CCPA Compliance Policy Optimization
When you first create a CCPA compliance policy, you may not get it exactly right at the start. Your policy may be too difficult or restrictive to operate effectively. In that case, you may need to allow exceptions while you update the policy to align it with business requirements. Ideally, this type of exception request will be minimized by testing your CCPA compliance framework with a pilot group of users before rolling out across the organization.
Streamline CCPA Compliance Exceptions With Software
There are software tools that make CCPA compliance more comfortable to manage. Consider user access management as an example. You may have an internal guideline that restricts access to customer data to the sales department. However, a marketing employee may request data for analytics. Manually tracking the system access request with a spreadsheet and email is not practical or safe. Instead, use a system like Compliance Auditor to changes in a single book of record.
Next Steps For IT Security After CCPA Compliance
Meeting the requirements of a specific regulation or rule matters. However, governments create laws to apply to many different situations. Achieving compliance with CCPA, GDPR or other legislation is not enough to develop a full IT security program. Ultimately, you need to carry out your security risk assessment and build a program to manage those risks.As you develop your program, your team might start to feel overwhelmed with the workload. For example, forcing employees to wait on hold for password resets is no longer a best practice. Instead, you should consider providing more convenient options such as an IT security chatbot, which can fulfill password requests 24/7. While we’re talking about passwords, make sure you equip your employees with relevant training, or they may fall into bad habits like password reuse disease.
