The state of California starts enforcing the California Consumer Privacy Act (CCPA) on July 1. With enforcement comes fines of $2,500 per compliance violation, which goes up to $7,500 if the violation is considered due to negligence. Californians can also sue you if their personal information is compromised through a data breach, again if due to company negligence.
Under CCPA, Californians have the right to know what personal information of theirs is collected, used, shared or sold by you; can ask you to delete their personal information; and can opt-out of the sale of their personal information.
CCPA compliance (like GDPR compliance before it and other government data privacy laws on their way) begins with you knowing all about your customers’ personally identifiable information (PII) data. You must be able to answer questions like:
- what data do you store?
- where is the data?
- who has access to the data?
- what is the data being used for?
There are many products and solutions out there that say they can tell you all about your data. When evaluating any type of data privacy or data identification software, make sure to ask these questions:
Are you scanning all of my data?
Some products just scan file names or column headers or rely on sampling. You need a solution that will deep scan and find all the nooks and crannies where PII could be hiding – such as servers, email systems
Can the solution learn as it goes?
A solution needs to go beyond the basic scan. Solutions armed with artificial intelligence and machine learning (AI/ML) see data dynamics and relationships, intentional or unintentional, that you may not even know exist. As it learns, an AI/ML solution can produce data rules, which become the basis for determining data quality.
What will the data scan deliver?
You should expect an inventory of your data assets and holdings with reports on data locations, quality, classifications and sensitivities. From these, you should be able to discuss how serious your data problems are, using the scan as the basis for your next steps. A determination of data quality upfront is an important time saver. It removes the need for lengthy discussions with your own personnel – your subject matter experts – on whether certain data values define quality. The solution should have already identified quality characteristics.
How long should a data scan take?
This pretty obvious question can have a wide range of answers, even depending on the size of the scan. Given comparable quality and size, the better solutions can take a few days to do the complete scan, compared to weeks for the others.
Will the solution continue to work for me?
Data privacy compliance is not a “one and done.” Data is constantly coming into your company. The solution should have the ability to remain in an ongoing role – a monitoring process for the inflow of PII going forward.
How can we help?
If you need someone to talk with about your CCPA preparedness, our experts are here for you. If we believe our solution will meet your needs, we can introduce our basic assessment offering – a “compliance health check.” We’ll do an inventory and assessment of the data you have in a way for you to understand your general risk and exposure.
We have the products and solutions to help your company work towards compliance with any data privacy laws. This includes Data Hawk – an accelerator and an absolute key technology for data privacy projects. Data Hawk is unique to the industry in its deep data scanning and data interrogation capabilities.