We will look kindly on those that … demonstrate an effort to comply. If they are not (operating properly) … I will descend on them and make an example of them, to show that if you don’t do it the right way, this is what is going to happen to you.

California Attorney General Xavier Becerra

California’s Attorney General (AG) means business when it comes to enforcing the California Consumer Privacy Act (CCPA). The AG will not pursue enforcement actions until July 1, 2020, which gives organizations extra time to prepare, but if you are required to comply, you must demonstrate an effort to comply before July. Data mapping is the best place to start scaling the regulatory barricades.

Let’s acknowledge the bitter truth up front: complying with information security and data privacy regulations is a major headache. It will take more time and money than you want to spend, so it’s tempting to do the minimum necessary and hope for the best. The problem is that complying with the administrative requirements of the regulations does not necessarily reduce the risk of a data breach; you may also need to examine your security controls.

Data Mapping for Compliance and Security

Data mapping will help with both compliance and security. For compliance purposes, data mapping is the process of discovering and classifying the data you collect, store, process or share so that it can be managed securely. With that information, you can perform a comprehensive risk assessment to identify vulnerabilities, and then develop appropriate security controls to reduce the risk of a data breach.

If your organization is unlucky enough to suffer a data breach, the information gained from data mapping will improve the efficiency of your incident response, allowing you to report breaches quickly and focus your efforts on remediating any damage done by the breach. Additionally, fines are likely to be lower for organizations that demonstrate good faith efforts to prevent breaches. Data mapping, risk assessment and remediation, and incident response plans are key practices for securing your data and demonstrating efforts to comply with privacy regulations.

Data mapping is also the first step toward complying with the rights of individuals guaranteed in regulations like GDPR and CCPA. These rights, often referred to as “data subject access rights” or DSARs, typically include an individual’s right to know what information an organization collects or processes about them, to request a copy of the data, to request that the data be corrected or amended, and to request that the data be deleted. In order to comply with those requests, an organization must know what data it has, where it is stored, and who it is shared with. Data mapping customized for compliance allows organizations to respond to DSARs quickly and efficiently.

Customized Compliance

Recent privacy regulations seem similar, but there are many differences in their specific requirements. This makes it difficult for organizations to match their data mapping to the requirements of all the regulations that apply to them. The GDPR and CCPA are a good illustration of the sort of different requirements an organization might face. Here are some of the requirements relevant to data mapping and risk assessments:

GDPR

DSARs, described in Articles 13-22, include individuals’ rights to access, correct, delete, or get a copy of their data and to object to certain types of data processing. Article 30 requires organizations to describe the categories of data subjects the data is collected from and the categories of data collected. They must also describe their data retention schedules, the purposes for which specific data is collected or processed, and the technical and organizational security controls protecting the data.

Article 35 requires organizations to perform a data protection impact assessment (DPIA) for any processing “likely to result in a high risk to the rights” of individuals. The DPIA must include a description of the processing operations, the purposes of the processing, an assessment of the risks, and the measures to address those risks.

Articles 44-50 describe requirements that must be met in order to transfer data outside the European Union without undermining the protection guaranteed by the GDPR. If your organization is transferring personal information of EU residents outside the EU, you may need to meet EU-US Privacy Shield requirements or establish Binding Corporate Rules (BCRs) to comply with GDPR.

CCPA

Sections 1798.105 – 1798.120 describe DSARs for California consumers. They have the right to know what categories of personal information a business has collected about them, the sources of that information, the purpose for collecting or selling personal information, the categories of third parties with whom the information is shared, and the specific pieces of information collected about that individual. They also have the right to request information be deleted and the right to prohibit the sale of their information.

Personal information is defined in Section 1798.140, and it explicitly does not include publicly available information, which is defined as “information lawfully made available from federal, state, or local government records.”

The CCPA does not explicitly require data mapping, but responding to DSARs will require some mapping to identify sources and categories of information and to ensure compliance with “do not sell” requests.

Those are just a few ways that two privacy regulations differ. As more governments adopt new regulations or modify existing ones, compliance details become increasingly complicated. Fortunately, there are enough similarities that if you are already compliant with GDPR, you do not have to start from ground zero to comply with CCPA, Brazil’s General Data Protection Law (LGPD), India’s proposed Personal Data Protection (PDP) bill or other similar regulations. Modifying your existing data mapping and other compliance measures should be easier than it was to implement them in the first place.

Best Practices

Ultimately, the fundamentals stay the same. If you are working toward regulatory compliance and/or better information security to decrease risk, you should concentrate on these five fundamental best practices:

  1. Data: Identify all the personal information you collect and process, and collect any information, such as information sources or purposes of collection and processing, required by any regulations governing your organization.
  2. Transfers: Identify any transfers of personal information to other countries or jurisdictions, and to any third parties. Make sure you know what regulations apply to any transfers and take steps to meet those requirements.
  3. Storage: Assess the locations in which your data is stored and ensure that it is stored in compliance with any applicable regulations.
  4. Access: Provide easy access to the information your legal or privacy compliance teams need to comply with DSAR requests.
  5. Change Management: Plan to re-evaluate compliance whenever there is a significant change to the regulations that govern you or a significant change to the way you collect, process or transfer personal information. Your business managers, legal team, and privacy experts need to work together to ensure that you maintain compliance.

Infocomply can help you with both privacy and security compliance, using data mapping to identify the information you control in order to support GDPR required record keeping, respond to DSARs, and identify and remediate risks. Infocomply provides:

  • Data Lifecycle Visualization: a searchable, sortable tabular data inventory developed to meet GDPR’s Article 30 Records of Processing Activities requirement. It is also ideally suited to tracking the footprints of a California consumer’s personal information in order to comply with CCPA data access rights.
  • Gap Identification and Risk Remediation: a comprehensive gap analysis report, flagging risks according to their severity and likelihood, and recommendations for appropriate technical and operational measures to mitigate risk and maintain compliance. We also provide the tools you need to track and approve remediation activities and record evidence of compliance.
  • Compliance Change Management: we update our platform in response to any new regulations or changes to existing regulations to make sure your data map includes every element you need to maintain compliance.

If you are required to comply with data privacy regulations, keep the ultimate goal in mind. Compliance is a costly headache, but the process can give you the information you need to better protect the privacy of your customers and employees and the security of your valuable data.