
By Sarah Lynn

This article originally appeared February 10, 2020 in the Orange County Business Journal.

January 1 signaled the beginning of a new data privacy age in the Golden State, as the California Consumer Privacy Act (CCPA) created tailored regulations for residents and organizations doing business in California or with those located in the state.

These new regulations may be confusing to organizations of any size, but to small businesses especially. Most small business owners haven’t thought about their level of insurance coverage or the ramifications of a data breach, yet 75% of data breaches come from small businesses.

While the law went into effect in January, the California Attorney General will likely delay enforcement until July, so there is still time to gain a better understanding of the new data privacy laws, assess current security measures and implement new policies to ensure future compliance.

Know Your Customers’ Data Rights

The CCPA has a long list of items it defines as Personally Identifiable Information (PII) – which includes everything from name and household information to biometric data and internet activity – and it gives consumers greater control over the collection and use of PII. It’s your organization’s responsibility to have prominent, publicly-posted contact information with a path to a Data Privacy Officer who can assist individuals in accessing, updating or removing their personal information, and with opting out of marketing materials and the sale of their data.

You Must Also Hold Your Vendors Accountable

The requirements for data privacy security extend beyond your organization to all the third-party vendors you use in your day-to-day operations. If your customer or employee data is shared with a third party, it’s your responsibility to ensure that the third party complies with all applicable data privacy regulations. To protect your organization, all Service Level Agreements (SLAs) should be updated to reflect your specific data privacy requirements and how your organization expects your customers’ data to be handled.

Creating a Data Privacy Policy and Maintaining Compliance

Liability insurance may not be enough to cover your company in the event of a data breach or lawsuit. That’s why it’s important for your organization to take every measure possible to protect the business and comply with data privacy regulations. Start by creating a Data Privacy Policy that classifies PII, defines the necessary uses of PII and describes the data flow process (collection, usage, retention and destruction). In addition, create a Security Awareness Training that addresses data privacy and give it to employees upon hire and annually thereafter. These tasks are critical for California companies going forward. For help protecting your company and customers, reach out to BPM’s IT Security Advisory group for data privacy compliance information today.

Sarah Lynn is a Partner in BPM’s IT Security Advisory practice, which helps businesses around the country identify cybersecurity threats, minimize liabilities, prepare for audits and more. She has nearly two decades of advisory experience and has extensive experience assisting clients with data privacy compliance. To learn more, contact Sarah Lynn at [email protected].