In June 2018, the California legislature passed the California Consumer Privacy Act (CCPA), the second major data privacy law to emerge within a two-year period. As businesses prepare to comply with the California law, the experience of many companies in preparing for GDPR — and mistakes they made along the way — can offer some valuable insights.
Lesson 1: Start early
When GDPR was first announced in 2016, many companies ignored it until a few weeks before the enforcement date of May 25, 2018. Once those businesses did give the law some attention, they realized that compliance isn’t simply a matter of implementing quick, surface-level changes such as adjusting privacy policies — it requires them to rethink the way they handle personal data. As a result, they found themselves playing catch-up; many missed the deadline and are still working on implementing their compliance plans.
With a projected enforcement date of January 1, 2020, CCPA gives businesses a generous amount of time to comply … but given the extent of actions required, making an early start is always advisable. It’s also important to understand CCPA’s “lookback” clause, which requires you to disclose personal data collected, sold, or disclosed over the previous 12 months. So if a customer requests a disclosure when the law goes into effect in January 2020, you will have to provide data going back to January 2019. If your organization does not currently have the capacity to respond to such a request, the time to address it is now.
Lesson 2: A segmented approach Is not a long-term strategy
In their efforts to comply with GDPR, some organizations segmented out their data subjects who are EU residents and implemented policies and processes for those individuals’ data. Then along came CCPA, and now they have to go through a similar process for their California data subjects.
It’s important to note that CCPA will probably not be the last data privacy regulation your organization will have to address. New laws are springing up in numerous U.S. states and in countries around the world, and it’s just a matter of time before another set of requirements lands on your organization. You could address each one individually by segmenting data subjects … or you can build solutions that apply to all of your customers and employees and make adjustments for new laws as necessary.
Lesson 3: Changes will come, but the basics will stay the same
Some companies took a “wait and see” approach to GDPR, anticipating significant changes that would require them to start over with their compliance plans. The EU Article 29 Working Party did issue some clarifications and minor edits, but these did not significantly affect a company’s basic need to understand its personal data and align its data practices according to GDPR requirements. Some procrastinators learned this too late to meet the deadline.
California has already released some minor amendments to CCPA, and more changes are likely to follow when the legislature reconvenes in January. However, the chances of broad-based changes that will significantly affect your compliance strategy are slim. You will still need to know where all of your customer and employee data is and what you are doing with it.
Like what you see?
Executive Team member Kevin Moos is recognized for his experience with knowledge management systems. He has lent his expertise to several prestigious industry panels on enterprise content management and other topics.