With the enforcement date for the California Consumer Privacy Act (CCPA) just a few months away, organizations are starting to feel the pressure. For startups and small- to medium-size businesses — who lack the robust budgets and extensive resources of their larger counterparts — the path to CCPA readiness can appear daunting.
In our recent webinar, we partnered with Royse Law to present “CCPA: How Startups and SMBs Can Prepare Without Panicking,” exploring strategies to help smaller companies prepare for California’s sweeping data privacy law. Let’s review common pitfalls that can hinder these organizations’ compliance efforts, as well as strategies for how small businesses can prepare for data privacy regulations.
Common pitfalls in data privacy preparation
Pitfall #1: “We’re too small to show up on regulators’ radar.”
Even though Facebook and Google tend to dominate headlines related to data privacy, all organizations that gather and process personal data of California residents must be prepared for CCPA. Keep in mind that the EU’s first major GDPR fine was levied against a small Portuguese hospital for failing to properly restrict access to patient data. Also remember that CCPA includes a private right of action for failure to prevent data breaches (which proposed amendments may expand to cover other violations), so customers and other data subjects will be watching just as closely as regulators.
Pitfall #2: “We don’t have the personnel or the budget to meet all the requirements by January 2020.”
One of the common myths about CCPA is that preparing for it requires a massive budget and a huge staff. Many startups and smaller companies actually have an advantage over large enterprises, in that small shops generally don’t have sprawling legacy systems to rein in before they can get a handle on their personal data practices. And while sophisticated software packages can save time and effort in identifying and classifying personal information (especially for large organizations with huge amounts of data), many SMBs can do the job just as effectively using simpler, more cost-effective tools. Finally, keep in mind that you don’t need to do everything at once. Address the areas of greatest risk first, then prioritize the rest and work your way down the list.
Pitfall #3: “The law is still changing, so there’s no point starting now.”
This pitfall is by no means limited to small companies, but we hear it so often from businesses of all sizes that it’s worth addressing. It’s true that CCPA has already been amended once, and additional amendments are working their way through the legislature. While the details of the law may be adjusted between now and January 2020, the rights it grants to residents of the state — and your obligations to honor those rights — are unlikely to change significantly. That means that whatever happens in the legislature, you will still need to get a handle on what personal data you have, how you acquire it, where it’s located, what you do with it, and where it goes, both within and outside of your organization. This effort takes time, so the sooner you get started, the better prepared your organization will be, especially since CCPA requires a 12-month look-back for data access requests.
Strategies for small businesses to prepare for data privacy regulations
For many small to medium-sized businesses and startups with limited resources, the “new normal” of data privacy leaves them feeling overwhelmed and unsure of where to start. Below are three key steps that can set SMBs on the road to CCPA readiness without breaking the bank.
1. Understand the law
Understanding CCPA — to whom it applies, whose data is protected, which data it covers, and what it requires — is a vital first step in your readiness plan. The law applies to any for-profit organization (regardless of where the company is based) that handles personal data of California residents and that meets at least one of three criteria (to view the criteria list, see our overview of CCPA). The law also encompasses a broad definition of personal data — much broader than the traditional understanding of “personally identifiable information” (PII) — and covers all California residents, not just customers or “users.”
Some businesses mistakenly assume that complying with GDPR automatically means they’re ready for CCPA. While GDPR readiness will give you a head start in preparing for the California law, there are key differences between the two regulations — for example, in restrictions on data sharing for commercial use — that need to be accommodated.
2. Understand your data lifecycle
Many companies focus on data privacy from the legal and security perspectives, which are definitely foundational, but they neglect to focus on the data itself. To address the legal and security aspects of CCPA compliance, you first need to understand your complete data lifecycle. Actions such as implementing reasonable security practices and updating privacy policies require an understanding of what personal data you have, where it’s located, who has access, how it’s processed, and where it goes (internally and externally).
Once you understand your data lifecycle, you’ll be able to identify the gaps that need to be filled to align your organization with CCPA requirements. (To learn more about the connection between legal and IT in preparing for data privacy regulations, read our whitepaper: “Data Management: The Missing Link in Preparing for Data Privacy Regulations”.)
3. Be vigilant
When your initial CCPA readiness plan is complete, it can be tempting to sit back and relax … but in many ways, the work has just begun. Your business is always evolving, as are technologies and even interpretations of the law, and your compliance status can change from one week to the next. In some cases, compliance can be undone by a single uninformed employee. That’s why it’s vital to monitor for triggers that can impact your compliance status and to ensure that you have operationalized your policies, so that they are being followed and employees receive continuous training.
Executive Team member Jill Reber is a nationally recognized expert on data privacy — particularly GDPR, CCPA, and other data protection laws — and has spoken on the topic at conferences sponsored by American Banker, International In-House Counsel Journal, and other national and international organizations.
Executive Team member Kevin Moos is recognized for his experience with knowledge management systems. He has lent his expertise to several prestigious industry panels on enterprise content management and other topics.