Possibility
Explore our work: what we do, how we do it, and the value we create for our clients.
Impact
Culture
Possibility
Explore our work: what we do, how we do it, and the value we create for our clients.
Global Shifts
Empowered consumers
Healthier humans
Future organisations
Business for better
Safer societies
Sustainable world
Industries
Consumer and manufacturing
Defence and security
Energy and utilities
Financial services
Government and public sector
Health
Life sciences
Transport
Services
Set growth strategy
Build brands, products, and services
Reimagine AI, digital, and data
Improve organisational performance
Deliver complex programmes
Empower your people
Impact
Culture
Insight

When it comes to CPRA, act now to win the race

By Richard Watson-Bruhn

Following approval on 3 November 2020, the California Privacy Rights Act (CPRA) will officially replace the current California Consumer Privacy Act (CCPA) on 1 January 2023. It brings California much closer to the European GDPR standards, introducing substantial new requirements for firms with operations or customers in The Golden State.

As with GDPR, it’ll be those who ready themselves earlier that’ll be best positioned to succeed and gain a competitive advantage. When GDPR was introduced in Europe, too many organisations left vital preparation too late, resulting in a mad and costly rush to become compliant, distracting from everyday operations – and leaving customers and suppliers questioning the competency of these organisations.

So, while the change seems a long way down the road, it’ll be those who set off early who’ll be able to integrate delivery into business as usual rather than costly project work. This will lower implementation costs and enable them to steal a march on the competition. And prompt fulfilment will better protect their consumer data, showcase compliance and offer an opportunity to add value by building customer trust.

Implementing a plan early

The next two years are crucial for leaders to prepare for CPRA. We’ve outlined three key attention areas to act as a framework for a smooth transition in January 2023.

1. Technical groundwork

Maximising BAU remediation is paramount. Start identifying any systems and third-parties which hold personal information, and consider if they have the capacity to action the new and modified personal rights set out by CPRA. By finding gaps now, you’re likely to avoid any surprises or delays down the line.

You should also look to begin assessing your organisation, plugging system and third-party gaps, and understanding what might be considered sale or sharing under the new CPRA rules.

Making technical changes to enforce a retention approach is something a lot of firms currently overlook. Going forward, consider how to build this in from the start so you are prepared for new CPRA requirements to inform consumers of the retention period for each category of their personal information, and ensure adherence to this. It’s the approach we took when a multinational pharmaceutical company sought our help to prepare for GDPR and implement a new data privacy framework.


2. Legal groundwork

As soon as possible, start working with your legal teams to update the language in your third-party contracts, so new contracts use the right language from the start and don’t need costly remediation closure to the effective date.

Notices will also need to be updated, to reflect new requirements, including retention periods, where sensitive personal information is collected and how it is being used, as well as covering new personal rights. However, as the update to notices will not be required until closer to the time, we recommend organisations start by consolidating to a central notice, enabling easier updating closer to the CPRA effective date.

3. Privacy team groundwork

Organisations processing personal information – presenting a significant risk to the privacy or security of an individual – will be required to conduct annual cybersecurity audits and regular risk assessments. We recommend running a cybersecurity maturity assessment early, using an appropriate framework such as NIST or ISO27001, to identify and prioritise the remediation of any gaps.

It’s also worthwhile risk-assessing some of your known high-risk processes, like those that handle SPI, for example, and ensure the appropriate privacy controls are in place. Look to establish and maintain an inventory of your processes that handle personal information, by making sure your business is ready to provide you with the relevant information required to do so.

Finally, engage with your leadership team and wider organisation about privacy in general, such as the impact on day to day obligations. Open a discussion and consider how workshops and training sessions could help embed the importance of the upcoming change attached to the CPRA. Privacy is a deeply relatable topic affecting every one of us, with better management being beneficial across the board.

It’s worth remembering too that CPRA, just like GDPR, isn’t a one-off exam, but will become an ongoing way of being. This is a chance to get ahead of the pack. Those who strike out early and steady will reap the rewards and avoid the frantic rush. And early investment will maximise BAU delivery, lowering your overall compliance cost while building continued trust with your customers.

About the authors

Richard Watson-Bruhn PA financial services expert
Connect

Explore more

Colleagues working in front of multiple screens
Insight

Data privacy in a quantum world

As quantum computers creep ever closer to widespread adoption, organisations must start planning for quantum-secure privacy now.
Colleagues working in front of multiple screens
Insight

Are you really ready for Security as a Service?

Insight

Intelligent, collaborative and effective: three ambitions for the UK’s defensive cyber operations

Insight

Building the UK as a digital pioneer

Contact the team

We look forward to hearing from you.
Get in touch

Get actionable insight straight to your inbox via our monthly newsletter.