In our increasingly digital age, organizations collect, process, manage or broker a significant amount of personal data. Until recently, consumers have placed a certain amount of trust in those organizations to keep that data safe. However, a series of high-profile data breaches over the past several years (e.g., Facebook, Cambridge Analytica, Target, Equifax) has called into question whether that trust has been misplaced and whether regional or federal governments should impose more robust standards.
The European Union has already taken action with the General Data Protection Regulation (GDPR), which went into effect in May of this year. These rules affect any company that collects or processes the personal data of EU citizens. In the US, California more recently passed the California Consumer Privacy Act (CCPA), which will affect the majority of organizations that do business in the State of California. This includes investor-owned electric and water utilities.
Specifically, the CCPA applies to for-profit businesses that collect and control California residents’ personal information, do business in the state of California, and that satisfy one or more of the following thresholds:
Broadly, the CCPA provides for the following new rights for California residents:
Currently, the implementation deadline for the CCPA is January 1, 2020; however, the requirements of the law will likely evolve over the next year or so. Indeed, an amendment was already signed into law in September which (among other changes) delays the CA Attorney General’s ability to bring an enforcement action until July 1, 2020.
The broad rights outlined above are likely to remain intact, however, which makes adhering to the spirit of the regulation (rather than the letter) the most sensible approach. This means organizations must undertake an assessment to understand their privacy capability gaps and how ready they are to meet the new regulation.
We know from experience, having helped over 50 organizations come into compliance with GDPR, that organizations need to take a more proactive approach to managing personal data and implement the following capabilities to be prepared for CCPA.
With less than 15 months to address all of the implications of this new law, an initial capability assessment should be followed by a detailed gap analysis to identify specific areas that need to be addressed. A plan of action or roadmap can then be developed which will allow organizations to be clear about the specific steps that need to be taken when it comes to governance, processes, organizational structures, capabilities and technical requirements.
James Harvey is an analytics and digital expert at PA Consulting
A global movement towards increased data privacy is changing the way companies do business. Are you ready for the new era of data privacy?