CCPA is in full effect and - as of July 1, 2020 - is being fully enforced. The “wait and see” game is officially over and organizations must be fully compliant in order to avoid regulatory fines and negative publicity. There are many requirements set forth by the CCPA, and building a strong compliance plan can be daunting. Not only does the compliance plan need to be set up for future growth and changes, but it also needs the flexibility to produce on-demand, customized reports to provide to stakeholders.
TrustArc has helped organizations of all sizes and maturity with CCPA compliance from simple assessments to full automation. Investing time upfront to perform the proper analysis and planning is key to feeling confident that your CCPA compliance program will efficiently and effectively mitigate risk while meeting business objectives.
Join this webinar to see how TrustArc CCPA solutions help organizations of all sizes and maturity achieve and maintain compliance.
This webinar will review:
- Stages of CCPA program maturity
- TrustArc CCPA solutions for every stage of compliance
Thank you for joining the webinar “CCPA Compliance from Ground Zero: Start to Finish with TrustArc Solutions”
● We will be starting a couple minutes after the hour
● This webinar will be recorded and the recording and slides sent out later today
● Please use the GoToWebinar control panel on the right hand side to submit any questions for the speakers
Speakers
K Royal, FIP, CIPP/US / E, CIPM, CDPSE
Associate General Counsel - Privacy Intelligence
TrustArc
Beth Sipula, FIP, CIPM, CIPP/US
Director, Consulting
TrustArc
CCPA Overview
California Consumer Privacy Act
● Passed in June 2018 and revised later in September
○ then revised in October 2019
● Broadest privacy law in the U.S.
● Impacts any business with data on California consumers, households, or devices
● Regulations submitted to Office of Administrative Law
● Meanwhile, California Privacy Rights Act is on the November ballot
Top Provisions of the CCPA
● Expanded scope: people and data
● Transparency and notice
● Individual rights and “Do not sell my personal data”
● Private right of action
California Privacy Rights Act - CPRA
● Ballot initiative - https://www.caprivacy.org/
● Definitions
○ Consent, contractor, share, sensitive personal information, and business definition amended regarding applicability within those sharing branding
● Rights
○ Correction and limit use and disclosure of SPI
● Third parties / service providers
○ Notice at collection, contractual obligations, requires levels of protection, cooperation on consumer requests, flowdown provisions
● Security
○ Explicit provisions, “reasonable” and “appropriate to the nature” of PI, annual audit of cybersecurity with submission to the Consumer Privacy Protection Agency
Transparency - Overview
Notice and data processing activities - online and in person, internal and external
● A business that collects a consumer’s personal information shall,
○ at or before the point of collection,
○ inform consumers as to
■ the categories of personal information to be collected and
■ the purposes for which the categories of personal information shall be used.
● A business shall not collect additional categories of personal information or use personal information collected for additional purposes without providing the consumer with notice consistent with this section.
Additional Elements
● Be informed of rights
● Reasonably accessible
● Clear and conspicuous link (do not sell)
Transparency - Compliance
● Know Your Data: data inventory and practices
● Know the requirements, follow the requirements, update and review
● Internal and external notice
● Develop Process: identify elements (online and offline), provide notice, quality checks, update as needed, review regularly
● Accessibility reference: https://www.w3.org/WAI/standards-guidelines/wcag/
Individual Rights - Overview
● Right to Know / Request Access
● Right to Delete
● Right to Opt Out
● Right to Non-discrimination
Plus, portability (easily accessible format) and notice.
CPRA adds right to correction.
Individual Rights - Compliance
● Know Your Data: data inventory
● Develop Process: Intake, Internal Routing, Response (substance and form)
Third Party Management - Overview
Service Provider definition
○ processes information on behalf of a business
○ to which the business discloses a consumer’s PI
○ for a business purpose
○ pursuant to a written contract
○ provided that the contract prohibits:
■ retaining, using, or disclosing the PI for any purpose, including commercial purposes, other than for the specific purpose of performing the services specified in the contract for the business
Third party definition – anyone who is NOT
○ Under contract with restrictions on
■ Selling the PI
■ retaining, using, or disclosing the PI for any purpose, including commercial purposes, other than for the specific purpose of performing the services specified in the contract for the business
■ Retaining, using, or disclosing the information outside of the direct business relationship between the person and the business
○ Includes a certification of understanding the restrictions and will comply
Third Party Management - Compliance
● Identify: Identify the third parties that interact with personal information at some point along the information lifecycle
● Assess: Assess risks associated with the third party, classify based on risk, identify mitigations in place
● Address: Address actions needed by priority, assign responsibility, mitigate
Risk Management - Compliance
TrustArc Data Privacy Management Platform: Deep Intelligence + Complete Automation
Platform Capabilities (diagram)
● Privacy Outcomes: Regulatory Insights and Monitoring, Privacy Program Insights, Risk Management, Benchmarks and Planning, Consent Management, Privacy Rights Management, Breach Response, Audit and Assurance, Compliance Monitoring, Awareness, Task Management and Action Plans, Reporting
● Data Capture: Applications, External APIs
● Knowledge Base and Intelligence Engines: Data Inventory Hub, My Company Info, Tracker Scans, Intelligence System (IoP), Libraries, TrustArc Privacy and Data Governance Accountability Framework, Law and Regulatory Standards Repository
Privacy Management Journey
(Maturity diagram: stages progress along the “Usage & Expertise” and “Increase Efficiency & Effectiveness” axes.)
Ad Hoc - Spreadsheets and Decentralized
• Decentralized
• Informal, inconsistent procedures and processes
• Reactive
• Leadership awareness limited
Repeatable - Document Sharing
• Some policies centrally managed in silos
• Some procedures and processes
• Leadership awareness but resources are limited
Defined - Semi-Automated
• Functional team identified
• Procedures and processes implemented
• Business communicates processes internally
Managed - Predict and Prioritize
• Privacy roles and team built
• Management reviews formalized (int/ext)
• Cross-functional process and automation in place
• Real-time monitoring in place
Optimized - Continuous Improvement
• Leadership engaged on privacy team outcomes
• Continuous monitoring & risk assessments
• Risk-aware enterprise and embedded controls
• Remedial actions taken to ensure compliance
Based on AICPA/CICA Privacy Maturity Model
Poll Question
Where are you in your CCPA privacy management journey?
● Ad Hoc
● Repeatable
● Defined
● Managed
● Optimized
Privacy Management Journey
Stages: Ad Hoc (Spreadsheets and Decentralized), Repeatable (Document Sharing), Defined (Semi-Automated), Managed (Predict and Prioritize), Optimized (Continuous Improvement)
Scenarios shown: Individual Rights Request, Vendor Termination, Client Request, Potential Incident
Privacy Management Journey: Ad Hoc
Ad Hoc - Spreadsheets and Decentralized*
• Decentralized
• Informal, inconsistent procedures and processes
• Reactive
• Leadership awareness limited
*Based on AICPA/CICA Privacy Maturity Model
Main Goal: Knowledge: Understand the internal and external environment and what data, jurisdictions, standards/rules, business activities apply and how. Begin to educate leaders and prioritize efforts.
Focus Area: Vendors, current practices, data, leader knowledge, priorities.
TrustArc: Document third parties and systems, conduct third party and company risk assessments, determine which requirements apply, assess preparedness, create policy and standard library, prioritize and track remediation activities.
Privacy Management Journey: Repeatable
Repeatable - Document Sharing*
• Some policies centrally managed in silos
• Some procedures and processes
• Leadership awareness but resources are limited
*Based on AICPA/CICA Privacy Maturity Model
Main Goal: Build Components: Identify functions critical in a privacy program, begin to address gaps, enhance knowledge across select functions within organization.
Focus Area: Organizational data and internal policies, individual rights, consent and transparency, transborder data flow.
TrustArc: Data Inventory and DPIA assistance, outsourced Privacy Office, Enterprise Certification, APEC Privacy Recognition for Processors.
Privacy Management Journey: Defined
Defined - Semi-Automated*
• Functional team identified
• Procedures and processes implemented
• Business communicates processes internally
*Based on AICPA/CICA Privacy Maturity Model
Main Goal: Operational Efficiency: Continue to address compliance issues and formalize the privacy program; identify opportunities to increase efficiency and scalability through automation. Establish a privacy culture and communicate externally.
Focus Area: Continue to close high priority gaps: DPIAs/PIAs, individual rights, transparency, third party management, incident response and breach, transborder data flow issues.
TrustArc: Document business processes, conduct DPIAs/PIAs, review third parties, review risks and track activities, manage individual rights.
Privacy Management Journey: Managed
Managed - Predict and Prioritize*
• Privacy roles and team built
• Management reviews formalized (int/ext)
• Cross-functional process and automation in place
• Real-time monitoring in place
*Based on AICPA/CICA Privacy Maturity Model
Main Goal: Consistency and wisdom. Run an effective and efficient privacy program; implement internal and external management/operational reviews.
Focus Area: Consistently manage processes to review and refresh program data; gather and make decisions based on program data.
TrustArc: Run automated assessments and refresh activities on a regular basis, review program metrics/report/adjust privacy program plan; establish oversight, monitoring, and executive/board reporting supported by technology.
Privacy Profile
● Demonstrate privacy compliance and accountability to customers, partners, and the public through participation in a TRUSTe Assurance Program
● Determine which Assurance Programs will mitigate your international data transfer risks
● Prepare to demonstrate compliance and accountability with Your Policy and Standards Library and Operational Templates
● Monitor and audit privacy compliance and accountability with Attestor
Privacy Management Journey: Optimized
Optimized - Continuous Improvement*
• Leadership engaged on privacy team outcomes
• Continuous monitoring & risk assessments
• Risk-aware enterprise and embedded controls
• Remedial actions taken to ensure compliance
*Based on AICPA/CICA Privacy Maturity Model
Main Goal: Continuous Improvement: Review progress internally and compare with peers.
Focus Area: Regularly review and refine all privacy program component risks, goals, and activities. Compare results with other organizations, new expectations in the law or marketplace. Report and adjust.
TrustArc: Leverage results of technology-supported monitoring, benchmark against others, and make adjustments.