Learn the practicalities of personal information collection and in what form(s) it should be inventoried and/or mapped.
The countdown continues. When the California Consumer Privacy Act (CCPA) goes into effect on January 1, 2020, companies will need to produce personal information records when requested and, if permissible, delete the information from their system and instruct third parties to delete it as well. With a 12-month “look back” requirement, CCPA also demands companies locate and track personal information starting from January 1, 2019.
In the second of this three-part blog series on CCPA, we discuss how organizations that have implemented privacy safeguards in response to the General Data Protection Regulation (GDPR) can leverage some of that work to get a head start on data inventory. Even though the CCPA does not explicitly require it, a data inventory is a practical necessity to enable covered businesses to meet their consumer rights and data sharing requirements.
The benefits of GDPR’s Article 30
Article 30 of GDPR requires organizations to build and maintain a record of all business activities that collect, use, store, and otherwise “process” personal data.[1] Most organizations use a Record of Processing Activities (RPA) of EU individuals, more commonly referred to as a personal data inventory or data flow.[2] The RPA includes details such as categories of personal data, data subjects, purpose of processing, data retention periods, technical/organizational controls and often other data points, like supporting information technology (IT) systems and applications.[3] Organizations that prepared for the GDPR by completing RPAs across all jurisdictions, including the U.S. and California, are at an advantage in preparing for CCPA.
Although CCPA does not explicitly mandate the creation and maintenance of an RPA equivalent, the process can be leveraged to track the footprint of a California consumer’s personal information. It also can help an organization start identifying the third parties that hold personal information and act as service providers, if it did not do so during its GDPR compliance efforts. These actions are key to preparing for CCPA’s transparency requirement and administering consumer rights requests. They can also help the organization start to reassess its relationships with third parties and the associated risks.
Last, while not all information attributes, e.g., purposes of processing, will need to be captured for CCPA, most will. Many automated RPA tools built for GDPR are already being refined for CCPA purposes. KPMG’s experience with these tools can assist companies in operationalizing their efforts and planning for the future.
Where personal information lives
The California Attorney General delayed enforcement actions for six months, to July 2020; however, companies will need to begin fulfilling requests starting January 1, 2020. IT and business departments must work hand-in-hand not just to locate and manage personal information but also to establish why the business collects and retains this information.
CCPA compliance requires companies to process right-to-deletion requests, but before they can either approve or deny a request, organizations must understand the data dependencies between systems and business processes as well as the other legal and business requirements attached to the personal information inventory. While IT may know the types of personal information the business collects, where it sits, and where else in the environment it may reside, the business knows why it is collected, what the organization does with it, and why the business shares it with third parties. Understanding the information flow will help businesses process consumer rights requests and deny certain deletion requests, based upon fraud protection and detection purposes, legal and tax purposes, or other reasons, such as scientific research.[4]
However, a practice known as “Shadow IT” challenges CCPA compliance. Many businesses keep informal records of personal information in spreadsheets, files, and SharePoint rather than in business-approved structured databases, e.g., client-relationship management systems. Before the company can honor customer rights requests and deletions, it must first address the Shadow IT by locating these sources and consolidating them. Very often, companies will need to capture both perspectives, the business’s and IT’s motivations and purpose for housing personal information, and build or amend their inventory to address compliance, customer, and business requirements.
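To make the inventory concrete, here is an added example (not code from the original post or from KPMG) that models RPA rows with the Article 30 fields listed above and evaluates a deletion request the way the previous two paragraphs describe: it separates systems that must delete from systems that may retain under a §1798.105(d) purpose, collects the service providers to instruct, and flags Shadow IT copies that must be consolidated first. The systems, vendors, purpose labels and the 12-month look-back calculation are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Purposes that CCPA s.1798.105(d) lets a business cite to deny deletion; the labels
# are assumed names for the examples the post gives (fraud, legal/tax, research).
DELETION_EXEMPT_PURPOSES = frozenset({"fraud_detection", "legal_obligation", "tax", "scientific_research"})
CCPA_LOOKBACK_FLOOR = date(2019, 1, 1)  # personal information must be tracked from this date

@dataclass(frozen=True)
class ProcessingActivity:
    """One RPA row: the Article 30 fields the post lists, plus a Shadow IT flag."""
    system: str
    categories: frozenset
    purposes: frozenset
    retention_days: int
    third_parties: frozenset = frozenset()
    approved_system: bool = True  # False = spreadsheet/SharePoint copy (Shadow IT)

# Constructed sample inventory (hypothetical systems and vendors).
INVENTORY = (
    ProcessingActivity("crm", frozenset({"name", "email"}), frozenset({"marketing"}), 730,
                       frozenset({"email-vendor"})),
    ProcessingActivity("billing", frozenset({"name", "card_last4"}), frozenset({"tax"}), 2555),
    ProcessingActivity("fraud-engine", frozenset({"email", "device_id"}),
                       frozenset({"fraud_detection"}), 365),
    ProcessingActivity("sales-tracker.xlsx", frozenset({"name", "email"}), frozenset({"marketing"}), 0,
                       approved_system=False),
)

def lookback_start(request_date: date) -> date:
    """Start of the 12-month look-back window (assumed as 365 days before the request),
    never earlier than 1 January 2019."""
    return max(request_date - timedelta(days=365), CCPA_LOOKBACK_FLOOR)

def evaluate_deletion_request(inventory) -> dict:
    """Split the inventory into systems to delete from, systems that retain (keyed by the
    exempt purpose), service providers to instruct, and Shadow IT copies to consolidate."""
    result = {"delete": [], "retain": {}, "notify_third_parties": set(), "shadow_it": []}
    for activity in inventory:
        if not activity.approved_system:
            result["shadow_it"].append(activity.system)  # must be found and consolidated first
        exempt = activity.purposes & DELETION_EXEMPT_PURPOSES
        if exempt:
            result["retain"][activity.system] = sorted(exempt)
        else:
            result["delete"].append(activity.system)
            # CCPA also requires instructing service providers holding the data to delete it
            result["notify_third_parties"] |= activity.third_parties
    return result
```

A Shadow IT row lands in both the delete list and the shadow_it list, since it still holds the consumer's data but is not a system the formal deletion workflow reaches.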
Starting a data inventory and data map, along with a strategic and risk-based plan, can help businesses proactively manage and protect personal data the way consumers expect and be a differentiator in the market as similar laws are passed in the U.S.
Explore the fundamental synergies and critical variances of GDPR and CCPA in the first blog in our series on CCPA, “Accelerate CCPA readiness through GDPR capabilities.”
Our third and final blog, “Managing consumer rights,” will delve further into the different types of individual rights and the four stages of Consumer Rights Management. For more information about our Privacy services, click here.
[1] Regulation (EU) 2016/679 of the European Parliament, April 2016, O.J. L 119.
[2] O.J. L 119, p. 50.
[3] O.J. L 119, p. 51.
[4] California Consumer Privacy Act of 2018 (CCPA), Cal. Civ. Code § 1798.105(d), 2018.