If your company has customers in California, regardless of where the company is located, or does business in Europe, you have new privacy regulations to deal with. While California’s law doesn’t go into effect for another 16 months, and it is possible that the law will change before then, it is important to start getting ready now because complying with all of the requirements will take a significant effort. Businesses operating in Europe should already be compliant with GDPR.
Step 1 was to create a vendor data inventory (see article here).
Step 2 was to create a vendor cyber risk management program (see article here).
Now, here is step 3.
Step 3 – Map the flow of data between systems and between vendors.
Both CCPA and GDPR have requirements to delete data, stop processing data and provide a copy of the data that you have, in a machine-readable format if possible, if the user requests it.
You have to do this quickly and you have to track and document what you have done.
If you do not know what data you have, who you share it with and all of the places it may be stored, you are unlikely to be able to comply with these laws and you could wind up getting sued.
Storage locations could include, for example, web servers, internal servers, workstations and cloud service providers.
Building and maintaining a map will assist in designing the process of complying with those requests when we get to those steps.
If you need assistance with this, please contact us.