Tag Archives: CCPA

Complying with GDPR and California’s CCPA – Step 3

If your company has customers in California – regardless of where the company is located – or does business in Europe, you have new privacy regulations to deal with.  While California’s law doesn’t go into effect for another 16 months and it is possible that the law will change before then, it is important to start getting ready now, because complying with all of its requirements will take a significant effort.  Businesses operating in Europe should already be compliant with GDPR.

Step 1 was to create a vendor data inventory (see article here).

Step 2 was to create a vendor cyber risk management program (see article here).

Now, here is step 3.

Step 3 – Map the flow of data between systems and between vendors.

Both CCPA and GDPR have requirements to delete data, to stop processing data and to provide a copy of the data that you hold, in a machine readable format if possible, when the user requests it.

You have to do this quickly and you have to track and document what you have done.

If you do not know what data you have, who you share it with and all of the places it may be stored, you are unlikely to be able to comply with these laws and you could wind up getting sued.

Where it is stored could include, for example, web servers, internal servers, workstations and cloud service providers.

Building and maintaining such a map will make it much easier to design the process for complying with those requests when we get to those steps.

If you need assistance with this, please contact us.


Complying with GDPR and California’s CCPA – Step 2

Last week I started a series on steps to comply with both the E.U.’s General Data Protection Regulation or GDPR and California’s new privacy law, the California Consumer Protection Act or CCPA.  To find Step 1, go to this post: https://mtanenbaum.us/complying-with-gdpr-and-californias-new-privacy-law-ccpa-step-1/

This week, on to Step 2 – CREATE A VENDOR CYBER RISK MANAGEMENT PROGRAM.

Some companies have a vendor risk management program.  For the most part, these programs focus on compliance – is the vendor appropriately licensed?  Do they have liability insurance?  Possibly, depending on your industry, are they on any of the Treasury Department’s terrorist watch lists?

None of this deals with cyber risk.  That requires a completely different set of questions and a completely new process.

The process starts with the VDI list created in step 1.

Using that list, you can rank each vendor by the cyber risk it represents to the company.  The ranking can be simple – red, yellow, green or high, medium and low.

Now that the vendors are sorted, review them based on that risk ranking, starting with the high risk vendors.  For most companies, that alone will be a significant task.  Create questionnaires, send them out and review the results.  Some vendors will have certifications, such as our Business Cybersecurity Certification or the SSAE 18, and those need to be reviewed.  For SSAE 16 and 18 certifications, look at which areas of the business were excluded – although it may be a shorter list to check which areas were included.  You will likely need to follow up with vendors to get your answers back.

For some high risk vendors you may want to conduct a site visit, especially if they are critical to your business.

Once you have done that, you need to work with the vendors to remediate any deficiencies.  You need to set up a system to track each vendor’s progress or, possibly, lack of progress.

Once that is done with the high risk vendors, you can move on to other vendors, but plan on this first step taking a while.  Probably a long while.


Complying with GDPR and California’s New Privacy Law (CCPA) – Step 1

This is step one of a multi-part series on complying with the new privacy rules, both in Europe and, just recently, in California.  Watch for further steps over the next several weeks.

While companies are supposed to be compliant with GDPR already, many are not, and the California law’s effective date is still almost 18 months away.  In either case, these tips should be useful.  With regard to California’s law, the steps needed are complex and far reaching, so getting started now is a good idea, even if the law changes a little bit before it goes into effect.

While there are many differences between the two laws, there are many similarities as well.  These similarities allow us to cover major aspects of both laws together.

The core component of both laws is to give consumers more control – a lot more control – over what companies do with the data that is collected about them and, in many cases, sold.  For both laws, while there are aspects of the law that only apply if your data is sold (with the term “sold” having an extremely broad definition), there are many aspects that apply even if the data is never, ever sold.

One of the requirements of the law is to give consumers the right to ask a company what data the company has collected about them, where the data is stored and with whom it was shared, and to obtain a copy of it.

Another right, in at least some cases, is to request that the company delete the data – again, no matter where it lives.

These rights make it critical that a company understands what data it has, where it lives and what the data “flows” are.

For both laws, it does not matter where the company is located, but rather where their customers are located.  For GDPR, those customers who live inside the European Union are covered.  For CCPA, those customers who live in California are covered.  For CCPA alone, there are probably over a half million businesses that are impacted.

With all that background, here is our recommendation for step 1.

STEP 1 – CREATE A VENDOR DATA INVENTORY.

Our vendor data inventory or VDI process identifies all vendors that a company does business with – from the Post Office to some niche cloud-based software service.

For each vendor, we collect information such as what type of data is collected, how it is shared, where it is stored, what the risk level of the exposure is, whether there is a contract with the vendor, who in the company is ACCOUNTABLE for that vendor relationship and many other fields.

Even for a small company, we have found that there are often 100-200 vendors in this list.

For larger companies, it could be up to a thousand.

The company identifies a point person to work with us and the process begins.

In many cases, we discover that NO ONE is accountable for a particular vendor relationship.  In some cases, very few people are even aware that it exists.

Often accounting is a good place to start, because usually – but certainly not always (Gmail, for example, is free) – vendors get paid.

Of course, even the free vendors have to be accounted for.  Vendors that someone in a branch office pays for on a personal credit card and later expenses also have to be captured.

One way to catch the personal credit card payment is for accounting to refuse to reimburse employees for these charges.  Once the particular account is turned over by the employee to IT or vendor management and the company has control of the account and the data, then accounting will be authorized to reimburse the employee.

Remember, whether the account is free, employee paid for or company paid, the company still owns the liability in the case of both laws.
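A small model of the VDI described in this step and of the data-flow map that step 3 builds on, as an added illustration (this is not the firm’s process or any client’s inventory); the vendor names, data categories, storage locations and owners are constructed, and the two gap checks (vendors nobody is accountable for, and onward recipients missing from the inventory) are the ones the posts say trip companies up:

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Vendor:
    name: str
    data_types: frozenset   # categories of personal data this vendor receives
    storage: str            # where that copy lives (cloud region, on-prem, ...)
    risk: str               # "high" / "medium" / "low" (the step 2 ranking)
    has_contract: bool
    accountable_owner: str  # "" when nobody in the company owns the relationship
    shares_with: tuple = () # onward recipients: the edges of the data-flow map

# Constructed sample inventory, not any real client's data.
VDI = {v.name: v for v in (
    Vendor("CRM-SaaS", frozenset({"email", "purchase_history"}), "cloud/us-west",
           "high", True, "Sales Ops", ("Email-Marketing", "Analytics", "Ad-Network")),
    Vendor("Email-Marketing", frozenset({"email"}), "cloud/eu-west", "medium", True, "Marketing"),
    Vendor("Analytics", frozenset({"purchase_history"}), "cloud/us-east", "medium", False, ""),
    Vendor("Payroll", frozenset({"ssn", "bank_account"}), "on-prem/hq", "high", True, "Finance"),
    Vendor("Team-Wiki", frozenset({"email"}), "cloud/unknown", "low", False, ""),  # card-paid
)}

def unaccounted_vendors(vdi):
    """Step 1 gap check: vendors with no accountable owner or no contract on file."""
    return sorted(n for n, v in vdi.items() if not v.accountable_owner or not v.has_contract)

def unmapped_recipients(vdi):
    """Step 3 gap check: onward recipients that are not themselves in the inventory."""
    return sorted((n, r) for n, v in vdi.items() for r in v.shares_with if r not in vdi)

def downstream(vdi, origin):
    """Every inventoried vendor reachable from origin along sharing edges, origin included."""
    seen, stack = set(), [origin]
    while stack:
        n = stack.pop()
        if n in seen or n not in vdi:   # unknown recipients are reported by unmapped_recipients
            continue
        seen.add(n)
        stack.extend(vdi[n].shares_with)
    return seen

def request_plan(vdi, entry_vendors, data_types):
    """Who to contact for an access/deletion request: follow the flow from the vendors the
    subject's data entered through and keep those holding any of the requested categories."""
    reached = set().union(*(downstream(vdi, e) for e in entry_vendors))
    return sorted((n, vdi[n].storage, vdi[n].accountable_owner)
                  for n in reached if vdi[n].data_types & set(data_types))
```

Running `request_plan(VDI, ["CRM-SaaS"], {"email"})` lists the CRM and the e-mail marketing vendor with their storage locations and owners, while `unmapped_recipients(VDI)` flags that "Ad-Network" receives data but has never been inventoried.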

If this seems daunting, it can be, but we can make the process less painful.

Watch for the next step – create data flow maps.
