CIOs: Are you Ready for the California Consumer Privacy Act?

Take these three steps to start building a privacy program that will help you satisfy the privacy regulators and your customers. 2020 is just around the corner.

Guest Commentary

June 3, 2019

Today, consumers are increasingly conscious of how companies use their data. They may even choose whether to use a company’s product or services based on that company’s privacy notice.

In a recent consumer sentiment survey on technology and data privacy conducted by Propeller Insights on behalf of Snowflake, 96% of respondents said a company’s data protection policy is extremely important to consider before engaging with that business. Nearly three quarters (72%) said they would not choose a company that doesn’t meet data policy regulations, and only 4.5% said they do not consider data policy when choosing a company.

The General Data Protection Regulation (GDPR) in Europe has already altered how companies collect, track, use, and store personal data. Now, the US is getting ready for the California Consumer Privacy Act (CCPA), which comes into effect on January 1, 2020. The CCPA will give Californians the right to request that companies delete their personal data, know whether it is being shared and the categories of companies it is shared with, and “opt-out” of having their data sold to third parties.

Amid growing privacy concerns and tighter regulations, it’s becoming clear that chief information officers and their IT teams must put privacy programs in place and develop transparent policies around how they manage personal data. Given the ever-increasing volume and complexity of data that companies work with these days, that can be an onerous undertaking. Get started with the three-step process outlined here:

1. Take inventory of your data

It's critical for businesses to know where all their data is stored and how to access it. Even companies that have conducted data inventories for GDPR compliance may find out that their data inventories and mapping have quickly become outdated.

For example, many organizations store data in multiple locations: on-premises or cloud-based data warehouses, data marts, or servers. With different teams and departments copying and sharing that data, often simultaneously, and both internally and with external partners, it becomes an extraordinary challenge to respond to individuals’ requests to find and delete their personal data.

To address this so-called “hidden copies” challenge, organizations must conduct a comprehensive data inventory. This process starts with creating a list of every type of data the organization owns, licenses, uses, or touches in any way. That includes customer data and, for software as a service (SaaS) organizations, service data (also called usage data or metadata: essentially, metrics on how customers use the company’s product or service). The goal is to foster responsible and transparent data stewardship: to understand and catalog all the personal data your organization collects, uses, and stores.

One of the best ways to do this is to implement an enterprise metadata repository that tracks not only the data inventory but the lineage, or flow, of the data. Only then can you determine with any certainty where an individual’s data is stored. To keep this information current, the organization then needs an active metadata management program, with the requisite staffing.
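To make the lineage point concrete, here is an added example (not code from the article, and not a Snowflake product feature) of the kind of lookup a metadata repository has to support. The inventory and lineage edges are constructed sample data with illustrative names: each dataset records where it lives, which personal-data fields it holds, and whether it sits with an external party. Given a deletion request, the code walks the copy/derivation graph so that every downstream copy is included, lists the external recipients (the answer to the "who did you share it with" right), and flags datasets that hold personal data but that no lineage edge touches, which is exactly the hidden-copy case the inventory exists to surface.

```python
from collections import defaultdict, deque

# Constructed sample inventory (illustrative names, not from the article). Each
# dataset records where it lives, which personal-data fields it holds, and whether
# it sits with an external party such as a vendor or partner.
DATASETS = {
    "crm.customers":        {"store": "on-prem CRM database", "pii": {"email", "name", "phone"}, "external": False},
    "dw.customer_dim":      {"store": "cloud data warehouse",  "pii": {"email", "name"},          "external": False},
    "mart.marketing_segs":  {"store": "marketing data mart",   "pii": {"email"},                  "external": False},
    "partner.adtech_feed":  {"store": "adtech vendor (SFTP)",  "pii": {"email"},                  "external": True},
    "saas.usage_events":    {"store": "product telemetry",     "pii": {"account_id"},             "external": False},
    "dw.usage_fact":        {"store": "cloud data warehouse",  "pii": {"account_id"},             "external": False},
    "dw.product_catalog":   {"store": "cloud data warehouse",  "pii": set(),                      "external": False},
    "analyst.scratch_copy": {"store": "analyst laptop export", "pii": {"email", "phone"},         "external": False},
}

# Lineage edges (source, target): target is copied from or derived from source.
LINEAGE = [
    ("crm.customers", "dw.customer_dim"),
    ("dw.customer_dim", "mart.marketing_segs"),
    ("mart.marketing_segs", "partner.adtech_feed"),
    ("saas.usage_events", "dw.usage_fact"),
    ("crm.customers", "dw.product_catalog"),   # enrichment join; carries no PII forward
]


def build_graph(lineage):
    """Adjacency list: dataset -> datasets copied or derived from it."""
    graph = defaultdict(list)
    for src, dst in lineage:
        graph[src].append(dst)
    return graph


def downstream_copies(root, graph):
    """Every dataset reachable from root through copy/derivation edges (root excluded)."""
    seen, queue = set(), deque([root])
    while queue:
        for nxt in graph.get(queue.popleft(), []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def deletion_plan(datasets, lineage):
    """Work out where a deletion request has to be executed.

    Returns a dict with:
      to_delete    - datasets holding personal data, sources before their copies;
      disclosed_to - the external ones among them (the 'who did you share it with' answer);
      orphans      - datasets holding personal data that no lineage edge touches, i.e.
                     hidden copies the catalog cannot account for and must investigate.
    Raises ValueError if lineage names an uncatalogued dataset or contains a cycle:
    either way the catalog itself is wrong and cannot be trusted for the request.
    """
    unknown = {n for edge in lineage for n in edge} - datasets.keys()
    if unknown:
        raise ValueError(f"lineage references uncatalogued datasets: {sorted(unknown)}")

    graph = build_graph(lineage)
    indegree = defaultdict(int)
    for _, dst in lineage:
        indegree[dst] += 1

    # Kahn's algorithm gives a topological order; sorted() keeps it deterministic.
    order, queue = [], deque(sorted(n for n in datasets if indegree[n] == 0))
    while queue:
        node = queue.popleft()
        order.append(node)
        for nxt in graph.get(node, []):
            indegree[nxt] -= 1
            if indegree[nxt] == 0:
                queue.append(nxt)
    if len(order) != len(datasets):
        raise ValueError("lineage graph contains a cycle")

    linked = {n for edge in lineage for n in edge}
    holds_pii = [n for n in order if datasets[n]["pii"]]
    return {
        "to_delete": holds_pii,
        "disclosed_to": [n for n in holds_pii if datasets[n]["external"]],
        "orphans": [n for n in holds_pii if n not in linked],
    }


if __name__ == "__main__":
    for key, names in deletion_plan(DATASETS, LINEAGE).items():
        print(f"{key}: {names}")
```

The ordering matters in practice: deleting from a source and then refreshing its derived copies is the usual path, so sources come first. The orphan list is the operational output worth watching; every entry is a dataset the organization knows holds personal data but cannot explain, and a real repository would treat it as a finding to resolve before the request is closed.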

2. Vet all vendors to make sure they are compliant

The obligation does not stop at your own systems. Under CCPA, consumers have a right to know which other companies have had access to their personal data. Organizations that rely on third-party vendors must ensure those vendors are managing personal data in a way that complies with CCPA. That means updating contracts, if need be, to require vendors to honor any data subject rights requests received by the organization and to ensure they are not selling consumer data. In some cases, businesses might have to make the difficult decision to terminate relationships with vendors that cannot demonstrate compliance or that are unwilling to agree to contractual obligations.

3. Treat privacy with respect, gain customer loyalty

With its comprehensive rules concerning the processing of personal data, the GDPR continues to be the gold standard for data protection. The CCPA adds another layer of privacy obligations for organizations that collect, use, and sell personal data of California residents. Whether or not they fall under the jurisdiction of either the GDPR or CCPA, companies would be smart to put a data privacy program in place and proactively implement appropriate controls to safeguard the privacy and security of the personal data they collect, use, and store. Widespread concerns about recent uses of personal data by companies, and a few high-profile data breaches, have shown that companies can significantly damage their reputations if they do not act as responsible stewards of their customers' personal data.

In the digital age, an approach that pairs compliance with the goal of a better customer experience, building trust through transparency and a robust privacy program, will be a real competitive advantage.

Kent Graziano is the Chief Technical Evangelist for Snowflake and an internationally recognized expert in data modeling and agile data warehousing. He is an award-winning author, speaker, and trainer, in the areas of data modeling, data architecture, and data warehousing. He is also an Oracle ACE Director - Alumni, member of the OakTable Network, a certified Data Vault Master and Data Vault 2.0 Practitioner (CDVP2), expert data modeler and solution architect with more than 30 years of experience, including over two decades doing data warehousing and business intelligence (in multiple industries).


