How Can Business Intelligence Leaders Adopt CCPA Compliance?
A New World in Analytics is Dawning
Since the 1st January 2020, the California Consumer Privacy Act (CCPA) has come into effect. After GDPR came into play in 2018, and following major data privacy breach scandals such as the Cambridge Analytica Affair, California is taking the lead in the USA for data privacy. Since GDPR, individuals have been educated and been given new rights, making compliance the number three challenge for CISO’s across the world. Business Objects CCPA Compliance will impact a lot of organizations and these organizations will have to implement or update their processes in the way they manage personal data. A new data privacy world has emerged and it will be of no surprise when other states and countries follow suit.
Business Intelligence and CCPA
Data is the number one asset for most companies and brands in the world, and Business Intelligence (BI) is all about transforming data into insights for business. As BI leaders, you’re collecting and processing personal data and so, you’re subject to comply with these new data privacy standards. As experts in BI, we have gathered what you need to know about this new law, why it is important to comply with it, and what you could, or should I say, must do, to comply. We helped customers in complying with GDPR when it came into effect, so we can also guide you through the steps to be CCPA compliant.
The CCPA is a new data privacy law that establishes rights for California consumers, defined as “a natural person who is a California resident, as defined in Section 17014 of Title 18 of the California Code of Regulations. A Californian resident is “an individual who is in this state for other than a temporary or transitory purpose” as defined in the California Code of Regulations. The law applies to entities that do business in California and meet one of several criteria related to revenue, data processing, and other factors.
Personal data as defined by the CCPA is “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household”. Personally Identifiable Information (PII) includes personal identifiers such as, geolocation data, email addresses, online handles, internet browsing history, search history, purchasing history, user preferences, names, alias, postal addresses, social security numbers, IP Address, customer profiles, etc.
Thanks to CCPA, here are some of the new rights for Californian consumers:
- Data Deletion: the right for data to be deleted across the whole business system.
- Data Disclosure: the right to access their information.
- The Right to portability: the right to have their personal information in a readily usable format to be able to then transmit this information to another entity without hindrance. This is specifically for electronic access requests.
- The Right To Know: the right to be informed of how, why and where personal data is collected or shared.
- The Right to Opt-out: the right to withdraw from personal data being resold.
Who Does It Impact
CCPA Compliance will impact every “business” (a for-profit legal entity) that handles data related to California residents. It applies to profit entities that match one of the following criteria, no matter where you are based in the world:
- Your organization generates more than $25 million in gross annual revenue.
- Your organization handles personal information of at least 50,000 customers, households or devices.
- Your organization generates more than 50% of the revenue from monetizing data.
Why Should You Act
You should be acting right now! California may be the first in the United States to put a data privacy act into place, but other states are working on their own data privacy rule too. On a more global scale, Japan and Brazil are following suit; it’s becoming a real global phenomenon. So, if you are already adhering to CCPA Compliance then you will be well placed when other state regulations come into effect.
However, those who are not ready, need to act now, as the CCPA gives residents the right to request the data that a company has collected over the past 12 months. This means that companies need to have data tracking processes in place from the very beginning to be able to meet any of the requests.
On a BI level, BI is used to distribute data, including personal data, to business users and third-parties, making it even more sensitive and subject to caution. Ignoring this new privacy act increases the risk of being caught, and violating the law comes with a fine of up to $7,500 per violation for the company. Companies do have a 30-day period to cure the violation if possible, but why take the risk at all if you can avoid it altogether?
Moreover, with these new standards, consumers now also expect transparency from brands. Companies not adhering to that will lose customer trust, and so, compliance here can gain a significant competitive advantage.
What You Should Do
Data privacy is becoming a global phenomenon and so the best way for organizations to move forward is to build a global privacy program. Focus not only on CCPA Compliance but on a broader program that could also fit with future state or foreign regulations.
We’ve put together a list of actions and processes that you can implement to be CCPA compliant:
- Define the PII categories in your BOBJ environment
- Locate and tag universes and documents that contain PII, and view the complete data lineage
- Document where those PII are located in both Universes and Documents
- Keep track of PII shared to third parties through publications
- Document your permissions (universe restrictions, access to folders and documents)
- Review your security: does the right person have access to a specific set of data? Eventually, you could update the security with business owners. Reduce exposure so that only habilitated users can access personal data.
- Monitor user behavior, accesses, and suspicious activity on your BOBJ environment
- Track permission changes over time and continually review data accesses
- Implement a way to be capable of documenting data flow and data accesses in a usable, transferable way
- Manage third-party risk by disclosing the categories of third parties you share data with. If you face a request for deletion you must also ask the third party to do so.
CCPA Compliance gives new rights to customers and forces businesses to comply with it. Any company that collects and uses personal data for analytical purposes is subject to the obligations under this new law. Businesses must now make sure that any personal data is identified across their business intelligence landscape. This includes where it is stored and who can access it. They need to be able to document the data in an easy and shareable way. Here at 360Suite, our solutions can help you go through the necessary steps to succeed at complying with CCPA.
You may not be subject to this new privacy act today but one day you will be — this is just the tip of the iceberg. Implement a global data privacy program now to enhance your customer experience and mitigate any unnecessary risks.
Do you need help in identifying personal data and creating data flow documentation?
Our experts can help you.
This article is not legal advice to comply with CCPA for your company. It provides background information to help you understand this new law. If you would like legal advice on this subject, please consult your legal department. The full legal text can be found here.