- Hire Talent
- Find Work
- Legal Software
Learn about how to get your company prepared for GDPR and CCPA
The California Consumer Privacy Act went live on January 1, 2020, leaving many companies scrambling to prepare. The law will impact an estimated 500,000 companies, although many suspect the reach of the regulation will be much larger.
Below are some quick tips to get your company CCPA ready!
CCPA (California Consumer Privacy Act) is a broad regulation that applies to for-profit entities that
To meet the "doing business in California" threshold, companies do not actually need to be operating in Cailfornia. For example, they will satisfy this prong if they maintain mailing lists that include California residents, ship goods to California, or collect digital user information about California residents. Given the population of California is 50M, this puts a ton of businesses at risk.
Finally, in-house counsel should be aware that the definition of personal information is very broad. The definition is any information that "identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
Have a game plan. Companies are all over the board in terms of their compliance. Some are fully compliant, others are waiting to see how the regulatory landscape plays out. Even if your company is in the latter category, make sure you're keeping up-to-date with what work needs to be done in the future.
Subsidiaries. Many companies have a variety of business units and/or subsidiaries to keep track of. This can oftentimes mean that the compliance function, contracts, and vendor compliance programs are disconnected. Make sure that you have a team member who is responsible for ensuring compliance across all areas of your business.
Where is your data? Figure out where your data is housed! This is oftentimes a very tricky question for companies to answer because data is housed not only in your own internal tools but across a variety of vendors and suppliers. Consider bringing in a data privacy consulting firm if your internal team is unable to do this.
What is personal data? Do training!! The first step to empowering your team (both the legal team and other business functions) is making sure they understand the foundations of the regulation.
Pace Yourself. Don't attempt to tackle all areas of privacy compliance at once. We'd recommend working with leadership to develop a privacy compliance roadmap so that you're setting achievable and realistic goals for your compliance program.
Give leadership options. Management is often concerned with how much compliance programs will end up costing the company. In addition to compliance vendors that may need to be brought in, the cost of training staff, locating data, and bringing business processes and systems into compliance can be costly. To mitigate this, ensure that you're giving leadership multiple options for tackling privacy compliance problems.
Tackle high-risk areas first. Companies are typically in a stronger position if they tackle the most important areas of compliance first. Those areas include: data subject access requests and breach response.
Below you'll find a roadmap for getting your company into data privacy compliance. This model can be adjusted for your individual company's needs.
Phase 1: Present State Analysis
Phase 2: Plan + Recommendations
Phase 3: Implementation
Phase 4: Maintain