Top 5 CCPA Privacy Do’s (and Don’ts)
There is a lot of talk about legal privacy requirements, the steps to implement a privacy program and technology that can assist. Here is a list of what we consider the Top 5 Privacy must do’s or don’ts.
1. Get rid of personal information that does not have a business purpose
The most important and least costly thing that a business can do to comply with privacy regulations is to reduce the volume of personal information (PI) stored by the business. This is called data minimization. In one stroke, this action reduces the risk of a data breach, reduces the work to establish and maintain a privacy program and reduces the work and cost to respond to consumer requests. Know the purpose, restrict the use of PI and delete PI that does not have a clear purpose. This is mandated in the CPRA amendment to the California Consumer Privacy Act, the CCPA. It will not be enforced until January 1, 2023, but starting today is good for the business, and it will be required.
2. Implement “reasonable” security practices and procedures
Privacy laws require that businesses implement reasonable security practices and procedures. These need to be reasonable to the business and reasonable to protect the personal information of California residents. These are steps that a knowledgeable person would take that would be fair to the business and fair to the individuals. They would include implementing administrative, technical and physical safeguards. After eliminating unnecessary PI, this is the next most important thing to do to protect the business (and residents).
3. Don’t advertise to the world that your company is non-compliant
Every business that must comply with a privacy law like the CCPA is required to provide a readable privacy notice to residents. The purpose of the privacy notice is to let residents know what PI is being collected, why it is being collected, who it is shared with and their rights. The privacy notice must be displayed publicly and for those businesses that have websites, the notice must be available on the website. If your business is required to comply and it does not have an accessible privacy policy, you are advertising to the world that you are not compliant.
4. Deliver on your self-regulation promise
A privacy notice is considered an agreement with consumers. Businesses that do not comply with their own privacy notice are breaking their agreement. Be smart. Say what you do and do what you say.
5. Accept that security and privacy is not a one-time event
Wouldn’t it be nice if you just needed to become compliant once and could then forget about privacy and security requirements? But to serve customers and to be competitive, businesses change what data is collected, what applications are used and where personal and sensitive information is stored. There are outside changes as well: laws change and security threats change. As internal and external change occurs, businesses need to keep track of what PI is collected, its purpose, where it is stored, how they protect it, how they notify residents and how they respond to resident requests about their PI. The least expensive way to deal with these changes is to focus on Must Do #1 – if you don’t need it, don’t keep it. Otherwise, to minimize cost, we recommend that businesses take iterative steps to update their privacy and security programs.
#CCPA #Infosec #cybersecurity #privacy #GDPR