In January we wrote about the forthcoming tsunami from the CCPA.
The CCPA undersea quake hits on January 1, 2020. Then the waves start crashing in from the tsunami. Be ready.
It is now almost June and your organization has seven months to be ready to respond to two types of requests:
- What data are you keeping about me? At 8folios.com we call this a Data Subject Access Request (DSAR, or SAR). Your organization must tell the requester what data about them probably exists in your IT landscape.
- Delete the data about me. At 8folios.com we call this a Right To Be Forgotten (RTBF) request. Your organization must delete agreed-upon data for the requester — this may be everything about the requester, but is more likely a defined subset of the data.
Moreover, your organization must be able to respond to both types of requests in a timely manner.
So, here are three fundamental errors to avoid when working toward CCPA compliance.
1. Mapping the physical.
Your organization needs to create and maintain blueprints. These blueprints tell you WHAT data is retained in your organization’s IT landscape, and WHERE the data is retained in the IT landscape. The WHERE is a crosswalk from the data to things such as Applications and Integrations (e.g., a REST API).
If your organization is blueprinting at the physical level (i.e., tables and columns) for its transactional databases, then the organization is boiling the ocean. Your organization has probably increased the blueprinting work a hundredfold for little value.
Plan to blueprint the logical entities and attributes, starting with those directly relevant to a DSAR or a RTBF request. Then selectively blueprint the physical tables and columns as needed.
2. Forgetting to blueprint the dark data.
Your organization’s IT landscape includes both structured and unstructured data. The compliance plan likely includes the structured data in transactional databases, and probably includes unstructured data (e.g., a PDF of a medical claim). What about the dark data?
Dark data may include log files, in-transit or temporary events such as a JSON message in a queue, archived copies of databases or batch files, and more.
Is blueprinting the dark data on your organization’s compliance plan?
Again, start with those items directly relevant to a DSAR or a RTBF request.
3. Expecting a small team to maintain the blueprints after January 1, 2020.
Your organization’s IT landscape will continue to evolve. What is your plan for a sustainable approach after go-live? If you’re not crowdsourcing the creation and maintenance of the blueprints then your organization will eventually succumb to the waves from the CCPA tsunami.
Crowdsourcing means letting multiple people create and maintain the WHERE (i.e., the crosswalk from Data to things such as Applications and Integrations).
Control the WHAT (i.e., the Data items) through a tightly-controlled governance process, but use a less-restrictive process to maintain the WHERE.
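The WHAT/WHERE split from points 1 to 3, as an added Python sketch that is not from the original post or from 8folios.com: logical attributes are defined under the governed process, anyone can crosswalk them to the systems that hold them, and the blueprint answers which systems a DSAR or RTBF request touches and which in-scope attributes still have no location or no dark-data copy mapped. The system names, attributes and the structured/unstructured/dark kinds are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Location:  # WHERE: one crosswalk entry from a logical attribute to a place it is kept
    system: str          # application or integration, e.g. "CRM DB", "REST API /customers"
    kind: str            # "structured", "unstructured" or "dark"
    physical: str = ""   # table.column, bucket path, ...; filled in selectively, as needed

@dataclass
class Attribute:  # WHAT: a logical attribute, changed only through the governed process
    dsar: bool = True    # must be reported on a Data Subject Access Request
    rtbf: bool = False   # part of the agreed-upon deletion subset for Right To Be Forgotten
    where: list = field(default_factory=list)

class Blueprint:
    def __init__(self):
        self.attrs = {}
    def define(self, entity, name, dsar=True, rtbf=False):
        """Governed step: data owners decide WHAT is tracked and whether DSAR/RTBF apply."""
        self.attrs[f"{entity}.{name}"] = Attribute(dsar, rtbf)
    def crosswalk(self, key, system, kind, physical=""):
        """Crowdsourced step: anyone who knows a system records WHERE the attribute lives."""
        if key not in self.attrs:
            raise KeyError(f"{key} is not a defined attribute; add WHAT before WHERE")
        self.attrs[key].where.append(Location(system, kind, physical))
    def scope(self, request):
        """Systems to query ("dsar") or purge ("rtbf"), each with the attributes it holds."""
        out = {}
        for key, a in self.attrs.items():
            if getattr(a, request):
                for loc in a.where:
                    out.setdefault(loc.system, set()).add(key)
        return out
    def gaps(self):
        """In-scope attributes with no WHERE at all, or with no dark-data copy mapped yet."""
        return {key: "no location mapped" if not a.where else "no dark data mapped"
                for key, a in self.attrs.items()
                if (a.dsar or a.rtbf) and not any(l.kind == "dark" for l in a.where)}

def sample_blueprint():
    """Constructed sample; systems and attributes are illustrative, not from a real landscape."""
    bp = Blueprint()
    bp.define("Customer", "email", rtbf=True)
    bp.define("Customer", "ssn", rtbf=True)  # defined by governance but never crosswalked
    bp.define("Claim", "document", rtbf=True)
    bp.define("Customer", "name")  # DSAR only; not in the agreed deletion subset
    bp.crosswalk("Customer.email", "CRM DB", "structured", "customer.email_addr")
    bp.crosswalk("Customer.email", "Order events queue", "dark")  # JSON message in transit
    bp.crosswalk("Customer.email", "Web server logs", "dark")
    bp.crosswalk("Customer.name", "CRM DB", "structured")
    bp.crosswalk("Claim.document", "Claims file store", "unstructured")  # PDF of a claim
    bp.crosswalk("Claim.document", "Nightly DB archive", "dark")
    return bp
```

`gaps()` is the review list for point 2: an attribute with no dark-data location is not necessarily wrong, but someone should confirm that no log, queue or archive copy exists before the plan is signed off.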
Don’t end up with a mess on your hands. Unlike the European Union’s GDPR, the CCPA defines fines to be paid to the requester if your organization cannot comply with a DSAR or a RTBF request, or cannot comply in a timely manner. Organizations that cannot comply will quickly become financial fodder on Reddit.
Easily build and maintain blueprints for IT.
Then achieve better outcomes by using that same information to solve common IT challenges, mitigate risk, and reduce incidents.