The United States is introducing new privacy laws that apply to businesses that collect and store consumers’ and employees’ personal data. The California Consumer Privacy Act (CCPA), set to go into effect on January 1, 2020, essentially creates new consumer rights, and therefore new obligations for businesses.
There are four important questions that in-house counsel can ask to help determine their readiness for complying with the CCPA and other pending privacy regulations.
Do we really know our data? Effective and defensible compliance begins with a data inventory — developing it if you don’t have one, organizing it if you do. How you develop your data inventory will directly impact your ability to meet your obligations, demonstrate diligence with regulators and defend your compliance efforts against plaintiffs’ attorneys.
Can we respond to a data subject access request (DSAR)? Under the CCPA, companies have 45 days to respond to, fulfill and manage a DSAR. Nearly 60 percent of data breaches are caused by third parties. Many companies don’t have a handle on who their vendors are and what data they own. Part of your data inventory should include an understanding of who those third parties are, and to what company data they have access.
Are we keeping data longer than necessary? Personal data you don’t have cannot be breached. A clear way to mitigate a lot of organizational risk is to get rid of data that has met your business, legal and regulatory obligations.