The California Consumer Privacy Act (CCPA) was introduced in January 2020, with regulation enforcement applying from 1 July. The far-reaching regulation is a state-wide data privacy law that regulates how businesses – anywhere in the world – handle the personal information of California residents.
The CCPA gives California residents the right to opt out of having their data sold to third parties and the rights to request disclosure and deletion of data already collected. It also gives them the right to be notified, and to equal services and price, as regards their rights around data handling. You can read more about the Act’s requirements and remit here.
Noncompliance has stringent penalties, potentially resulting in fines for organizations of $7,500 per violation and $750 per affected user in civil damages.
Companies Are Struggling to Comply With the CCPA
In spite of the potential consequences of noncompliance – which you might expect to incentivize organizations to get to grips with the legislation – research shows that many organizations are struggling to comply with CCPA requirements.
A survey carried out by Ethyca and TechGC in June found that over half of general counsels felt their organizations were not prepared for the CCPA.
The issues they faced included difficulties with tracking and mapping the data they hold. These challenges are compounded because processes – like the process for answering consumer requests under the Act – are often handled manually.
Commenting on the survey on law.com, Cillian Kieran, founder and CEO of Ethyca in New York, noted that each consumer request to have their data erased can take a corporation eight to 10 hours to complete.
Another survey of 121 US-based companies showed that poor compliance is due not just to a lack of understanding of what’s needed, but to other issues including a lack of automation. The survey, by cybersecurity and cloud services company Akamai, identified challenges including:
- A lack of understanding about what a CCPA compliance program should cover
- Struggles to operationalize the compliance program – turning the paper-based process into reality
- The challenges posed by different data owners using separate systems, which can make it difficult to automate the process
- A lack of education and understanding of the Act and its aims, which hinder a culture where protecting customers’ privacy is second nature
Lessons for Wider Compliance from the CCPA
Companies’ struggles to comply with the CCPA offer a timely example of the challenges when implementing compliance programs – but these challenges are in no way confined to the CCPA.
The shortcomings caused by a reliance on manual processes, for instance, are relevant for any organization that needs to meet mandated governance, risk and compliance requirements.
What can we learn from the issues CCPA compliance spotlights? What do they tell us about the ways companies approach and measure compliance, and the additional challenges of managing compliance processes manually?
Lesson 1: Understand What Your Compliance Program Needs to Look Like
The Akamai survey found that a lack of understanding around what a CCPA compliance program should comprise was an obstacle for many organizations. This can cause paralysis, with businesses reluctant to take the first step if they’re not clear on the actions needed.
If this sounds familiar, understanding the 5 stages of an effective compliance program will help; although programs and objectives in different organizations will vary, the 5 stages provide a framework around which most compliance programs can be built.
Lesson 2: Make Sure Your Program Can Be Operationalized
Creating an effective compliance program on paper is one thing. Bringing it to life in a real-world business can be quite another. You need to ensure your operational processes are visible and understood; nobody can be expected to comply with a procedure if they’re not familiar with it.
Similarly, everyone involved needs to understand the ways you measure compliance and be able to identify any transgressions. Your compliance monitoring processes need to be transparent and well-communicated.
Many organizations are turning to compliance software solutions to help here, with their automation, mandated checks and built-in risk management procedures increasing robustness and reducing the chance of regulatory breaches.
Lesson 3: Ditch the Manual Processes
A good compliance program has unimpeachable data at its heart. However, many organizations operate in silos, with data owners using different approaches – and often in totally separate systems – to capture and store processes, compliance monitoring data and other information.
This causes two problems – first, the challenge of collecting, aggregating and comparing the data in question, and second, the difficulty of automating processes managed in different ways across the business.
As we said upfront, managing operations and compliance processes manually can cause significant problems, with the risk of errors and omissions increased by the reliance on human effort.
Not only can the efficiency and efficacy of your processes be hindered, but failing to automate your processes can also cause problems if you are found to be in breach of regulations.
It’s far easier to prove that you have the correct risk mitigation measures in place if you can generate evidence of your approach via a compliance solution. Conversely, relying on manual processes is likely to give legislators far less assurance that any transgression is a ‘one off’ and not a mistake you’re likely to repeat.
Take Steps to Reduce Your Reliance on Manual Compliance Processes
The benefits of compliance solutions, then, can be considerable: strengthening your governance, risk and compliance (GRC) performance; making it easier for your employees to comply (and mandating compliance to lock in cultural change); and evidencing your approach while supporting continuous compliance program improvement via robust and comprehensive management information (MI).
To request a demo of Diligent’s market-leading compliance software solutions, please get in touch with us.