Experts’ View on how to Comply with CCPA Security Requirements

March 14, 2020
Karthik Krishnan
6 min read

We were on the ground at Synapse, Segment’s third annual user conference in San Francisco. The whole conference was extremely useful in that it covered how enterprises can better manage their customer data while complying with the privacy needs of the end-user and regulatory requirements. One of the sessions was a panel discussion on how to get your security story CCPA ready, by security execs from companies like Segment, Gusto, Redox, and Alto Pharmacy. They discussed what California Consumer Privacy Act (CCPA) regulations mean for your business and shared tactics to get prepared for CCPA. Here are some excerpts from the panel discussion moderated by Steven Nguyen from Segment.

Moderator (Steven Nguyen, Segment):

I think one area that will be shepherding more innovations is the Data Subject Access Request (DSAR). In the light of CCPA, the first reaction to a DSAR situation is “Oh my gosh, we’ve got to respond to this request within 30 days, where is all this data?”

All companies want to comply with the law, but one aspect all companies need to think through is if a DSAR request is a valid request or not. It is difficult to tell people that they don’t exist in your systems; they are not a consumer in your system if you don’t know where all the data points are checked.

Ben Waugh, Redox:

In the healthcare industry, we already have dozens of regulations that we usually have to deal with. We have done an analysis that shows that you cannot comply with all of them at the same time because they contradict each other. It’s a challenge working on this. It comes back down to this: rather than tackle these one at a time, we take all requirements, centralize them, try to figure out as many commonalities between them as possible, and then work from that. That way, if you need to add in a new regulation, then you can do a gap analysis to know what it’s asking for and what’s there in our centralized policy stack already, and then you can take that as you go.

Moderator (Steven Nguyen, Segment):

In a recent study done by a very large privacy organization, the organizations that are prepared for CCPA will roll it out not just to California residents; 99% of them will roll it out to all US customers. Organizations are thinking ahead and are saying, “Let’s not spend so much time to figure it out: who is the consumer? What’s the definition of a consumer in California? Let’s apply this across the board, everywhere in the US.” So Fredrick, what should people think about automating in the next big privacy framework?

Fredrick Lee, Gusto:

Maybe I can elaborate more on some tactical things people can be doing. Are there things we can do to make the developer’s job easier? To be compliant with things like CCPA, can we do markup on things like the definition, so we know what data is sensitive according to the company? What can we do about where we store the data, to make it easier to understand and consolidate it? What I often hear from companies is, “Oh, we started with one, but now the data is in 3 different data stores!” whereas it probably only needs to be in one data store. It is easier to secure one thing than it is to secure three things. As new regulations come, we know where the data is, we can quickly service the request and make sure we are adhering to the data owner’s intent. This is the whole concept of companies shifting toward being a data custodian.

Moderator (Steven Nguyen, Segment):

Same question to you, Joy.

Joy Forsythe, Alto Pharmacy:

I’ve been working with HIPAA and focusing on following those privacy regulations. With HIPAA, sometimes, we end up not only giving people access to data but also the right to amend the data. If we disagree with what consumers want to amend, we have to record that. There’s going to be more of these kinds of legislation; let’s prepare for that.

Moderator (Steven Nguyen, Segment):

What part of the CCPA readiness can businesses automate now so that they don’t have to go through a manual exercise next year for data collection, data inventory, etc.? What parts can we think about automating for the next piece of legislation?

Coleen Coolidge, Segment:

It’s everything from all the data you have on consumers, where you are getting it from, where you are sending it to, what its lifecycle might be, who in your company has access to that data. Many companies who are preparing for CCPA are doing the exercise of a very manual data collection, putting customer data manually into a spreadsheet. If one more of these regulations comes out and companies do this manually one more time, that would mean a lot of rework. If you think that data is the bread and butter of your company, then treat it that way; make sure that there is a system that can be automatically updated anytime in different scenarios like:

● Adding/Removing a third party vendor that you send some data to

● Anytime there is a new group in your company that needs access to data

● Anytime you start collecting a new piece of data

It is essential to automate processes; otherwise, that spreadsheet that you went through so much trouble creating that took months and months will get utterly outdated in a few months. And when there is another privacy regulation, companies will have to redo the whole effort to comply with the new regulation. It is best to work proactively instead of reactively to the security situation, figure out a way to do things in an automated fashion.

It is not just everything a company has built and all the data collection a company is doing, but where the company is sending that data: have companies looked at every single third party, will they be able to track that down, will they be able to delete when they need to, and do they know where all the data is spreading?

Moderator (Steven Nguyen, Segment):

Looking a few years ahead, there’s going to be a baseline similarity between CCPA and regulations in NY, Connecticut, and Massachusetts. So we have to figure out what those differences are and how to automate them. Let me ask our panelists about the one thing they want the audience to take away from this session, to prepare their organizations for CCPA.

Joy Forsythe, Alto Pharmacy:

The biggest thing is to make sure you know how these regulations are going to impact you, how you handle data privacy.

Ben Waugh, Redox:

Getting the culture right in the company: get folks to understand what they need to do, take the tools available to you, and have reasonable processes.

Fredrick Lee, Gusto:

My one big piece of advice is that it is not data we are talking about, it’s people we’re talking about. Shift your culture to understand that you are a data custodian, not a data owner. You want to make sure that you do not surprise your customers. If you get the culture right, the philosophy right, then the technical aspects will solve themselves.

Coleen Coolidge, Segment:

Getting control of your data: where is all your data, where do you get it from, where is it going to, who has access to that data, and making sure it is kept updated. This needs to happen automatically and not by a person who could go on vacation or who could leave the organization. You need to turn it into a system that can be updated automatically.

Moderator (Steven Nguyen, Segment):

If I could say one thing, I’d say focus on CCPA and have a CCPA story ready on January 1. The reason is that consumers are very empowered by this law, and they will stress test how ready organizations are when it comes to CCPA. I’m not saying you should have all the requirements in full, but have a story ready, have a process ready. The attorney general’s office will send out some info later this year, which states what it means to comply. More importantly, July 2020 is when enforcement starts, so you want to start much earlier than that.

With that said, that is our CCPA talk, and we hope you enjoyed it!
