Pub. 5 Issue 1
Data Privacy Compliance and CCPA

BY TOM TOLLERTON, SENIOR MANAGER | DHG IT ADVISORY

Breaches of confidentiality of consumer data, whether by malicious third-party attack or by inappropriate internal use, continue to dominate news headlines. In the absence of a comprehensive federal data privacy law, many state governments are introducing laws that would require organizations to take steps to protect personal information and that limit how organizations may use that data. Legislatures in over a dozen U.S. states have introduced, or are debating, data protection and privacy laws. As these emerging laws are passed and take effect, leaders of businesses in all industries should be assessing their data privacy program and implementing the processes and technology needed to comply with fundamental privacy principles.

California recently passed the first comprehensive state consumer data privacy law, the California Consumer Privacy Act, or CCPA. CCPA was modeled closely on the European Union's General Data Protection Regulation, or GDPR, which took effect in May 2018. Like GDPR, California's law is considered very expansive, potentially adding a significant burden on businesses that maintain operations in California and on businesses in other states that handle the personal information of California consumers.

Organizations that handle consumer information as part of their business operations need to consider whether CCPA applies to them. Three key thresholds determine whether a business that handles California consumer data is subject to CCPA's data privacy requirements; meeting any one of them is sufficient:

1. Annual gross revenue exceeding $25 million.
2. Annually buying, receiving, selling or sharing the personal information of 50,000 or more California residents, households or devices.
3. Deriving 50 percent or more of annual revenue from the sale of California residents' personal information.
If your organization is subject to the requirements of CCPA, it is important to begin diligence efforts now in order to achieve compliance by January 1, 2020, the date the law takes effect. A practical approach has three steps:

1. Perform an assessment to understand the nature and use of data within your organization, documenting the key classifications of data, the associated business processes and systems, and the key users and third parties that may have access to the data.
2. Perform a gap analysis against the key requirements of CCPA (or other applicable data privacy laws) to clearly outline the organization's preparedness for meeting its principal privacy obligations.
3. Establish formal plans for remediating the compliance gaps identified, and assign responsibility for maintaining the data privacy program as new laws and regulations emerge.

The data privacy professionals on the DHG IT Advisory team are experienced in advising leaders of complex organizations on achieving compliance with security and privacy laws, including CCPA, GDPR and the HIPAA Security and Privacy Rules. Leveraging broad industry experience, our team offers tailored and cost-effective recommendations to help achieve compliance.