Osterman Research published a white paper titled “How to Comply with the CPRA” that covers the evolution of data management, its implications for business, and what you can do to comply with regulatory mandates. Read on for key insights from the white paper.
In today’s digital landscape, data is our most precious commodity, whether we realize it or not. Organizations have more access to our data than ever before. With so much of our personal information floating from organizations to their highest bidders, it is important to understand what protections are out there.
Europe agreed. They initiated the General Data Protection Regulation (GDPR), a data protection framework that organizations handling data must comply with.
The United States hasn’t fully agreed yet. Instead, initiatives for data protection have happened at the state level. For instance, California initiated the California Consumer Privacy Act (CCPA). Further, the state has extended that privacy legislation; the extension is known as the California Privacy Rights Act (CPRA).
What is the CPRA and Why Does it Matter?
The CPRA is virtually an expansion of the previously enacted CCPA for the residents of California. Before you close this blog post because you don’t live in California and your business doesn’t physically operate in California, hold on.
California has a population of over 39 million. The United States has a population of just north of 329 million. California has roughly 12% of the country’s population. Even if your business does not operate in California, chances are you have a significant customer base in the state. The CPRA therefore applies directly to you and should be taken into consideration when defining your information management and governance strategy. (78% of organizations fall under these specifications.)
The CPRA applies to any organization that holds or uses personal data for California residents. Personal data includes “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Long story short, if you have customers in California, you likely have personal information on California residents, so you need to comply with the CPRA when handling California residents' data.
This post isn’t meant to serve as an exhaustive explanation of the CPRA details, but rather as a guide with suggestions for effectively complying with the CPRA.
Effectively Complying with the CPRA
Within Osterman Research’s white paper are some surprising survey results that indicate many organizations are not equipped to adequately adhere to the CPRA. They also present some best practices for CPRA compliance:
- Understand the requirements
How do you follow what you aren’t aware of? The exact requirements for the data in your possession may depend on several factors, so being aware of which specific rules apply to your organization’s situation is pivotal to compliance. Knowing what is required will also give you a better idea of what kinds of tools and solutions you should put in place to help you in your efforts.
- Understand where your data is collected, processed, stored, and shared
According to Osterman Research, 1/3 of organizations don’t know where their corporate data is located. How do you know what data in your possession is under CPRA jurisdiction? Uncontrolled and unlocated data can create a blind spot in your regulatory compliance efforts. For example, under the CPRA, verified California residents have a right to request their personal data be deleted. If your organization has any of this personal data on employee-owned laptops or other endpoint devices, your entire business risks non-compliance. Get control of your data!
- Find the happy medium between process design, education, and technology for compliance
Compliance is a team effort. If your organization can design an effective and efficient process and join it with a competent team and the technology they need to be effective, you have yourself a recipe for compliance. Such tools could include those that help drive data discovery, encryption, secure data transfers, and automated processes, among others. If you already have such systems and technologies in place, great! Time to reassess. Then re-reassess. Always be looking to optimize your systems to stay up to date with current CPRA guidelines.
- Train your employees for compliance success
How can your organization effectively adhere to CPRA guidelines if your team doesn’t know how? Employees need to know what they can and can’t do with personal data. Spend the time to educate your employees on the specific guidelines your business must follow. Additionally, technology can aid you in your compliance efforts by providing you with inside risk analytics so you can know where your potential fires are before they even start, as it’s much easier to extinguish a spark than a forest fire. Focus on visibility, transparency, and honesty when it comes to personal data management. If you don’t leave your employees in the dark, they won’t put you at risk for regulatory compliance violations.
- Be ready for widespread CPRA practices
The CPRA applies only to California residents so far, but that will most definitely change in the future as more states adopt similar laws. Many organizations are taking CPRA actions and applying them to customers in the broader United States, a good first effort to prepare for widening regulations. If the process you design today can scale with you and the regulations you follow, it doesn’t matter what curveballs data protection laws throw; you will be ready. Technology changes rapidly and laws are still catching up. Once they do, will you be ready, or will you be scrambling with the masses to patchwork an information management and governance strategy?
If there’s one thing you get from this article, it should be to prepare. Prepare now for the changing regulatory landscape that will dictate how we handle sensitive data. Don’t wait for regulations to get here. Handle your personal data responsibly now.
Micro Focus helps organizations do just this.
The Micro Focus Information Management and Governance portfolio provides the core solutions every business needs to manage, protect, and secure its data, while enabling effective collaboration from anywhere, on any device.
We focus on the power of strategic insight so you can get a handle on your data and remain in compliance with the CPRA. Win. Win.
For more details on our Information Management and Governance portfolio of products, visit our website.
The Micro Focus IM&G team
Know your data | empower your people | drive your future