When the General Data Protection Regulation (GDPR) began to apply more than a year ago, it was far reaching, and many organizations were caught off guard because they assumed it did not apply to them. In fact, it did. Now the California Consumer Privacy Act (CCPA) is about to take effect (Jan. 1, 2020), and any business that meets the Act's thresholds (annual revenue, the volume of consumer data it handles, or the share of its revenue that comes from selling personal information) and collects personal information about California residents will need to change the way it manages that information, wherever it is headquartered.
California has the fifth largest economy in the world. In fact, it’s actually bigger than that of the United Kingdom. Why is this relevant? Well, given the size of California’s economy, this legislation will clearly have a considerable global impact. It will tip the scales on privacy around the world. To prepare for the CCPA and other future data security legislation, organizations must focus on identifying the types of personal information they have and evaluating the flow of that data coming in and going out of the organization. Getting a handle on the flow of your sensitive data is also a great early step toward avoiding a breach, regardless of the regulations you need to follow. More importantly, it is the foundation of a solid data privacy strategy, which should be the end goal for global enterprises.
The objective of these guidelines is to provide you with some pragmatic thoughts around preparing for CCPA. They are based on conversations we had with security and data executives at enterprises worldwide regarding what’s worked best for them to address CCPA and other pending data privacy regulations.
1. Break Down Data Silos
As organizations mature, departmental silos naturally emerge as the business evolves and expands into different areas. As part of this evolution, each business segment develops its own way of generating, collecting and managing data. However, when it comes to data protection strategies and meeting privacy regulations, businesses must break down these internal walls to consistently protect data across the entire organization. Privacy is an organization-wide initiative and stakeholders need solutions that have an impact in all areas.
Data protection solutions themselves should not be siloed either. The most successful programs take advantage of the data security frameworks and processes that already exist in individual departments. For example, instead of simply focusing on identifying and categorizing data to help meet CCPA mandates, consider the security technologies already in place and how data categorization can integrate with them to drive further success from a security standpoint. Consider how data context through classification and categorization can be used in other areas of the business or to power existing security technology investments – such as cloud access security brokers, data loss prevention solutions, encryption technologies or next-generation firewalls.
Implementing a cross-departmental data security solution can also be a real boon to business. Who knows what useful data might be sitting over in another department? If security solutions are implemented in a siloed fashion, however, an organization will not only increase its risk of noncompliance but will also lose an opportunity to create deeper awareness about what data protection means for each aspect of the business.
2. Create Rich Metadata
Metadata is the glue that connects all data within an organization. Metadata enables organizations to flag sensitive information in files, documents and web pages, and it also provides a way to compile more detailed and useful data about that data. For example, the metadata for an Excel spreadsheet could record that the file contains personal data, which types of personal data it contains (name, address, etc.) and who authored the spreadsheet. Note that the metadata should describe the personal data, not copy it: a tag that says "contains addresses" is safe to index and share with other systems, whereas a tag that contains the addresses themselves just creates a second copy to protect. From a data protection standpoint, this information can be used to better identify, classify and protect corporate data. From a data management or analytics point of view, it can help business leaders develop strategies for new initiatives. Ideally, metadata brings together an organization's data protection and data management strategies so that it can protect and advance the business simultaneously.
When considering privacy regulations such as CCPA, security professionals must look holistically across the organization to create metadata that all security technologies and data management systems within the organization can take advantage of. For example, what does the firewall need to be more efficient? Could firewall policies benefit from file metadata that identifies that personal data is contained in the file?
People often associate metadata only with what the data is, but it can also be used to govern how long an organization should retain that data. Deciding a retention period, and therefore when data becomes eligible for deletion, is a key aspect of data protection, and the retention period can be recorded in the metadata alongside the classification. Once the retention period is defined, organizations can run programs that delete or archive information in line with data privacy regulations. Do you really need to keep a document listing employee names and dietary restrictions captured ahead of the corporate holiday party, or can it be deleted once the party has taken place?
3. Use Machine Learning to Understand Context
Numerous machine learning models in the market today have already been tuned for personally identifiable information (PII). Solutions designed to help with CCPA and GDPR compliance should leverage those models for data detection. Data categorization tools with machine learning built in make it easier to understand the context around data, which in turn helps determine how to handle different types of data. Rather than simply flagging Social Security numbers or bank account numbers, which a pattern match can find, tools that employ machine learning can help users identify personal information contained within the narrative of documents and emails, such as health history or employee review details.
What's more, machine learning enables organizations to automate their PII strategy. Data categorization tools with built-in machine learning let teams spend their time on the privacy program itself rather than on hand-labelling files. As confidence in the system grows, data handling policies can be applied automatically. That confidence should be earned: run the model in report-only mode first, measure its false positives and false negatives against a sample that people have reviewed, and only then let its labels drive automatic actions such as blocking, encryption or deletion, since a misclassified file that is deleted or quarantined automatically is a business incident of its own.
Because most organizations have ever-growing, complex environments, leveraging technologies that offer machine learning capabilities is critical for implementing efficient and intelligent data identification that helps achieve CCPA and GDPR compliance goals.
4. Know Where Data Goes and Why
Identifying data is one thing; keeping track of that data and managing it to ensure compliance as it moves throughout the organization is quite another. Most data protection solutions come with some sort of out-of-the-box dashboard, but a more efficient and customized approach is to think about the broader organizational analytics strategy.
Security professionals must understand what types of data their organization collects and where it goes once collected. It’s also critical to understand how people interact with personal data. Is personal data leaving the organization? Understanding how data is created, collected and shared will help security executives develop information handling policies that work with business strategies while also protecting sensitive data. They may discover they need to change security policies to be more efficient relative to how people are using data.
Once information handling policies have been refined, security executives can find ways to leverage their company’s data analytics approach to put good monitoring practices in place. As mentioned earlier, the lines between data management (or analytics) and data protection are beginning to blur as data becomes central to business strategies and privacy becomes a top concern for consumers.
5. Evaluate Who Has Access to Personal Data
A central aspect of any data protection strategy is understanding who has access to personal information within the organization. Consider the petabytes of data at rest within a large organization. If personal data is lurking out there, which it certainly is, how is access to that data controlled?
The question is not simply who has access to what, but why they have access. Is access to certain personal information truly necessary? For example, consider a spreadsheet that contains 50,000 customer names and addresses. This personal information poses a risk to the business if it were stolen or exposed. Must these names be kept on file? Why are they being collected and saved in a spreadsheet at all? Can the file be deleted?
Sometimes it’s not about restricting access to personal information but considering whether the organization even needs to collect and save the data in the first place. Eliminating vulnerable personal information that is actually not needed is one very straightforward way of avoiding a costly data breach or noncompliance fine.
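The two checks above, retention driven by metadata (section 2) and a review of who can read personal data and whether it is still needed (section 5), can be run from the same inventory once the metadata exists. The following Python script is an added example, not code from the original article or from any product it alludes to. The JSON Lines schema (`pii_types`, `purpose`, `retention_days`, `readers`), the list of "broad" groups, the reader-count limit and the four sample records are all assumptions constructed for the example; a real inventory would come from a classification tool and the file system or SaaS ACLs.

```python
"""Added example: review constructed file metadata for retention and access."""
import json
from datetime import date, timedelta

# Constructed sample inventory (JSON Lines), one record per file.
# The field names are an assumed schema for this example, not a standard.
SAMPLE_METADATA = """\
{"path": "hr/holiday-party-2019.xlsx", "owner": "hr-ops", "created": "2019-11-01", "pii_types": ["name", "dietary"], "purpose": "holiday party catering", "retention_days": 30, "readers": ["hr-ops", "all-staff"]}
{"path": "sales/customers-export.xlsx", "owner": "jdoe", "created": "2018-06-15", "pii_types": ["name", "address"], "purpose": "", "retention_days": null, "readers": ["jdoe", "sales-team", "marketing", "everyone"]}
{"path": "finance/q3-forecast.pptx", "owner": "cfo-office", "created": "2019-09-30", "pii_types": [], "purpose": "planning", "retention_days": 2555, "readers": ["finance"]}
{"path": "support/ticket-42-notes.txt", "owner": "support", "created": "2019-10-20", "pii_types": ["name", "health"], "purpose": "customer support case", "retention_days": 365, "readers": ["support"]}
"""

# Assumed policy knobs: groups that mean "effectively everyone", and the
# number of distinct readers above which a PII file gets a second look.
BROAD_GROUPS = frozenset({"all-staff", "everyone", "domain-users"})
MAX_READERS = 3


def load_metadata(text):
    """Parse JSON Lines into a list of metadata records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def retention_action(rec, today):
    """Return 'keep', 'delete' or 'review' for one record.

    Files without personal data are left to their normal lifecycle.
    Personal data with no retention period recorded is a gap in the
    metadata itself, so it is flagged for review rather than kept silently.
    """
    if not rec["pii_types"]:
        return "keep"
    if rec["retention_days"] is None:
        return "review"
    created = date.fromisoformat(rec["created"])
    expiry = created + timedelta(days=rec["retention_days"])
    return "delete" if today >= expiry else "keep"


def access_findings(rec):
    """List why a PII file's access looks wider than its purpose justifies."""
    findings = []
    if not rec["pii_types"]:
        return findings
    readers = set(rec["readers"])
    broad = readers & BROAD_GROUPS
    if broad:
        findings.append("shared-with-broad-group:" + ",".join(sorted(broad)))
    if len(readers) > MAX_READERS:
        findings.append(f"readers={len(readers)}>{MAX_READERS}")
    if not rec["purpose"]:
        # No documented reason to hold the data is the strongest signal
        # that it should not be held at all.
        findings.append("no-documented-purpose")
    return findings


def review(text, today):
    """Run both checks over an inventory; keyed by path for easy reporting."""
    report = {}
    for rec in load_metadata(text):
        report[rec["path"]] = {
            "retention": retention_action(rec, today),
            "access": access_findings(rec),
        }
    return report


if __name__ == "__main__":
    for path, result in review(SAMPLE_METADATA, date(2020, 1, 1)).items():
        print(f"{path}: retention={result['retention']} access={result['access']}")
```

Run against the sample on Jan. 1, 2020, the holiday-party list is past its 30-day retention and is also readable by `all-staff`; the customer export has no retention period and no documented purpose and is shared with `everyone`, so it is the first candidate for deletion rather than for tighter permissions; the forecast and the support note need no action. The "review" outcome is deliberate: a PII file with no retention decision should surface as a gap in the metadata, not be treated as "keep forever" by default.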
Regulations such as the CCPA and GDPR are setting a global standard for how personal data must be protected, which affects almost every organization on the planet. Organizations that have not had to consider compliance regulations in the past are likely struggling to get their arms around a strategy. The good news is that many of the principles needed to solve this problem have existed for years and are maturing rapidly within frameworks such as Zero Trust: knowing where your data resides so that it can be protected, and granting access only where there is a reason for it. The work now is to tune those principles in a way that is pragmatic and practical for the business's privacy requirements.