Many organizations are facing questions from their customers that go beyond the usual queries about products and services: they're being asked how the organization manages personal data and how it meets its personal data privacy compliance requirements. These are not hypotheticals or pointless interrogations. Given the proliferation of compliance requirements and the serious sanctions for non-compliance, organizations can lose clients and business if they can't provide the right answers.
You may be asked to verify that your company is not a vector for non-compliance risk. Your partners, vendors, and customers need to know that you have an effective, relevant, and layered security approach deployed to manage shared personal data, for areas including:
Additionally, your employees need to be confident that their personal data is protected with the same rigor. It's not uncommon for them to ask similar questions, especially given how regularly high-profile security incidents occur. Obscure organizational responsibilities can lurk in marginal places: if a job seeker sends an application that includes their SSN or driver's license number, is that personal data that needs to be protected? The answer is "yes". Personal data privacy does not apply only to consumer data or salaried employee data; it applies to any personal data stored on the company's systems.
So, what does personal data privacy compliance look like for many of our clients?
Organizations need to be aware of the full spectrum of their compliance responsibilities, which can depend on location, industry, applications, and other factors. The set of relevant regulations can be extensive: storing, processing, or transmitting cardholder data requires PCI DSS compliance, handling protected health information (PHI) requires HIPAA compliance, having EU customers or employees requires GDPR compliance, and so on.
The California Consumer Privacy Act (CCPA) is a prime example of what personal data privacy compliance looks like for organizations, and one that is serving as a model for other states and national jurisdictions. Compliance is mandatory for organizations that hold personal data originating from California residents and meet one or more of the following thresholds:
Note: Parent companies and subsidiaries that share common branding with a covered business must also comply, even if they do not themselves exceed the applicable thresholds.
CCPA is on the books; however, enforcement is not yet being wielded as a stick, and certain elements may still be delayed or scrapped entirely. With GDPR, which went into effect in 2018, organizations were allowed a grace period to spin up their controls and hone their compliance efforts. After that feeling-out period, EU regulators singled out a handful of the most egregious laggards and dropped the hammer. We expect enforcement of CCPA to follow a similar pattern, and we're advising our clients NOT to be the organization that attracts an audit and is made into an example.
Avertium's Identity Data Mapping and Protection (IDMaP) assessment for personal data privacy compliance uses GDPR and CCPA as baselines, since these are currently the most stringent and detailed privacy regulations. An IDMaP assessment reveals gaps in your data handling, privacy, and compliance posture, and our team can then create a road map to get your organization where it needs to be.
We also provide guidance on privacy-focused incident response, data privacy policies, breach notification plans, and reporting policies, along with customized support based on the specific regulations relevant to your business.
Eldon Sheckles is an enterprise consultant with Avertium. Eldon specializes in helping Avertium customers to apply more rigor, more relevance, and more responsiveness in their security posture.