Data privacy has now become a headline issue for many Americans. In response to large-scale data breaches and the questionable collection and use of data by major businesses, several states, including Massachusetts and Hawaii have already passed new data privacy legislation. Other states, like Connecticut and Pennsylvania, seem intent on passing new legislation this year.
The two laws that are getting the most attention from the business community are the California Consumer Privacy Act (CCPA) and New York’s Stop Hacks and Improve Electronic Data Security (SHIELD). There are several reasons these laws are so important. The first is that they’re strict, occasionally exceeding the scope of the General Data Protection Rule (GDPR) that caused significant regulatory trouble for U.S. companies in 2018.
Another important reason why CCPA and SHIELD are so important is that both laws apply to not just businesses located in California and New York, but to any company that does business with entities in those two states.
Research shows that most companies are not ready for the new compliance standards. One of the challenges that companies have is determining which information they need to protect in order to be compliant.
NY’s SHIELD lays out a clear definition of protected data.
CCPA provides a broader, more inclusive definition of protect data.
Personal information is data that identifies, relates to, describes, or is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
The intentional ambiguity around “household” is designed to stop businesses from circumventing the law by protecting everyone using a single PC.
At the beginning of each compliance engagement, Complete Network will sit down with your team to help you analyze your technology and identify relevant PII. Only once you have clear visibility into the location and nature of those data assets can you begin to build a meaningful compliance program.
Both CCPA and SHIELD require that businesses have “reasonable” security controls in place to protect consumer data. Because of the ambiguity involved in assessing and implementing “reasonable” security, most businesses choose to partner with a compliance expert like Complete Network to help them make that determination with confidence.
Complete Network has 20 years of experience building and configuring technology solutions that protect PII as it moves through or is stored by your network technology. Here are just a few ways that we define strong technical controls:
Administrative safeguards make sure that your people and processes are properly supporting your technical controls. The Complete Network VCIO team can help you implement administrative controls that are customized to the needs your business or organization, including:
An often-overlooked aspect of security, physical controls ensure that your office itself is secured with the proper techniques to keep data away from unauthorized individuals. Physical safeguards your company should have in place include intrusion detection systems, controls that limit access to customer data after its been collected, and processes for the proper transportation and destruction of customer data after it’s been discarded.
Another important tool in building a robust data privacy program is to create an inventory of the consumer data that’s at your organization. This record, called a data inventory, will help you see how sensitive data is shared, stored, and processed by your business, shedding light on areas of weakness.
Creating a data record is particularly important in relation to CCPA compliance. Under the new law, businesses must be able to provide consumers with a full accounting of the personal data they’ve collected from them. Without a clear sense of where consumer data is in your systems, fulfilling those requests in a systematic, timely way will be almost impossible.
• Find personal data in each system and department
• Determine the scope and of relevant data assets
• Analyze data privacy and retention policies
• Create appropriate records in existing databases
• Ensure data can be retrieved in a useable format
• Recommend optimizations in data handling procedures
This record isn’t designed to be a fixed or static record. Instead, it’s a living document that’s designed to evolve with your business and show how your business processes and data interact. As such, building a data inventory will likely require on-going effort to maintain.
Because of the complexity and vigilance involved, most businesses need help achieving and maintaining compliance. For over 20 years, the Complete Network team has been providing businesses in both Albany, New York and Charlotte, North Carolina with dependable expertise that helps them address their compliance requirements with confidence.
If your business is concerned about its ability to prepare for SHIELD or CCPA and would like to speak with an expert, we’d be happy to talk with you and answer your questions. Contact our team any time at 877.877.1840, or email us at [email protected]lete.network.
The team at Complete Network can help you understand and comply with any new data regulation. Schedule a comprehensive consultation today.
We know that the first step toward better IT support is to research your options. We’ve put this guide together to aid you in that process.
It’s designed to give you an overview of our organization, so that you have the key information you need to evaluate our service fit.
This guide covers:
Download it for free by filling out the form here.