Is your small business ready for the California Consumer Privacy Act (CCPA)? If not, do you wish you were? The CCPA has brought a significant amount of awareness to consumer rights, and as data privacy continues to be an important issue for consumers, small businesses are changing how they handle personal data. Given that the CCPA will take effect on January 1, 2020, small businesses need to consider the steps they’re taking now to meet CCPA compliance requirements.
Here are three steps your small business should take to prepare for the CCPA in 2020:
Step 1: Educate & Train Your Employees on CCPA Requirements
What do you need to know?
Many employees across departments handle consumers’ personal information daily, but few understand the legal obligations that come with protecting that data. The CCPA sets training requirements for employees, partners, and anyone else responsible for CCPA compliance measures. Section 1798.130(a)(6) requires your business to ensure “that all individuals responsible for handling consumer inquiries are informed of all requirements” concerning certain consumers’ rights and “how to direct consumers to exercise their rights”. Those requirements include:
- Disclosing the categories of personal information collected about that consumer and the business purpose of that collection
- Disclosing the categories of personal information the business sold and the categories of third parties to whom it sold the information
- Not discriminating against a consumer who has exercised a right
- Providing consumers with two or more designated methods for submitting requests to access or delete their personal information
- Delivering the requested information within the proper timeline and in the proper format
Who Needs Training? Employees, Partners and More
One of your first steps is to determine who needs training. This usually includes employees, service providers, and anyone who handles consumer inquiries about your company’s privacy practices or who maintains CCPA compliance standards across the business. In practice, that means training anyone who touches consumer data, from customer service to marketing and even HR. Although every employee should eventually participate in training, these departments are the place to start.
Remaining Up to Date on CCPA Training
The law doesn’t specify a training method or how often training should occur. Offering quarterly sessions, however, helps protect your company against claims that employees were uninformed, forgot their training over time, or were unaware of the latest CCPA regulations and developments.
Step 2: Assess Your Company for Risks and Gaps in CCPA Compliance
Now that your employees are familiar with the CCPA, it’s time to see whether your company and its compliance program are ready for it. A readiness assessment is an integral part of CCPA preparation: it shows whether your business and existing privacy program already meet CCPA requirements or need adjustment. With a readiness assessment you can quickly identify gaps in data processing, consumer request handling, and other processes where changes are needed. This helps you prioritize the steps toward compliance and shows how your program measures up against the CCPA framework. Acting on the assessment results puts you a step closer to a CCPA-compliant program.
Learn how you can quickly assess your company readiness for compliance with global laws and frameworks with OneTrust Pro Maturity & Planning and Assessment Automation.
Step 3: Develop Your CCPA Compliance Roadmap
Once you have a clear idea of where your privacy program needs work, you can prioritize your next steps accordingly. With your readiness assessment, you can design a roadmap that will resolve gaps within your CCPA compliance program. Some steps you may add to your CCPA roadmap include:
- Identifying key stakeholders and building your CCPA compliance team
- Testing the current state of your compliance program for gaps and risk (as noted in step 2)
- Mapping data flows and documenting personal information transfers to service providers and sales to third parties
- Conducting Privacy Impact Assessments (PIAs)
- Building a process to collect and document valid consent
- Implementing reasonable security measures and practices
- Developing a data breach response plan
- Building a process to respond to consumer requests and opt-outs
Your roadmap should include key tasks for each step and a structured timeline that meets compliance requirements before the deadline of January 1, 2020.
Getting an early start on compliance gives small businesses time to fully understand the law and devise a plan for meeting it. Start preparing your small business for CCPA compliance using OneTrust Pro’s CCPA Readiness Checklist for Small Businesses: not only will you be ready to respond to consumer rights requests, you will also begin to improve the safety and protection of your consumers’ data.