CCPA/CPRA Data Mapping: The Why, What, and How – JD Supra

How often does the word "right" show up in the text of the CCPA/CPRA?

Over 100 times.

Out of all those references to rights, it doesn't seem that the rights of businesses are often discussed. In the CPRA, consumers get all the rights, while the word most associated with businesses is "responsibility".

Businesses that are subject to the CPRA have responsibilities to their consumers: responsibilities to manage the proliferation of personal data across their organization, responsibilities to respond to consumer requests, responsibilities to protect consumer data, and more.

The only way to attend to those responsibilities is to know where you collect personal data, where you process it, where it's sent, whether or not it's adequately protected, and whether or not it's being treated compliantly.

In essence, if your business is subject to the CPRA, then it is imperative that you map your data and data processing activities. We'll explain why and how in this article.

Like most data privacy regulations, the CPRA does not directly require you to map your organization's data. However, if you knowingly refuse to map where, how, and why your organization processes personal information, then any violations that take place associated with unmapped (and therefore unknown) personal information under your control could be construed as negligence.

If you don't map your organization's personal data processing activities, how will you:

Moreover, the CPRA not only requires you to manage the personal information you collect, but it also creates the concept of sensitive personal information.

Sensitive personal information includes data with the potential to cause harm to the associated consumer if it should be left unprotected, such as their medical information, social security number, sexual identity, and more. In order to apply the higher level of protection required by the CPRA to this information, you'll need to engage in sensitive data discovery to identify where it lives and flows in your organization.

How do you actually approach mapping your organization's data in the context of the CPRA? There are a few different strategies, each of which will suit different kinds of organizations.

For very small organizations, or organizations that know they have only a handful of essential systems to map, the manual approach can work.

Under this approach, you'll develop spreadsheets that log all relevant compliance information associated with a given store of personal information, such as who owns or controls the systems, where the data is sourced from, where it is sent to, and so on.

Once your spreadsheet library is complete, you can simply contact the system owner to carry out any requisite tasks, such as fulfilling DSARs and auditing contracts for data processing addenda.
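As an added illustration of the two ideas above (sensitive data discovery, and the owner/source/destination metadata a manual data map records), the following script is example code written for this article, not Osano's product or any code from the original post. It runs over a constructed inventory of four systems, classifies each field as ordinary personal information or as one of the sensitive categories the article names (medical information, social security number, sexual identity), and ranks the systems with a simple risk heuristic. The inventory, the field-name hints, the SSN regex and the scoring weights are all assumptions made for the example.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed inventory (not real data). Each record carries the metadata a
# spreadsheet-based data map tracks: owner, source, downstream recipients,
# plus a sample of the fields the system holds.
SYSTEMS = [
    {"name": "crm", "owner": "sales-ops", "source": "web signup form",
     "sent_to": ["email-vendor"],
     "fields": {"email": "pat@example.com", "phone": "555-0100", "plan": "pro"}},
    {"name": "hr-portal", "owner": "people-team", "source": "onboarding form",
     "sent_to": ["payroll-vendor", "benefits-broker"],
     "fields": {"full_name": "Pat Example", "tax_id": "123-45-6789", "salary": "90000"}},
    {"name": "wellness-app", "owner": "people-team", "source": "employee opt-in",
     "sent_to": [],
     "fields": {"email": "pat@example.com", "diagnosis_code": "E11.9"}},
    {"name": "build-server", "owner": "platform", "source": "ci pipeline",
     "sent_to": [],
     "fields": {"build_id": "8812", "status": "green"}},
]

# Field-name hints for sensitive personal information (assumed list, using the
# categories the article names).
SENSITIVE_BY_NAME = {
    "ssn": "social security number",
    "social_security_number": "social security number",
    "diagnosis_code": "medical information",
    "medical_record": "medical information",
    "sexual_orientation": "sexual identity",
}
# Ordinary personal information: identifies or contacts a person, not sensitive.
PERSONAL_BY_NAME = {"email", "phone", "full_name", "address", "salary"}
# Value-based check so an SSN stored under a non-obvious column (e.g. tax_id)
# is still discovered.
SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")


def classify_field(name: str, value: str) -> Optional[str]:
    """Return a sensitive category, 'personal', or None for one field."""
    if name in SENSITIVE_BY_NAME:
        return SENSITIVE_BY_NAME[name]
    if SSN_RE.match(value):
        return "social security number"
    if name in PERSONAL_BY_NAME:
        return "personal"
    return None


@dataclass
class MapEntry:
    system: str
    owner: str
    source: str
    sent_to: list
    personal_fields: list = field(default_factory=list)
    sensitive_fields: dict = field(default_factory=dict)  # field name -> category

    def risk_score(self) -> int:
        # Illustrative heuristic (an assumption, not Osano's scoring): sensitive
        # fields weigh most, then ordinary personal fields, and each downstream
        # recipient adds risk only if personal data actually flows to it.
        holds_personal = bool(self.personal_fields or self.sensitive_fields)
        return (3 * len(self.sensitive_fields)
                + len(self.personal_fields)
                + (len(self.sent_to) if holds_personal else 0))


def build_data_map(systems=SYSTEMS):
    """Turn the raw inventory into map entries with classified fields."""
    entries = []
    for s in systems:
        entry = MapEntry(s["name"], s["owner"], s["source"], list(s["sent_to"]))
        for fname, fvalue in s["fields"].items():
            category = classify_field(fname, fvalue)
            if category == "personal":
                entry.personal_fields.append(fname)
            elif category is not None:
                entry.sensitive_fields[fname] = category
        entries.append(entry)
    return entries


def prioritized(data_map):
    """System names ordered by risk score, highest first: the privacy team's worklist."""
    return [e.system for e in sorted(data_map, key=lambda e: e.risk_score(), reverse=True)]


def recipients_of_sensitive_data(data_map):
    """Downstream recipients of sensitive personal information; their contracts are
    the first to audit for data processing addenda."""
    vendors = set()
    for e in data_map:
        if e.sensitive_fields:
            vendors.update(e.sent_to)
    return sorted(vendors)


if __name__ == "__main__":
    data_map = build_data_map()
    for e in sorted(data_map, key=lambda e: e.risk_score(), reverse=True):
        print(f"{e.system:13} owner={e.owner:12} score={e.risk_score():2} "
              f"sensitive={list(e.sensitive_fields)} sent_to={e.sent_to}")
    print("audit DPAs with:", recipients_of_sensitive_data(data_map))
```

The value-based SSN check is the part worth keeping in mind: a field named `tax_id` would pass a name-only review, which is exactly how sensitive personal information ends up unmapped.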

It doesn't take much to see the flaws in this approach, however; if you have any more than a handful of systems that process personal data, then the task of creating and maintaining a spreadsheet-based data map quickly becomes untenable. In fact, the average company uses 130 different SaaS applications, and many, if not most, of those systems will be handling consumer data in some fashion.

That's treating each system as equal, too. In reality, some systems will contain more or less personal information, sensitive personal information, subsystems, connected vendors, and so on.

Some organizations may have data science resources in place, whether that's a team of experts, a homegrown solution, or an off-the-shelf business intelligence tool. These businesses are in a better position to map their organization's data for CPRA compliance than those relying on the manual approach, but there are still issues to overcome.

For one, multipurpose data science resources will be in high demand. After all, data science falls under the broader umbrella of business intelligence, and compliance isn't typically thought of as a business intelligence activity. Although a data science asset will technically be faster at CPRA data mapping than a manual approach, you may have to wait a long time before it's your turn.

Then, there is also the likelihood that a homegrown approach to CPRA data mapping will still require a great deal of manual effort. Data science experts aren't data privacy and compliance experts after all; they're data science experts. A privacy professional will need to review the output and fill in the metadata necessary to make your data map actionable from a compliance perspective.

Given how essential data mapping is to an effective privacy program, there are data mapping solutions designed specifically for data privacy and compliance professionals. Osano Data Mapping is one such example.

Rather than rely on manual discovery or require data science expertise, Osano Data Mapping quickly uncovers systems that contain personal information by integrating with your Single Sign-On (SSO) provider.

Based on criteria like the number and types of data fields, vendor flows, and identities managed, Osano Data Mapping assigns systems a risk score that enables privacy professionals to prioritize by risk and effort. Any systems that live outside of your SSO can be easily mapped using an automated workflow that keeps external stakeholders alert to any outstanding tasks.

The benefit of using a privacy-focused solution like Osano for CPRA data mapping is twofold:
