Corporate Compliance Insights
Complying with California’s New Privacy Law

Guidance on Preparing for the California Consumer Privacy Act

by Alex Gorelik
August 19, 2019
in Featured, Governance

A majority of organizations are still struggling to comply with GDPR, and – just as bad – only 14 percent of U.S.-based companies are ready to comply with the CCPA. Waterline Data’s Alex Gorelik outlines what organizations can do to bake compliance into every aspect of company culture.

One month after GDPR went into effect in May of 2018, California passed its own consumer privacy act, which by 2020 will give California-based consumers data protections similar to those EU-based individuals now enjoy. These include the right to know what data is being collected and how it’s being used, the right to refuse the use of such data and the right to delete such data. The law, based on an opt-out consent model (as opposed to GDPR’s opt-in requirement), will affect any business, regardless of location, that collects data on California-based individuals.

After years of high-profile data breaches and growing consumer resistance to the data-tracking practices of digital advertisers and businesses (more than 200 million users have downloaded AdBlock alone), public trust in how businesses handle their personal data seems at a breaking point. The California Consumer Privacy Act of 2018 (CCPA) will arrive on January 1, 2020, and it will be the toughest privacy law in the country. But don’t count on it being the last.

Organizations around the world are facing a much more punitive regulatory landscape. British Airways is facing a nearly $230 million GDPR-related fine stemming from a 2018 data breach that exposed the credit card information of many of its passengers. Google and Facebook are facing GDPR fines of up to $5 billion and $2.2 billion, respectively, and for these companies, it’s just the tip of the iceberg. The National Commission on Informatics and Liberty also fined Google $57 million for not properly notifying its users how data is collected from its properties. Facebook is on the hook for $5 billion with the FTC, $100 million with the SEC and £500,000 with the U.K. Information Commissioner’s Office for its part in the Cambridge Analytica scandal and other transgressions. If anything is to be learned from these fines, it’s that compliance is not optional.

Compliance: An Enormous and Complex Task

Even so, more than 50 percent of organizations are still struggling to comply with GDPR, according to the International Association of Privacy Professionals. Recent data from Dimensional Research shows only 14 percent of U.S.-based companies are ready to comply with the CCPA. Forty-four percent haven’t even begun the implementation process. The problem is the sheer enormity and complexity of the task. Governing all of an organization’s sensitive data – or even knowing what sensitive data exists and where it’s located within the enterprise – isn’t easy. Data classification is equally hard to accomplish. Given the volume of data that must be discovered, reliability suffers when the task is left to business users.

Consider this:

A typical large health care provider stores 4.1 billion columns of data. A typical financial services company captures more than 10 million data sets per day. As the oceans of new data pour in, only a small percentage of it — the so-called critical data elements (CDEs) — is tagged, in a painfully slow and error-prone manual process that leaves most data miscategorized, lost or still waiting to be discovered, and impossible to track. Most companies have between 100 and 200 CDEs. CCPA covers any data you have on your California-based customers — typically thousands and sometimes even hundreds of thousands of data elements, depending on your business, data organization and representation.

Some organizations are, therefore, still reacting to data governance initiatives by quarantining and limiting access to large volumes of data. But by treating all data as sensitive, including data that isn’t, business analysts are required to submit formal requests for access to understaffed IT groups that can take weeks, if not months, to respond. As a result, much of the data’s value in today’s real-time world is drowned by this firehose approach.

Even data that’s buried and virtually inaccessible is still subject to regulations like GDPR and CCPA’s “right to delete” rules. This requires organizations to jettison personal data on a number of grounds, including when it’s no longer necessary “in relation to the purposes for which they were collected or otherwise processed” and explicitly upon request. (If data is compromised, companies are required to notify customers about the breach. Imagine having to explain to a customer who asked to be forgotten and was told that the request had been fulfilled that their data had actually been compromised, because the company was not aware it was in a particular data set.) But how can you jettison certain personal information (let alone prove it’s been discarded) if you don’t even know where it is?

Since most companies lack a comprehensive inventory of their data, they only have tabs on about 10 to 20 percent of their total data estate. This lack of understanding of their data can also inhibit the organization’s ability to mask sensitive data and properly track all processing activities, including categories of recipients of personal data, transfers of personal data to a third country or an international organization and those who process data on behalf of the organization. Implementing consistent governance policies across heterogeneous systems that use different technologies – which are managed by different teams with competing priorities – is another big challenge.

AI in Data Governance is a Key (But Often Misunderstood) Requirement

The primary challenge in achieving full data governance is a technological one – for most organizations, there is simply too much data to identify and govern.

Over the years, many organizations have implemented data governance tools that can tell you what kinds of data should be considered sensitive. The problem is, these tools assume you already know where the data resides. Other tools exist that can be deployed at the data security and storage level, and they’re very good at helping you lock down sensitive data, but these tools suffer from the same problem: They don’t tell you where regulated data is located, where the data came from or where it’s going, or how to identify, report and control new regulated data as it comes in.

According to Forrester Consulting, while data security and privacy are top of mind at 65 percent of companies, only 35 percent say their current tools are helping them fully understand what data is available, putting their ability to protect data at risk. This is because traditional sensitive data discovery tools have relied on preconfigured classifiers, such as regular expressions preprogrammed to find easily detectable personally identifiable information (PII) such as tax IDs or credit card numbers. GDPR and CCPA, however, extend the regulation to everything your business knows about your customers. Since each business is different and has its own representations of the data, it is impossible to find that data using traditional tools with prebuilt, simplistic classifiers.
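The following is an added illustration, not code from the article or from Waterline Data, of the kind of preconfigured, regex-driven column classifier the paragraph above describes, run over a constructed sample data set. The column names, sample values, classifier labels and the 50 percent match threshold are all assumptions made for the example. It tags the columns whose values follow a well-known PII format (email address, U.S. Social Security number, payment card number with a Luhn check digit) and leaves every business-specific representation untagged, which is exactly the coverage gap the article points at.

```python
import re

# Constructed sample data set: column name -> sampled values. Not real data.
# "loyalty_ref" is a business-specific customer identifier with a format no
# generic classifier knows about; it is still personal data under CCPA.
SAMPLE_COLUMNS = {
    "email": ["ann@example.com", "bob@example.org", "not-an-email"],
    "ssn": ["123-45-6789", "987-65-4321", "123456789"],
    "card_number": ["4111111111111111", "5500000000000004", "1234567812345678"],
    "loyalty_ref": ["CA-00017-XK", "CA-00412-PQ", "CA-00931-ZZ"],
    "order_total": ["19.99", "250.00", "3.50"],
}

# Preconfigured classifiers of the traditional kind: one regex per easily
# recognised PII format. Labels are assumptions for this example.
CLASSIFIERS = {
    "email": re.compile(r"^[^@\s]+@[^@\s]+\.[A-Za-z]{2,}$"),
    "us_ssn": re.compile(r"^\d{3}-\d{2}-\d{4}$"),
    "payment_card": re.compile(r"^\d{13,19}$"),
}

# A column is tagged when at least this share of its sampled values match
# (assumed value; real tools make this configurable).
MATCH_THRESHOLD = 0.5


def luhn_ok(digits: str) -> bool:
    """Luhn check digit test, used to cut false positives on long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify_column(values):
    """Return (label, confidence) for the best-matching classifier, or (None, 0.0)."""
    best = (None, 0.0)
    if not values:
        return best
    for label, pattern in CLASSIFIERS.items():
        hits = [v for v in values if pattern.match(v)]
        if label == "payment_card":
            hits = [v for v in hits if luhn_ok(v)]
        confidence = len(hits) / len(values)
        if confidence >= MATCH_THRESHOLD and confidence > best[1]:
            best = (label, confidence)
    return best


def scan(columns):
    """Return (tagged, untagged): tagged maps column -> (label, confidence)."""
    tagged, untagged = {}, []
    for name, values in columns.items():
        label, confidence = classify_column(values)
        if label is None:
            untagged.append(name)
        else:
            tagged[name] = (label, confidence)
    return tagged, untagged


if __name__ == "__main__":
    tagged, untagged = scan(SAMPLE_COLUMNS)
    for name, (label, confidence) in tagged.items():
        print(f"{name:12s} -> {label} ({confidence:.0%} of sampled values)")
    print("untagged (invisible to prebuilt classifiers):", untagged)
```

Running it tags `email`, `ssn` and `card_number`, each at two thirds confidence because one sampled value in each column is malformed or fails the Luhn check, and reports `loyalty_ref` and `order_total` as untagged. Only the first of those two is harmless: the loyalty reference ties a record to an identifiable customer, but nothing in a prebuilt classifier set can recognise it, so discovery at this level has to come from learning the organisation's own value patterns and column relationships rather than from a fixed regex library.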

The good news is that AI and machine learning can be applied to automate the discovery of all your customer data across massive data estates with millions and billions of fields, as well as the subsequent governance of that data. SunTrust Banks, Inc., one of the nation’s largest financial services companies with total assets of $222 billion, is one organization that was successfully able to apply AI and machine-learning-driven automation to enable full-scale data governance specifically in response to CCPA. But most organizations haven’t even completed this crucial first step. At the most recent Catalyst Conference, speaker and Gartner analyst Sanjeev Mohan seemed stunned to discover that most of his audience of data professionals didn’t even know such automation capabilities existed.

In addition to detecting sensitive data, regulations require that the original business purpose for which the data was collected be tracked, as well as the business purposes for which the data is used. There is currently no place in the enterprise that keeps track of all the data sets, their original business purposes and their uses. Any organization – whether or not it is currently impacted by GDPR, CCPA or some other industry or government regulation – must consider solutions that directly address the challenges presented by the growing number of data privacy laws with software that:

  • Uses AI and machine learning to automatically discover the location of regulated data, no matter how unique to the organization the data is, where it is stored or how it is used.
  • Tracks the compliance status, including providing dashboards and reports on the levels of compliance, as well as tracking the compliance metadata required by the regulations, such as the business purpose for which the data was collected, the usage and purpose of the data and so forth.
  • Provides a comprehensive set of APIs and adapters so it can be integrated with other tools in the ecosystem that help to secure and manage the data, such as the various access control systems for managing access in different data sources, data masking tools for encrypting the data, workflow systems for provisioning the data and tracking its usage and so forth.

The data protections enjoyed in California and the EU are bound to eventually catch fire among other governments. Despite their best efforts to comply, data-driven, consumer-facing organizations that don’t embrace automation in data governance will continue to drown in their own data and find themselves increasingly unable to achieve compliance.


Tags: Artificial Intelligence (AI), Automation, California Consumer Privacy Act (CCPA), Data Breach, Data Governance, GDPR, Machine Learning
Alex Gorelik

Alex Gorelik is founder and CTO of data cataloging company Waterline Data and author of O’Reilly Media’s “The Enterprise Big Data Lake: Delivering the Promise of Big Data and Data Science.” Prior to Waterline Data, Gorelik served as senior vice president and general manager of Informatica’s Data Quality Business Unit, driving R&D, product marketing and product management for an $80 million business. He joined Informatica from IBM, where he was an IBM Distinguished Engineer for the Infosphere team. IBM acquired Gorelik’s second startup, Exeros (now Infosphere Discovery), where he was founder, CTO and vice president of engineering. Previously, he was cofounder, CTO and vice president of engineering at Acta Technology, a pioneering ETL and EII company, which was subsequently acquired by Business Objects.

© 2022 Corporate Compliance Insights