June 26, 2019
Getting Ready for CCPA: What to Do for Data Inventory
Posted by Pippa Akem
Has your organization recently begun, or is it about to begin, inventorying and mapping in-scope personal data, along with instances of “selling” data, in preparation for the California Consumer Privacy Act (CCPA)?
If so, you need insight into the scope of your organization’s processing activities and a true understanding of the value of your enterprise data. This may seem daunting, but be encouraged: this is very meaningful work, and it proactively sets you and your organization up for success. It is better to know now that personal information is being collected fairly and lawfully, and where data is stored, than to discover too late that your organization has not complied with its privacy obligations.
However you are feeling about data inventory, don’t despair! Here are some tips to help you prepare for the work ahead.
The Purpose of Data Inventory
Conducting a data inventory gives you visibility and a full understanding of your organization’s data assets. When done correctly, an inventory should disclose the data inputs and outputs of each of your systems and applications. For CCPA, the inventory should focus on identifying the in-scope personal data and ensuring your data handling practices meet CCPA requirements.
Conducting an Inventory
Your data inventory should include these steps:
- Step 1: Identify your data inventory team. Performing an inventory that involves multiple teams requires coordination, oversight and leadership. The first step to reduce inventory fatigue is to assemble a designated team from areas that will be impacted by CCPA.
- Step 2: Define the inventory scope and develop a questionnaire. The inventory team should drive scoping and deadlines, and provide guidance for completing the inventory and mapping work for the affected teams. When defining the scope of the data inventory and mapping work, the inventory team should consult with your legal team on the requirements and align efforts with internal privacy policies. Design a survey for use with the inventory and mapping activity.
- Step 3: Categorize data assets based on legal descriptions. Consult with your legal team on how to catalog and describe the data assets of the affected teams.
- Step 4: Check the quality of documented survey responses. Establish a process to follow up or validate the documented survey responses. Ensure that teams have a solid understanding of the personal data that is in scope for CCPA in their area and that the survey has been completed by the person(s) most knowledgeable about the system or application.
- Step 5: Prioritize your systems and applications. Focus first on the riskiest scenarios for CCPA compliance (i.e., where you are most likely to see regulatory and customer pressure first).
Creating a data inventory may seem like an overwhelming challenge. But with proper planning, you can accomplish this task efficiently and ensure CCPA requirements are met.
For more information on Armanino’s data privacy solutions, visit Risk Assurance & Advisory Privacy Services.
Prior to joining Armanino, she held privacy functions at Fortune 500 companies supporting General Data Protection Regulation (GDPR) implementation and the transition to California Consumer Privacy Act (CCPA) compliance. Pippa holds the Certified in Healthcare Privacy Compliance (CHPC) designation and is a member of the Health Care Compliance Association (HCCA) and the International Association of Privacy Professionals (IAPP).