July 16, 2019
Is CCPA Making Sense of Unstructured Data?
Posted by Pippa Akem
Is the California Consumer Privacy Act (CCPA) forcing your organization to create structure for your unstructured data? Beginning with a full inventory of the personal data companies house, the CCPA puts companies on the path to not only knowing what data they have collected, but also fully understanding and recording how they use or share that information.
While we understand that most transactions and engagements today involve a greater exchange of personal information than in the past, the need to have a valid reason for collecting this data should be closely scrutinized by the companies collecting it. When you think about it, a secondary benefit of the CCPA is that it will help companies define their focus by zeroing in on the quality of the data a company has – and not just the volume of information it gathers. (The General Data Protection Regulation, GDPR, is having a similar impact.)
If your company’s data operation includes processing unstructured data, you are likely challenged both by how to create structure for the data you must maintain and by how to dispose of the “extra stuff.” It’s obvious you cannot address the full spectrum of your organization’s privacy risks if you don’t fully understand the information you currently house.
We encourage you to view the new requirements as an opportunity to take control of the true data your company requires to do business — and put in place transparent processes that allow you to meet your compliance obligations and close trust gaps.
The CCPA and similar laws are mushrooming across the country and expose where privacy regulation is headed, with many states inclined to give consumers greater control over their personal information. The takeaway from the flurry of activities is that companies should not delay their compliance preparations. Instead, they should begin to draw up their roadmap for how they plan to respond to consumers’ privacy rights given their business practices.
With varying priorities and strategies for tackling privacy requirements, given that no business is exactly alike, there are still baseline rules to go by. Start with knowing what is done with the personal information that your organization has collected, document a business purpose, and identify the source of the information and who has access to it. Do not delay — when will you have time to structure your unstructured data if not now?
For more information on Armanino’s data privacy, inventory and mapping solutions visit Risk Assurance & Advisory Privacy Services.
Prior to joining Armanino, she held privacy functions at Fortune 500 companies supporting General Data Protection Regulation (GDPR) implementation and the transition to California Consumer Privacy Act (CCPA) compliance. Pippa holds the Certified in Healthcare Privacy Compliance (CHPC) designation and is a member of the Health Care Compliance Association (HCCA) and the International Association of Privacy Professionals (IAPP).