CCPA Forces Modern Approaches to Customer Information Governance

The CCPA deadline has come and gone. And, while the California attorney general won’t enforce the act until July 1, just 5 months before its effective date, a recent survey revealed that only slightly more than one in 10 business owners and executives were aware of whether the law even applied to their business. Alarmingly, almost half had never heard of the regulation.

CCPA isn’t the first of its kind. The act closely follows GDPR, which went into effect in 2018 to protect data privacy and security for consumers in the European Economic Area. We can expect to see a similar enforcement path—with the real fallout for non-compliant organizations coming once a data breach has occurred. Notably, Marriott and British Airways were fined £99 million and £183 million, respectively, for their failure to comply with GDPR, which was discovered as the result of data breaches. While the CCPA fines are not nearly this high, at only $7,500, the reputational damage can still be substantial. 

Furthermore, we can expect that CCPA is only the beginning in the U.S. There is similar proposed legislation in Massachusetts, New Mexico, New York, and Washington state—much of which closely aligns with CCPA. And, consumers are increasingly seeking more accountability from businesses as they become aware of the role organizations play in their data privacy and security. With this in mind, organizations not immediately impacted by CCPA should still take note and act fast to clean up their information act.

The Path to Information Chaos

Wrangling vast volumes of customer information to understand where to begin with compliance is arguably the single biggest challenge organizations face. In fact, a survey by AIIM revealed that 75% of organizations see information chaos as a major problem. Factors contributing to confusion include the following:

  • The simplification of the customer journey—Consumer information doesn’t simply reside in “name” and “address” fields within structured databases any longer. It lives in photos, scanned documents, PDFs of resumes, emails, and myriad other forms.

    Businesses have tried to make customer experiences easier, whether the customer is an end user or an internal user, such as the relationship between an employee and human resources. However, as experiences are streamlined, information management is made more complex.

  • Digital transformation—As enterprises have become more digital, they’ve adopted disparate operational tools that house important information. AIIM reports that 52% of enterprises have at least three enterprise content management systems, and 22% have more than five.

    Unfortunately, many of those systems don’t “talk” to each other, so there isn’t a simple way to query an organization’s systems to gather all information about a single customer, for instance. Instead, information may live in dozens of systems that must be individually parsed through.

  • Operational inconsistencies—Many organizations continue to manually manage records. With up to 2,000 systems in some enterprises, it’s not surprising that business users, even those with the best of intentions, don’t consistently file information when and where they should. Business users also often don’t know which information must be retained. And, that’s without considering employees who might view information management as a low-priority task.

    To combat these inconsistencies, many organizations have hired records managers to oversee documents and ensure retention schedules are followed for various records. However, with each new standard or regulation, these managers are fighting an increasingly uphill battle to stay on top of demands.

Looking at the current state of the information, security, and regulatory landscape, it’s clear that we’ve reached a breaking point. Traditional methods of records management and information security are not only siloed, but also leave room for human error. The way it’s always been done simply won’t suffice any longer.

Next-Generation Information Management

To overcome the information governance challenges and ensure compliance with new and upcoming regulatory demands, businesses must employ modern approaches that not only take advantage of the latest technology, but also consider information at an enterprise level.

Building a Strong Foundation

As with any strategic initiative, the foundation of a next-generation information management program first and foremost requires planning and a substantial investment of time and financial resources. In an economic impact assessment released in August 2019, the California Department of Justice forecast that compliance with CCPA would cost $467 million–$16.5 billion between 2020 and 2030. However, the regulation is expected to protect the $12 billion worth of personal information used in advertising annually in California alone.

To undergo the required transformation, businesses must appoint a data security and compliance officer. This individual will lead the charge in mapping out all of the organization’s systems and identifying what types of information reside in them. While the initial activity of creating a data map is a huge undertaking—particularly for enterprises that have 2,000-plus systems—it is essential. The map will provide a complete picture of what information the business has and where it originates. This will allow an assessment of personally identifiable information (PII) risks and, if the organization sells consumer information, help to identify where the business must provide consumers a “right to opt out.”

Building a data map is frequently a rushed task or skipped altogether, particularly as CCPA does not mandate the exercise. It is, however, worth noting that other regulations such as GDPR require organizations to implement this best practice. When businesses forgo the map, they often decide to only tackle a subset of their systems—perhaps the most obvious enterprisewide repositories. As a result, PII stored in peripheral tools is often not brought under an organization’s management programs, leaving the business vulnerable. 
