A Framework for Privacy Risk Self-assessment

With the recent raft of worldwide privacy legislation, and much more to come, organizations of all shapes and sizes are being forced to evolve the way they do business. Those SMEs that can’t bring their operations into compliance with the GDPR, CCPA and other data privacy laws worldwide will be at a significant competitive disadvantage, and may even find that continued non-compliant operation is simply unsustainable.

In this “adapt or die” scenario, the essential first step to getting compliant is for SMEs to perform a rigorous self-assessment of their present-state data operation.

There are three basic formats to self-assessment:

  1. Business units can analyze their practices.
  2. Different groups within the organization can review and analyze each other’s practices.
  3. A single appointed party can assess each unit in the business.

At Ethyca, we believe in empowering a Data Protection Officer to be a real focal point for all data-related business operations. So if scale permits, we recommend delegating full responsibility for the exercise to a DPO. Of course, each organization’s privacy self-assessment will be inherently different. However, the following aims to provide a framework that will serve as an excellent starting point for any business looking to evaluate its path to data privacy compliance: 

First: Plan the Objective of the Assessment

Is your organization trying to determine whether existing policies ensure regulatory compliance? Deciding the specifics of what to assess is a critical first step. 

Second: Conduct a Personal Information Inventory Check Across All Business Units 

This involves answering the following questions:

  • What personal information does the business unit collect?
  • How do you collect personal information and in which situations?
  • Why do you collect personal information?
  • Who in the company uses personal information?
  • Who has access to it?
  • Where and how do you store personal information?
  • What methods are used to ensure it is secure?
  • Is it disclosed outside the company? If so, to whom and why is it disclosed?
  • How long is the personal information kept, and when and how is it disposed of?

Only by answering these questions can businesses understand the work needed to bring themselves into a state of regulatory compliance. It’s vital that the DPO cross-check these answers against provisions in the GDPR, CCPA, and other relevant pieces of regulation. Additionally, you should actively cooperate with internal or retained legal counsel proficient in privacy law. The exercise should result in a set of tasks or processes to accomplish to reach the desired level of privacy compliance.

Last: Review Past Privacy Complaints 

Finally, we recommend reviewing privacy complaints as part of a privacy self-assessment, especially those that have arisen in the recent past; three years is a sufficient window. It will give you insight into where potential privacy pain points exist between your business and the consumer. That way, you can pay extra attention to these areas as you’re revamping them to be regulation-compliant. And if your organization doesn’t keep logs of such complaints, we’d like to say congratulations! You’ve uncovered another process that needs revamping to survive in the new competitive landscape!

Published from our Privacy Magazine – To read more, visit privacy.dev

How To Assess Vendors For Data Privacy Compliance

When small-to-medium enterprise (SME) team members begin to consider how the business landscape is changing in response to increased data privacy regulation, the procurement process is not usually high up on their list of answers. However, SMEs focusing too purely on in-house practices miss a key point. Both the GDPR and CCPA place new responsibilities on data controllers, in other words, the company or other body that determines the purpose and means of personal data processing. Controllers need to ensure all third-party vendors who touch their data are behaving in a compliant manner.

In short, the controller continues to hold responsibilities for compliance, even when outsourcing processing duties. In-house compliance alone will not suffice. It’s now incumbent on SMEs to ensure that the vendors they work with also adhere to worldwide privacy standards.

Furthermore, the auditing process should optimally take place upfront in the procurement stage. Contracts signed without the requisite due diligence can be difficult to back out of later, especially if it is revealed that a third-party vendor is operating in a non-compliant fashion. Businesses with deep existing ties to third-party vendors may not be able to start this audit process from the procurement stage. However, experts highly recommend that existing relationships be revisited and assessed from a compliance perspective.

With all that said, here are some of the questions that all SMEs should be asking their partners, whether it be during procurement due diligence or in the revisiting of an existing relationship:

First: Does the vendor have a Data Protection Officer?  

Under GDPR, DPOs are now legally required for companies processing large amounts of data. It’s almost a certainty that vendors who specialize in data processing infrastructure are operating at a scale that necessitates a DPO. Failing to cover this necessary compliance measure should be a disqualifying red flag in any SME’s procurement process.

Second: How often are the vendor’s policies for storing and processing data on behalf of partners reviewed and updated? 

Data compliance is rapidly changing and continually evolving. A telltale sign that a vendor lacks data privacy rigor is a lack of process for regular policy updates. This field is the opposite of “set it and forget it.” SMEs should be on the lookout for this when auditing vendors for suitability.  

Third: Does the vendor use its own sub-processors for the work it does on your behalf?

If so, what measures have they taken to ensure those entities operate in a compliant fashion? The data privacy chain extends to every processor that runs underneath the data controller umbrella. It includes “partners of partners.” If a vendor has others to help them do their work, they should be able to demonstrate the partners’ compliance. 

Fourth: Does the vendor have tools in place to rapidly identify and communicate a data breach? 

Under the auspices of GDPR and CCPA, data controllers now have a strict obligation to respond to data breaches concerning their data subjects, but if third-party vendors are slow to recognize and report a violation, controllers may have no chance of handling data breaches in a compliant fashion. Thus, reaction and response time are a crucial concern when evaluating a partner for suitability.

Last: What happens to data subjects’ information at the end of the partnership?

Without a clear-cut process for erasing subject data in a compliant fashion, it’s possible that a data controller gets stung by vendor negligence, even after their business relationship has ceased to exist. For this reason, it’s essential to have data sunsetting processes built into third-party agreements upfront. Otherwise, controllers have no legal recourse if vendors mistreat their data after completion of the contract.

What is the CCPA? A Guide to California Privacy Law

Introduction: What is the CCPA?

The California Consumer Privacy Act will come into effect on January 1, 2020. This fact may have a significant impact on your business. 

California is the crown jewel of the United States economy. If it were a standalone country, its $2.7 trillion GDP would be the fifth-largest in the world, sitting ahead of the United Kingdom. Combined with the state’s status as an incubator for tech innovation and consumer culture, this gives California outsized importance for all kinds of businesses operating at local, national, and multinational levels.

The CCPA forces enterprises reaching a particular scale to contend with it. Other states will soon follow suit with similar legislative pieces of their own, as California has long been a bellwether for US-wide tech legislation.

This guide examines the CCPA piece-by-piece, analyzing business impact, with particular attention given to the consequences for Small-to-Medium Enterprises’ (SMEs’) data management, systems, and practices.

The conclusion should make clear that the CCPA is nothing to fear for management and development teams. Teams that are proactive and thoughtful in adapting to CCPA prescriptions will get ahead in successfully achieving compliance. For those that don’t use the appropriate amount of care, the consequences can be severe.

Getting Started: What is the Scope of CCPA?

Reading through the CCPA is quite a different exercise to reading through the GDPR. For context, the GDPR is another major piece of consumer data protection legislation to emerge in recent times. The language of the GDPR is clear and its structure is logical. By contrast, the grammar of the CCPA is dense “legalese”, and the structure of the Act skips from one area to another without a consistent thread.

The CCPA is a series of builds or amendments to previously existing pieces of legislation, whereas the GDPR was an attempt to craft a comprehensive data protection policy from scratch. The upshot is that it’s most sensible to analyze the CCPA under topic groupings rather than from top to bottom. The first topic essential to consider is scope: to whom does the CCPA apply? There’s a host of ways businesses are subject to CCPA requirements.

How to Determine If your Business Qualifies

Regardless of the amount of data you collect, do you have gross revenue over $25 million? Then the CCPA applies to you. However, if you’re not operating at that scale and still collect, buy, or sell the personal information of over 50,000 people, households, or devices per year, then the CCPA also applies to you. If a business doesn’t process that amount of personal information, but still earns more than half of yearly revenue (no matter what number) from selling consumers’ data, then the CCPA is applicable. Of course, your company must also have a business presence in the state of California, because that’s as far as the legislation’s power extends.

Personal Data

“Personal Data” is the second scope-related question in the CCPA. Whereas other pieces of data legislation take an umbrella-view of defining what constitutes personal data, the CCPA attempts to spell out in more explicit detail the types of information that count. The list here is extensive and worth comprehensive review, but a pivotal point to realize is that the CCPA covers information that links to households as well as individuals.

In effect, this means that certain information is protected which would not be protected under other pieces of legislation because it can’t be associated with an individual. For example, TV viewing records or non-individual linked purchase behavior data are considered personal data under the CCPA because they are linked to a household.

Digging Deeper: What are the Intentions of the CCPA?

Once you address the question of scope, it’s possible to begin examining the intentions of the California Consumer Privacy Act and, at macro-level, the measures it takes to achieve those intentions. 

Section 2 of the Act explicitly outlines the aim of this piece of legislation – empowering citizens of California to:

  • Know what personal data organizations are collecting about them
  • Know if/when personal information is sold or disclosed and to whom
  • Say “no” to the sale of their data
  • Access the personal data that an organization has collected about them
  • Obtain equal service and price from companies collecting personal data. 

Right away, a development team or project manager tasked with architecting their SME’s data infrastructure should see that these aims, if adequately supported by the legislation, carry far-reaching consequences for how businesses build their data management systems.

The old notion of siloing company data is dead. Data is no longer an inert mass. It is information continuously added and subtracted through interaction with company employees and product consumers. Businesses will face real challenges with being and staying CCPA-compliant. They need flexibility and agility built into the architecture, from collection and storage to retrieval and analysis.

Business Obligations: CCPA’s Impact on the Data Landscape

Given the objectives stated, what are the concrete steps businesses must take to avoid running afoul of the CCPA? Here’s a summary of the most important:

Companies must be able to disclose to a requesting consumer the categories and specific pieces of personal information that the business has collected.

Businesses must have both a clearly signposted method for consumers to lodge a request for information and a streamlined system for disaggregating an individual’s data from their database. They need to deliver it in a timely fashion too. It’s worth noting that a business is obligated to provide this information up to two times in twelve months. Though it may seem self-evident, this means a system is needed to track information requests so that one individual doesn’t overly burden the system.

Consider that even some businesses operating at scale don’t possess a system for request intake nor keep a single-location record of information requests. In this scenario, it’s entirely feasible that a single individual could take up far more valuable staff time than legally necessary through repeated information requests.

These are easy solves when considered upfront but can be challenging if retrofitted only when the problem becomes evident. An additional requirement of this capability is that the delivery of this data must be free and in reasonably consumable form, which means that businesses can’t charge a consumer to receive a record of their data, and they also can’t present that data in some arcane file format that the consumer will have difficulty decoding.

All in all, this requirement could lead to significant business impact for companies that are not already up to speed on current best practices for data management.

At or before the point of data collection, businesses are required to inform consumers of the categories of personal information they intend to collect and the purpose for using specific types of personal information.

For any SME operating on “highest common denominator” principles, this will be no surprise. After all, this is already a requirement under GDPR law. It’s reasonable to expect that as the world follows in the footsteps of the CCPA and GDPR, upfront disclosure of data collection will become a standard legal procedure. 

In practice, this can have a range of implications for a company’s customer experience on- and offline, such as:

  • A pop-up box for consent to cookies
  • An opt-in screen before a user enters the purchase funnel 
  • Changes to the purchase experience in physical store locations that are passively collecting data on in-store customer behavior

Under CCPA law, some forms of personal information are protected that can’t be tied directly to an individual. To fully understand how this CCPA requirement could change the way a company does business, an in-depth audit will often be necessary.

Lastly, businesses and marketers collecting information on consumers need to be able to wipe out that information entirely upon request.

Not only that but in many cases, the business must be able to direct related service providers who utilize this info to wipe it also. It does not matter whether the data has been sold as part of a second-party set or shared as part of a service-delivery process; the requirement stands. 

This obligation demonstrates that businesses operating under CCPA jurisdiction have no choice but to end antiquated “data-silo” operations, especially those that made ongoing alterations to a data store difficult and time-consuming. Businesses will have to ensure their partners and data clients have this same capability, since they can be held liable for a partner’s failure to remove records from a database.

What are the Costs for Violating CCPA?

Of course, the CCPA couldn’t hope to be a compelling piece of privacy legislation without effective enforcement mechanisms to keep companies honest. What are the consequences for organizations that run afoul of its prescriptions? To put it straight, they can add up quickly.


A person, business, or service provider found in violation of the CCPA is subject to a court injunction. They are also liable for a civil penalty of up to $2,500 per unintentional violation and $7,500 per intentional violation. 

The critical thing to remember is that for companies dealing with large amounts of personal data, violations likely won’t number in the tens, hundreds, or even thousands of customers. A systemic violation of CCPA provisions can quickly put a six-digit multiplier on the $2,500 or $7,500 fine. 

Civil Suit

For many SMEs, this could prove a high enough number to sink them entirely. That’s not all. Apart from civil liability, consumers can bring action of up to $750 per incident, plus the value of personal damages. A business failing to simply notify their consumers that they’re collecting web data can quickly find themselves looking down the barrel of a damaging class-action civil suit.

In essence, the CCPA is a piece of legislation that takes data protection seriously. It has the enforcement clout to make businesses take it seriously too. The bill becomes the law of the land on January 1, 2020. Companies with a footprint in California have approximately six months as of the time of writing to ensure they’re not at risk for severe financial penalties. 

First Steps: How Should Teams Prepare for the New Data Landscape?

Time to take action! What are the steps that teams should take now? Let’s examine some of the critical steps any business can take to prepare.

Conduct a Review of Existing Data Architecture.

If you’re a typical SME preparing for what lies ahead, your first step is to comprehensively review data operations. Prepare data maps, inventories, and other records to catalog all points of collection, storage, retrieval, and exploitation of personal information relating to California-based consumers. Only through this exercise can a business accurately plan for the changes needed to be CCPA-compliant.

Consider more than California-only web/mobile/business models

For companies operating at a global scale, we recommend adopting a highest-common-denominator approach to a full data architecture redesign. It future-proofs operations, saving time and money due to a decreased need for bespoke solutions based on territory.

For companies with a smaller footprint, however, it may be worthwhile to examine building California-specific consumer experiences. Your SME can decide on the best business option by following the previously mentioned systematic audit of current data operations.

Ensure there are available online and offline methods for submitting Data Access Requests

The CCPA requires companies to consider their relationship with consumers. The CCPA mandates a toll-free number dedicated to submitting data access requests, so businesses must ensure their intake system isn’t online-only.

Provide a Clear “Do Not Sell My Personal Information” Option on web properties

This is another non-negotiable requirement of the CCPA. California citizens or those authorized to represent them must be able to designate that their data is not for sale. A user who selects this option can’t suffer a diminished experience because they don’t want their data sold. In contrast, the GDPR does allow companies to alter their experience if customers don’t want their data monetized.

Plan New Systems That Can Perform The Following Functions

  • Verify the identity of individuals who request data access or data deletion
  • Respond to requests for data access or deletion within 45 days
  • Determine the age of a California resident. Companies must obtain parental consent for data collection for users under 13. If they don’t have a way to determine the user’s age, they can be held liable for disregarding this obligation.
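As an added illustration (not code from the original post or from Ethyca), the following Python sketch shows how a request intake ledger could support the first two functions above together with the two-requests-per-twelve-months limit discussed under business obligations: it refuses unverified identities, counts accepted requests per consumer over a rolling twelve-month window, computes the 45-day response deadline, and reports open requests that have missed it. The class, function names and the consumer identifiers are assumptions; the 45-day and two-per-year figures come from the guide.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# 45-day deadline and two-per-twelve-months limit are from the guide; the rest is assumed.
RESPONSE_DEADLINE_DAYS = 45
MAX_REQUESTS_PER_WINDOW = 2
WINDOW_DAYS = 365


@dataclass
class AccessRequest:
    consumer_id: str                  # hypothetical internal id of the data subject
    received: date
    completed: Optional[date] = None  # set once the data has been delivered

    @property
    def due(self) -> date:
        return self.received + timedelta(days=RESPONSE_DEADLINE_DAYS)


class RequestLedger:
    """Single-location record of accepted access requests (constructed example)."""

    def __init__(self) -> None:
        self._requests: List[AccessRequest] = []

    def requests_in_window(self, consumer_id: str, as_of: date) -> List[AccessRequest]:
        """Accepted requests from this consumer in the twelve months ending on as_of."""
        window_start = as_of - timedelta(days=WINDOW_DAYS)
        return [r for r in self._requests
                if r.consumer_id == consumer_id and window_start < r.received <= as_of]

    def submit(self, consumer_id: str, received: date, identity_verified: bool) -> str:
        """Accept, decline or reject a request and report the resulting status."""
        if not identity_verified:
            return "rejected: identity not verified"
        if len(self.requests_in_window(consumer_id, received)) >= MAX_REQUESTS_PER_WINDOW:
            return "declined: two requests already served in the last twelve months"
        req = AccessRequest(consumer_id, received)
        self._requests.append(req)
        return f"accepted: respond by {req.due.isoformat()}"

    def complete(self, consumer_id: str, received: date, completed: date) -> None:
        # Mark the matching open request as fulfilled.
        for r in self._requests:
            if r.consumer_id == consumer_id and r.received == received and r.completed is None:
                r.completed = completed

    def overdue(self, as_of: date) -> List[AccessRequest]:
        # Open requests whose response deadline has already passed.
        return [r for r in self._requests if r.completed is None and as_of > r.due]


def demo() -> Dict[str, object]:
    """Walk one constructed consumer through verification, the limit and the deadline."""
    ledger = RequestLedger()
    out: Dict[str, object] = {}
    out["unverified"] = ledger.submit("consumer-7", date(2020, 1, 1), identity_verified=False)
    out["first"] = ledger.submit("consumer-42", date(2020, 1, 15), identity_verified=True)
    out["second"] = ledger.submit("consumer-42", date(2020, 3, 1), identity_verified=True)
    out["third"] = ledger.submit("consumer-42", date(2020, 6, 1), identity_verified=True)
    out["overdue_before_completion"] = len(ledger.overdue(date(2020, 3, 5)))
    ledger.complete("consumer-42", date(2020, 1, 15), date(2020, 2, 20))
    out["overdue_after_completion"] = len(ledger.overdue(date(2020, 3, 5)))
    out["fourth"] = ledger.submit("consumer-42", date(2021, 2, 1), identity_verified=True)
    return out
```

Note that a request declined because the limit was reached is not recorded, so it never counts toward a later window; whether to log declined requests separately is a policy decision for the business.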


If this seems like a significant amount of work, it’s because it is.

Since its inception, the Internet has been a relatively lawless environment regarding consumer protection. Now the days of the Internet as a Wild West are genuinely drawing to a close. Just like in the physical world, businesses that wish to profit must follow the rules or face the consequences. Luckily with the proper foresight and attention, CCPA compliance can be a straightforward exercise that doesn’t break the balance sheet.
