CCPA Step 09: Perform annual risk assessments
The CCPA requires businesses that may "create risk" to consumer privacy to perform annual cybersecurity and risk audits. These regular risk assessments must be submitted to the California Privacy Protection Agency.
A risk assessment should be performed wherever you process any type of personal information. Ultimately, the objective of a risk assessment is to evaluate whether the purpose for which you process the data poses a risk to the user that outweighs the value you expect to gain from processing it.
In order to conduct a risk assessment, you will want to review each data processing activity you are performing and look at:
| Title | In simple terms... | Description |
|---|---|---|
| Data Categories | Is the data necessary? | The type, or category, of personal data you are processing and whether it is truly necessary to perform the process you are conducting. |
| Necessity of the Process | Is the process necessary? | This may seem obvious, but you should ask yourself "is the thing I'm doing with this data truly necessary?" That is to say, is it really adding value for the user or necessary for my business, or is it just creating unnecessary risk for the user? |
| Data Retention Policy | Are we deleting data quickly? | Are we disposing of data as quickly as we reasonably can, to minimize what we hold and reduce the risk to our users? |
| Location | Where is the data traveling to? | Because privacy policies differ internationally, data flowing between geographies creates risk for your users. For example, data transfer between the EU and the US is only permitted under specific contractual conditions, so understanding data residency or location is vital. |
| Data Processing Agreement | Are our vendors' policies and agreements up to date? | You are responsible for ensuring that your vendors comply with your security and privacy practices for the safety of your users. |
| Security Controls | Is our users' data secure? | A broad review of security controls to ensure that your business is adequately protected is key. |
Unlike Europe's GDPR, there is no single standard form for risk evaluations today. However, answering the above questions for your business regularly and recording each evaluation as part of an audit trail will set you up for success as a basic process for evaluating privacy risks.
If you're unsure how to configure your website, app, or footer for CPRA's data sales and sharing regulations, ask a question on the Fides Slack Community, or get Privacy Engineering Intelligence from Ethyca now.