Commentary

Son Of GDPR: Are You Ready For The CCPA?

Has anyone noticed a certain ho-hum quality around the subject of GDPR? U.S. businesses have a more looming challenge on their hands: getting ready for the California Consumer Privacy Act (CCPA).

The bad news is that 56% don’t expect to be prepared by the Jan. 1, 2020 enforcement date, according to a study released Tuesday by PossibleNOW.

That means they’re not ready to guarantee these consumer rights, as enumerated in a Tuesday post by Net Security: Allowing consumers to know what personal data is being collected about them and where that data is being sold or disclosed.

Under CCPA, individuals have the right to access this data, prohibit its sale and request its deletion, Net Security notes.

The laggards have many reasons for being behind, according to PossibleNOW. For instance, 35% are daunted by the cost.

Yet the study states that the cost of compliance technology is less than that for one full-time employee.

Another 32% are simply waiting to see how the CCPA will be enforced. This is a dangerous game, given that firms can face fines of $2.5 million to $7.5 million for mishandling 1,000 consumer privacy requests.

Another 17% feel their company isn’t big enough to be fined, and 11% say the law is new to them — they don’t know enough about it. Finally, 4% don’t think CCPA applies to them.

“Just as with GDPR, a significant number of businesses are caught between the cost and effort of complying with CCPA and the probability of enforcement actions against them,” states Eric Tejeda, marketing director at PossibleNOW.

Tejeda adds: “There are heightened concerns surrounding the CCPA specifically because of California’s strict approach to legislation across all facets of business within the state.”

What to do? Hook up with an outside resource and automate your compliance process.

In a recent post, Erwin suggests that you automate:

  1. Catalog systems — All stakeholders should be able to "see the interrelationships of data assets across the organization."
  2. Govern PII “at rest” — Classify and flag use of personally identifiable information regardless of where it is stored.
  3. Govern PII “in motion” — Scan, catalog and map PII to see how it moves both in and out of the organization.
  4. Manage policies and rules — Facilitate lineage and impact analysis views that depict relationships between physical data catalogs and the applications that use them.
  5. Strengthen data security — Understand regulatory risks while fortifying and encrypting security standards and policies. Above all, know where all PII is stored, processed and used. 
1 comment about "Son Of GDPR: Are You Ready For The CCPA?".
  1. Dan Kidd from Datawallet, August 21, 2019 at 4:35 p.m.

    Many companies view CCPA as a regulatory obligation that they are dreading and relegate a minimum compliance strategy to their IT and Legal teams.  Other companies see the opportunity of a Consumer First Data Strategy and provide Transparency and Control for their Consumers which results in increased Trust, Loyalty and Lifetime Value. 


    At Datawallet, we believe that CCPA marks the shift of control of user data to the Consumer and the companies that approach it as an opportunity will reap the benefits for years to come. Deeper, Trust-based Consumer relationships that facilitate deep sharing of Data and Hyper Relevant Consumer experiences will become the new normal.
