CCPA Data Mapping: What Do You Need To Know?

Level 2: Data Discovery and Inventory

While gathering data from surveys and forms from stakeholders is a good first step, many gaps may still arise in this approach. Inputs provided may not be complete, new data assets may require periodic monitoring, and assets may evolve and change over time. Organizations can ensure accuracy with continuous data scanning and discovery in Maturity Level 2, in which an organization’s data assets and records within the data catalog are automatically updated, and risk assessments and workflows can be triggered by the results of these scan jobs. To ensure the accuracy of the information provided, organizations can use Maturity Level 2 automated data mapping to:

1. Scan on-premises and cloud-based data assets, applications, and databases.
2. Update data catalog details regarding assets and processes based on data scanning and discovery insights.
3. Generate automated data processing assessments and reports that trigger assessments based on data attribute changes or the discovery of new data attributes in data assets.
4. Track risks associated with data processes that are dynamically updated using automation.

Level 3: Robotic Automation with PrivacyOps

Securiti’s Data Mapping Automation simplifies the migration journey providing a comprehensive PrivacyOps framework for all your data compliance needs with Robotic Automation. People Data Graphs (PDGs) can be created within data maps to link personal data to its user identity enabling automated DSR fulfillment and other privacy compliance functions. Organizations can:

1. Discover personal information among all data assets and link it with individual identities.
2. Create a comprehensive dashboard of every individual, including personal data records, data residency information, data stores and locations of those data stores, data objects, and identities.
3. Fulfill DSAR requests and identify cases of cross-border data transfers.

Reasons Data Mapping is Required for CCPA

CCPA applies to certain businesses that are operating in California or collecting personal information of the residents while doing business in California, and it requires organizations to be responsible and accountable for the personal information they collect. This is not possible unless a CCPA-compliant data mapping activity is conducted. CCPA-compliant data mapping activity is required by an organization for the following reasons:

1. Identifying protected PII: The CCPA provides a unique and broad definition for personal information. Any information that identifies relates to, describes, and is reasonably capable of being associated with a particular California consumer or household qualifies as personal information. CCPA also provides relatively novel requirements around biometric information, education information, geolocation information, and household information, qualifying them as PII. To ensure data covered by the CCPA is adequately protected, organizations will need to know what data they hold within their data stores which is only possible if they conduct a data mapping activity.
2. Knowing where the PII is coming from: Under the CCPA, organizations should state the category of sources from where PII is collected in their Privacy Notices. Modern organizations collect and process data from thousands of individuals every day across thousands of sources. In order to keep track of PII, organizations need to map their collection points - whether that would be someone filling a form or cookies dropped on their website, an organization should know where the data is coming from at all times to ensure it meets its regulatory requirements. It is also important to note that knowing where data is coming from can help ascertain what types of protections are to be enforced on it, i.e., PII collected from public sources is exempt from CCPA protections.
3. Managing consumer requests: Once PII is collected from the consumer, it needs to be stored in an efficient manner and should be easily trackable. This is because CCPA provides consumers the right to request access to their information and to have it deleted. An organization must verify, fulfill and respond to this request within a 45 days time period (extendable to a total of 90 days) or risk facing regulatory sanctions. With the hyperscale era upon us and multi-cloud storage on the boom, this can be a challenge if the data has not been mapped and is stored in an unstructured data store or system.
4. Protecting stored PII: Additionally, the CCPA provides consumers the right to bring private actions against covered businesses if their PII is breached and exposed due to an organization’s inability to implement and maintain reasonable security procedures and practices appropriate to the nature of the information. How can organizations take different security measures for data stores depending on the nature of the PII stored within them without mapping its systems and stores and assessing and tracking the risk posed to them?
5. Keeping track of the PII your organization collects, processes, and shares: Keeping track of collected PII, where it has been shared, and what processes it is undergoing is very important to comply with many different requirements of the CCPA. For e.g., Under the CCPA, if a consumer requests to opt out of the sale of their personal information, this opt-out request has to be relayed to all the third parties the PII has been shared with. Without a data map, it would be impossible for organizations to communicate this request since it would not know which third parties the requesting consumer’s PII has been shared with.

Benefits of Automated CCPA Data Mapping

There are various ways automated CCPA data mapping can benefit organizations in the US and beyond.

• Data is growing, and so as the systems containing the data. Data mapping is a pretty arduous task that thorough data collection, analysis, and record keeping. Doing such tasks manually is fairly time-consuming. Automation can help ease the process saving organizations the time and the resources to map data.
• Apart from consuming a lot of time, manual data mapping can further lead to incorrect mapping, which may result in inconsistency. CCPA data mapping automation leverages AI algorithms to discover data, maps it to regulatory context, and ensure accurate mapping.
• Data visibility is yet another important reason why organizations must automate their data mapping process. Automation enables better accuracy in identifying, classifying, and cataloging all data for effective data mapping. This way, organizations also get to have complete visibility of their data.

What's Next?

With data growing rapidly and regulations such as the CCPA encouraging organizations to keep track of their data, organizations will need to automate their processes in order to stay compliant with privacy regulations. Data mapping with manual methods is just not going to cut it, given the added time, cost, and resources - not to mention the risk of data sprawl and human error.

For a strong and reliable data mapping structure, businesses should adopt the PrivacyOps framework. This investment not only ensures compliance with current laws like the CCPA but also keeps organizations prepared for evolving regulations, such as the California Privacy Rights Act (CPRA), which is now in effect.