The CPRA introduces certain GDPR-inspired obligations that the CCPA regulations did not include, such as data minimization requirements and a requirement to disclose the retention period for each category of personal information (PI) and sensitive personal information (SPI) collected.
If a retention period cannot be specified for each category of PI or SPI, the business must instead disclose the criteria used to determine that period. The statute further prohibits retaining personal information for longer than is reasonably necessary for the purpose for which it was collected.
Meeting this obligation requires businesses to first scan their structured and unstructured systems to detect the categories of data they hold and the metadata that drives retention decisions, such as the purpose of collection, file creation date and age. The discovered data and its labels then need to be mapped to the corresponding consumer. This allows a business to track data whose retention period has expired and therefore must be deleted to remain compliant.
Cyber Security Audits and Risk Assessments
The CPRA also requires businesses whose processing of personal information "presents significant risk to consumers' privacy or security" to perform a cybersecurity audit on an annual basis, and the audit must be thorough and independent. To determine whether processing presents significant risk, the statute names the following factors:
- The size and complexity of the business.
- The nature and scope of its processing activities.
The CPRA will also require these businesses to submit risk assessments of their processing activities to the California Privacy Protection Agency (CPPA) on a regular basis. Each assessment must weigh the privacy risks created by the processing activity against the benefits resulting from it. Whether the processing involves consumers' sensitive personal information is one factor that bears on that evaluation.
Businesses should begin identifying higher-risk processing activities now and build a robust risk assessment framework to meet this requirement. That framework lets the business conduct risk assessments on time and identify problem areas quickly. An effective data discovery process is the first significant step toward properly auditing and assessing processing activities: without knowing what data is being collected and stored, where it is held, and for what processing purposes, a business cannot begin to evaluate the risks its processing activities produce.
Under Section 1798.155(a) of the CPRA, a violation involving the personal information of consumers whom the business, third party, service provider or contractor has actual knowledge are under 16 years of age carries an administrative fine of up to $7,500 per violation, the same amount that applies to an intentional violation, rather than the $2,500 that applies to other violations.
Businesses therefore gain a lot from being able to discover children's personal information within their data stores, so that they can apply added protection to it and remain in compliance with the CPRA.
Monitoring Third Parties’ and Vendors’ Compliance
Under Section 1798.100(d), the CPRA requires businesses to enter into contracts with the service providers, contractors and third parties to which they sell, share or disclose personal information.
The contracts must specify that the personal information is sold or disclosed by the business only for limited and specified purposes, and must obligate the third party, service provider or contractor to comply with applicable obligations under the CPRA and to provide the same level of privacy protection the CPRA requires for the transferred personal information.
The CPRA further requires that the contracts grant the business the right to take reasonable and appropriate steps to help ensure that the third party, service provider or contractor uses the transferred personal information in a manner consistent with the business's obligations.
In addition, under the definitions in Sections 1798.140(j) and 1798.140(ag), the CPRA provides that a contract with a contractor or service provider may, subject to agreement with that party, permit the business to monitor its compliance with the contractual limitations and protections through measures including ongoing manual reviews and automated scans, and regular assessments, audits or other technical and operational testing at least once every 12 months.
An automated data discovery process is essential not only for mapping the flows of California consumers' personal information, so that the business takes adequate steps to protect what it transfers, but also, where the contract permits it, for scanning the data inventories of third parties, service providers and contractors to verify that they are honoring the CPRA's obligations and the required contractual protections.
What an Effective CPRA Data Discovery Process Looks Like
- An effective data discovery tool must integrate with an organization's disparate data assets through native connectors, so that discovery is frictionless and accurate across both sanctioned and shadow data assets.
- The tool needs to scan those assets for metadata, such as vendor information or encryption status, and catalog it under relevant categories.
- It then needs to discover data in structured and unstructured stores with high accuracy and, using contextual analysis, classify personal information and sensitive personal information into accurate categories and data elements, such as CVV, username, password, routing number and unique personal identifier.
- It should support regional labeling so that specific data attributes can be labeled according to regional privacy regulations, and should let system administrators apply other essential labels, such as sensitivity, policy and privacy labels.
How Securiti Streamlines Data Discovery for CPRA Compliance
Securiti delivers a 360-degree suite that enables hyper-scale organizations to efficiently meet security, governance and compliance requirements. With Securiti's AI/ML-enabled Data Discovery solution, organizations can streamline and automate their data discovery process. The solution enables organizations to:
- Discover structured and unstructured data assets spread across on-premises and multi-cloud environments
- Create a single repository of searchable data assets, with accurate metadata
- Discover and categorize disparate data across structured and unstructured data stores
- Classify and tag relevant metadata
- Tag specific attributes for global and regional compliance
Request a free demo today to learn more about Securiti’s Data Discovery solution.