When the California Privacy Rights Act (CPRA) comes into effect, replacing the existing California Consumer Privacy Act (CCPA), organizations will have to change their current business practices around personal information handling.
One significant change will be the Regular Risk Assessments that covered businesses will have to conduct, complete and submit to the California Privacy Protection Agency (CPPA). The exact requirements of these Regular Risk Assessments will be defined by the CPPA through its rulemaking efforts, which should ideally be completed by July 1st 2022.
Regular Risk Assessments, which are similar to the more widely known Data Protection Impact Assessments (DPIAs) under Article 35 of the GDPR, may be an added responsibility for Californian organizations, but they may also turn out to be a welcome obligation. Their purpose is to help organizations evaluate their processing activities, identify privacy risks, and mitigate or filter out any practices that may pose an immediate or long-term threat to the privacy of their customers’ personal information, reducing the organization’s liability in the long term.
Read on to learn more about what exactly a Privacy Impact Assessment is, how organizations conduct them, and how they can benefit from them.
Securiti’s CPRA assessment evaluates your readiness for CPRA and reviews how compliant your current practices are. This assessment highlights any deficiencies in your practices and aids your CPRA compliance efforts.
For more information about the California Privacy Rights Act (CPRA) and how to kickstart your CPRA compliance program, see our CPRA Compliance Checklist here and download our white paper on 7 Essential Tips to Prepare for the CPRA.
A Privacy Impact Assessment (PIA) is a thorough evaluation of an entire organization’s privacy practices and how effective the organization is in ensuring that none of its users are exposed to any unwarranted risk.
These assessments became crucial in most data privacy regulations after the GDPR introduced the Data Protection Impact Assessment (DPIA) under Article 35.
Per the official GDPR text, organizations are required to carry out comprehensive data protection impact assessments,
“Where a type of processing, in particular, using new technologies, and taking into account the nature, scope, context, and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons….”
Such assessments aim to test how robust and effective an organization’s privacy practices are. They judge an organization’s data processing capabilities, the legitimate interest pursued by the controller, and all the safeguards, security measures, and mechanisms in place to ensure the protection of personal data.
These data protection impact assessments are carried out under the direction and supervision of the organization’s Data Protection Officer (DPO).
Of course, like any business practice, an organization would want to know how exactly they are benefiting from a PIA. Some of the benefits an organization can expect are the following:
All that being said, the key question remains how a business that has to abide by the CPRA can prepare itself for the risk assessments and audits that lie ahead. While the process may not be straightforward, it becomes considerably easier when a business has a clear idea of where to begin, what to know, and how to determine the best options.
Here are some steps any business can take to initiate their risk assessments:
The CPRA text itself does not provide a sample of what an ideal privacy risk assessment should look like. However, by triangulating information such as the required documentation and the outlines of similar data protection impact assessments under the GDPR, it is reasonable to state that any reliable privacy risk assessment under the CPRA should include the following:
The CPRA has some exemptions in its official text, such as employees’ data, which is excluded from certain provisions such as the right to deletion. Any organization subject to the CPRA must work closely with its data privacy professionals to design a privacy risk assessment that not only ensures regulatory compliance but also delivers a reliable assessment that can be leveraged to improve the organization’s data processing activities in general.
The CPRA will replace the CCPA on 1st January 2023. When it comes into effect, it will have lasting implications for businesses operating in the region. Some of these implications are not yet exactly known, as the CPPA still has to issue the rules and regulations that define them; these are expected to come into force on July 1st 2022. The requirement for businesses to conduct Regular Risk Assessments is one of those obligations that must be defined by the CPPA. But based on the text of Section 1798.185(a)(15)(B) of the CPRA, we can highlight some of the salient features of CPRA Regular Risk Assessments:
The CPPA is required to create regulations that will require covered businesses whose processing of consumers’ personal information presents a significant risk to consumers’ privacy or security to conduct these assessments. What type of processing is considered to present a ‘significant risk’ to consumers’ privacy or security is not defined, and its threshold will therefore have to be set by the CPPA.
Businesses will be required to conduct these risk assessments and submit them to the CPPA on a regular basis. This requirement differs somewhat from the Article 35 requirement of the GDPR to conduct Data Protection Impact Assessments (DPIAs), which need only be conducted prior to the processing or when there is a material change in the processing operations.
Regular Risk Assessments of risky data processing activities will need to highlight the use of Sensitive Personal Information.
Businesses subject to the CPRA conducting Regular Risk Assessments shall have to identify and weigh the benefits resulting from the processing to the business, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with such processing.
The CPRA explicitly requires businesses to eliminate processing activities which, in the Regular Risk Assessments, are found to create more potential risks to the rights of the consumer than benefits for the business, the consumer, other stakeholders, and the public.
Businesses will not be required to divulge trade secrets when conducting and submitting CPRA Regular Risk Assessments.
The CPRA, like every other data protection law, goes to great lengths to ensure that strict security measures are in place so that the users’ data being collected is adequately protected. Privacy Impact Assessments may seem tedious to most businesses at the start, but at their core they give every business a realistic view of how well its infrastructure protects its users’ data privacy.
Of course, due to both the sheer volume of data involved and the relative inexperience of most businesses with this practice, implementing these assessments within an organization can be considerably harder in practice.
That’s where Securiti can help you.
Securiti is a market leader in providing enterprise solutions in data governance and data compliance. Thanks to its acclaimed artificial intelligence and machine learning-based algorithms, Securiti can automate these privacy impact assessments while highlighting the gaps that exist in current practices.
Request a demo today to learn more about how else Securiti can aid your organization’s CPRA compliance efforts.