When the California Privacy Rights Act (CPRA) comes into effect, replacing the existing California Consumer Privacy Act (CCPA), organizations will have to change their current business practices around personal information handling.
One significant change will be the Regular Risk Assessments that covered businesses will have to conduct, complete and submit to the California Privacy Protection Agency (CPPA). The exact requirements of these Regular Risk Assessments will be defined by the CPPA through its rulemaking, which should ideally be completed by July 1st 2022.
Regular Risk Assessments, which are similar to the more widely known Data Protection Impact Assessments (DPIAs) under Article 35 of the GDPR, may be an added responsibility for Californian organizations, but they may also turn out to be a welcome obligation. Their purpose is to help organizations evaluate their processing activities, identify privacy risks, and mitigate or eliminate any practices that pose an immediate or long-term threat to the privacy of their customers’ personal information, which reduces the organization’s liability in the long term.
Read on to learn more about what exactly a Privacy Impact Assessment is, how organizations conduct them, and how they can benefit from them.
Securiti’s CPRA assessment evaluates your readiness for the CPRA and reviews how compliant your current practices are. This assessment highlights any deficiencies in your practices and aids your CPRA compliance efforts.
For more information about the California Privacy Rights Act (CPRA) and how to kickstart your CPRA compliance program, see our CPRA Compliance Checklist here and download our white paper on 7 Essential Tips to Prepare for the CPRA.
A Privacy Impact Assessment (PIA) is a thorough evaluation of an entire organization’s privacy practices and how effective the organization is in ensuring that none of its users are exposed to any unwarranted risk.
These assessments became crucial in most data privacy regulations after the GDPR introduced the Data Protection Impact Assessment (DPIA) under Article 35.
Per the official GDPR text, organizations are required to carry out comprehensive data protection impact assessments,
“Where a type of processing, in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons…”
Such assessments aim to test how robust and effective an organization’s privacy practices are. The assessments judge an organization’s data processing capabilities, the legitimate interest pursued by the controller, as well as all the safeguards, security measures, and mechanisms to ensure the protection of personal data.
These data protection impact assessments are carried out under the direct orders and supervision of the organization’s Data Protection Officer (DPO).
Of course, as with any business practice, an organization will want to know how exactly it benefits from a PIA. Some of the benefits an organization can expect are the following:
All that being said, the key question remains how a business that has to abide by the CPRA can prepare itself for the risk assessments and audits that lie ahead. While the process may not be straightforward, it becomes considerably easier if a business has a clear idea of where to begin, what to know, and how to determine the best options.
Here are some steps any business can take to initiate their risk assessments:
The CPRA will replace the CCPA on 1st January 2023. When it comes into effect, it will have lasting implications for businesses operating in the region. Some of these implications are not yet known exactly, as the CPPA still has to issue the rules and regulations that define them; these are expected to come into force on July 1st 2022. The requirement for businesses to conduct Regular Risk Assessments is one of those obligations that must be defined by the CPPA. But based on the text of Section 1798.185(a)(15)(B) of the CPRA, we can already highlight some salient features of CPRA Regular Risk Assessments:
The CPPA is required to issue regulations requiring Regular Risk Assessments from covered businesses whose processing of consumers’ personal information presents a significant risk to consumers’ privacy or security. What type of processing is considered to present a ‘significant risk’ to consumers’ privacy or security is not defined in the statute, so the threshold will have to be set by the CPPA.
Businesses will be required to conduct these risk assessments and submit them to the CPPA on a regular basis. This differs from the Article 35 requirement of the GDPR, under which Data Protection Impact Assessments (DPIAs) need only be conducted prior to the processing or when there is a material change in the processing operations.
Regular Risk Assessments of risky data processing activities will need to highlight the use of Sensitive Personal Information.
Businesses subject to the CPRA conducting Regular Risk Assessments shall have to identify and weigh the benefits resulting from the processing to the business, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with such processing.
The CPRA explicitly requires businesses to eliminate processing activities which, in the Regular Risk Assessments, are found to create more potential risk to the rights of the consumer than benefit for the business, the consumer, other stakeholders, and the public.
Businesses will not be required to divulge trade secrets when conducting and submitting CPRA Regular Risk Assessments.
The CPRA, like every other data protection law, goes to great lengths to ensure that strict security measures are in place so that the user data being collected is adequately protected. Privacy Impact Assessments may seem tedious to most businesses at the start, but at their core they give every business a realistic view of how well its infrastructure protects its users’ data privacy.
Of course, due to both the sheer volume of data involved and the relative inexperience of most businesses with this practice, implementing assessments within an organization can be considerably harder in practice.
That’s where Securiti can help you.
Securiti is a market leader in providing enterprise solutions in data governance and data compliance. Thanks to its acclaimed artificial intelligence and machine learning-based algorithms, Securiti can automate these privacy impact assessments while highlighting the gaps that exist in current practices.
Request a demo today to learn more about how else Securiti can aid your organization’s CPRA compliance efforts.
Copyright © 2023 Securiti · Sitemap · XML Sitemap