Published on August 25, 2022 AUTHOR - Privacy Research Team
For businesses globally, personal data is a highly vital asset. Used effectively, personal data can increase a business’s revenues tenfold and ensure it targets users most likely to convert and turn into customers. Thus, it wouldn't be wrong to say that access to personal data has transformed the business world by letting businesses know their customers and potential customers better.
However, there have long been ethical concerns about the scale and scope of personal data available to businesses. Some personal data is more sensitive than the rest - its use must be more strictly curtailed so that individuals are not exploited. This type of data might be about their most sensitive innate characteristics or traits, or it might be information that, in the wrong hands, could lead them to severe loss or harm.
That is one of the several factors that have led countries worldwide to draft data privacy laws that categorize certain types of personal data as sensitive personal data and provide it additional protections.
The California Privacy Rights Act (CPRA), which will come into effect on January 1, 2023, replaces the California Consumer Privacy Act (CCPA). The CPRA guarantees that Californian consumers are adequately protected by introducing a new category of data labeled "sensitive personal information". All data within this category warrants increased protection from businesses collecting, storing, processing, disclosing, and transferring personal information about their consumers.
Read on to learn more about sensitive personal information, including the ideal solution for organizations that want to handle the collection of sensitive personal information.
So, what exactly is sensitive personal information? The CCPA defined what constitutes personal information. The CPRA builds on that definition by introducing the sub-category of sensitive personal information. As per the CPRA's definition, personal information that reveals any of the following details about an individual consumer constitutes sensitive personal information:
This broader definition of the term means that an organization that might be collecting any one of these would now have to comply with the CPRA's provisions.
Sensitive Personal Information is an entirely new category of data that the CPRA creates. It follows the wisdom that some types of data, such as a user's financial or biometric information, necessitate increased protection online. This new category of personal information is inspired by the "special categories of personal data" mentioned in the General Data Protection Regulation (GDPR).
The CPRA goes into great detail explaining the duties of businesses that collect consumers’ sensitive personal information. These duties and responsibilities include:
Due to just how expansive the definition of sensitive personal information is under the CPRA, businesses are likely to find themselves scrambling to determine whether they collect any such data.
Managing how a business collects, stores, secures, and maintains sensitive personal information is long and arduous. An automated solution is a critical necessity to ensure that the process is carried out effectively and efficiently.
With Securiti’s Sensitive Data Solution (SDI), an organization can scan its data assets and detect and classify all personal and sensitive personal information. Furthermore, this discovered data can be neatly arranged in a catalog to enable teams to leverage the metadata for security, privacy, and compliance purposes.
SDI uses machine learning and pattern recognition techniques, which aid in identifying personal and sensitive information such as government, financial, or racial identifiers. It can then categorize them accordingly by importing labels from the Microsoft Security Centre and applying them to Box, NFS, SMB, and other unstructured data assets.
These sensitivity labels are vital in ensuring the enforcement of security policies that prevent any sort of data leaks.
An organization can attach additional metadata to each sensitive file, such as the category of personal data, the purpose of processing, and retention period. Additionally, People Data Graphs enable timely and accurate fulfillment of DSRs, breach notifications, and consent reports.
Lastly, SDI allows an organization to identify data risk hotspots in their environment based on elements such as specific data elements, data locations, and user residencies. These insights can then be used to take any necessary remedial or preventative actions to mitigate or eliminate any security and privacy risks.
The CPRA, like any other significant privacy regulation, requires organizations to radically overhaul the way they collect users' personal information or sensitive personal information. The sheer volume of data makes it seem an arduous task for any organization unless it opts for robotic automation.
This is where Securiti can prove to be a viable option.
The automated data mapping solution helps maintain an updated catalog of all data assets and sensitive data, along with metadata such as the purpose of collection, retention period, and other details.
Additionally, you can visualize data maps to gain real-time insights into key data patterns, initiate PIAs, and monitor real-time risks related to your data processing activities.
Request a demo today to see how Securiti's products can aid your CPRA compliance efforts.