Slide 1
How to get ahead of California's landmark privacy law
JANUARY 2019

Slide 2
Angelique Carson
Editor, The Privacy Advisor
Host, The Privacy Advisor Podcast
International Association of Privacy Professionals
@privacypen
acarson@iapp.org

Slide 3
What are we here to talk about?
One of the biggest stories to hit the privacy and info-security world in the U.S. this year was the passage of the California Consumer Privacy Act of 2018. The law will apply to more than 500,000 small- and medium-sized businesses and grants new rights to California residents over how their data is used, including a right to be forgotten, a right to data portability and the right to opt out of having their data sold. But there are still a lot of unknowns as the law continues to be amended ahead of its implementation date in 2020.

Slide 4
Dominique Shelton Leipzig, Perkins Coie
Dana Simberkoff, AvePoint
Chris Zoladz, Navigate

Slide 5
Dominique Shelton Leipzig
What does the law require?

Slide 6
CCPA - Explained for Cyber Professionals

Slide 7
What is the California Consumer Privacy Act?
Goes into effect January 1st, 2020
Gives California consumers certain rights with respect to their personal information
Applies to businesses that:
Have gross revenues in excess of $25,000,000;
Buy, receive, sell, or share for commercial purposes the personal information of 50,000+ California consumers, households, or devices; or
Derive 50% or more of their revenues from selling personal information.

Slide 8
8 New Consumer Rights

Slides 9 to 13
Business Obligations Re: 8 Consumer Rights (continued across four slides)

Slide 13
3 Independent Business Obligations
Training
Create Designated Methods for Asserting Rights
Obtain Immunity by Making Contract Meet Specific Criteria

Slide 14
Sample General Defenses

Slide 15
Specific Defenses Apply to Each Right

Slide 16
Dana Simberkoff
The nexus between privacy and security as it relates to the law

Slide 17
Key Overlaps

Slide 18
Data is Valuable

Slide 19
Both CCPA and GDPR give consumers the right to be forgotten….
A.K.A. "Nightmare Letters"
A.K.A. DSARs and Freedom of Information Act (FOIA) requests

Please confirm to me whether or not my personal data is being processed. If it is, please provide me with the categories of personal data you have about me in your files and databases.

In particular, please tell me what you know about me in your information systems, whether or not contained in databases, and including e-mail, documents on your networks, or voice or other media that you may store.

Please provide me with a copy of, or access to, my personal data that you have or are processing!

Please provide a list of all third parties with whom you have (or may have) shared my personal data. Additionally, I would like to know what safeguards have been put in place in relation to these third parties that you have identified in relation to the transfer of my personal data.

Slide 20
To comply with CCPA you must know what data you have…. Dark data is the key problem (always!)

[Diagram labels: Dark Data; What do we have?; What you need to keep…; What you use…; Client records; Employee records; Previous project files; Current project files; Current reference docs]

Slide 21
CCPA represents an opportunity for Privacy and Security to align

Slide 22
CPO and a Data Privacy Program vs. CISO and a Data Security Program

Shared by both programs:
standards, training, policies, managing data risks
technical, administrative and procedural controls
accountability

CPO / Data Privacy Program: how to keep personal data confidential; personal data management
CISO / Data Security Program: how to keep data secure; general data management

[Diagram also contrasts "B&W" with "shades of grey"]

Slide 23
How Do You Know Where to Park?

Slide 24
The Business Impact
Operationalizing Privacy and Security through a connected framework creates results….

Better Visibility, Less Risk:
Incident response program
Map of critical assets
Controls and security
Lower the risk profile for our organizations
Simpler audits

Digital Transformation:
Reduced cost of legacy IT storage
Data Optimization
Simpler migrations

[Diagram labels: Data Privacy; IT Security; CIO]

Slide 25
Chris Zoladz
How to operationalize compliance

Slide 26
A Team Effort
Technology
Security
Privacy
Legal

Slide 27
Security Pros' Role in the CCPA
Understand the systems and data in scope
Consumer rights requests: secure means for receipt and response
Secure opt-in and opt-out
Evaluate data redaction and encryption options
Review all privacy notices
Provide input to training

Slide 28
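The "know what data you have" point from the dark data slide and the "secure means for receipt and response" task above both come down to the same plumbing: a personal-data inventory that can be queried per consumer, and a response built from that inventory without exposing other people's data. The script below is an added example written for this page, not code from the presenters or from any vendor they represent. Every system name, record, category label and third party in it is constructed sample data, and the category strings are illustrative rather than the statutory list.

```python
"""Minimal personal-data inventory and consumer-rights (DSAR) response builder.

Added example, not from the presentation. The inventory below is what a
data-mapping exercise would produce; all systems, subjects, categories and
third parties are constructed placeholders.
"""
from dataclasses import dataclass
from typing import Any, Dict, List, Tuple


@dataclass
class Record:
    system: str                       # system holding the record (constructed name)
    subject: str                      # consumer identifier, here an e-mail address
    category: str                     # category of personal information (illustrative)
    fields: Dict[str, Any]            # the data itself
    shared_with: Tuple[str, ...] = () # third parties the record was disclosed to


# Constructed inventory: the answer to "what do we have?" once dark data is mapped.
INVENTORY: List[Record] = [
    Record("crm", "alice@example.com", "identifiers",
           {"name": "Alice", "email": "alice@example.com"}),
    Record("crm", "bob@example.com", "identifiers",
           {"name": "Bob", "email": "bob@example.com"}),
    Record("billing", "alice@example.com", "commercial information",
           {"last_order": "2019-01-10", "amount": 120.0}, ("payment-processor-x",)),
    Record("web-analytics", "alice@example.com", "internet activity",
           {"pages_viewed": 42}, ("ad-network-y",)),
    Record("support-mailbox", "alice@example.com", "identifiers",
           {"thread": "alice@example.com and bob@example.com discussed order 17"}),
    Record("hr", "carol@example.com", "professional information",
           {"title": "Engineer"}),
]


def inventory_summary(records: List[Record]) -> Dict[str, set]:
    """Per-system set of personal-data categories held: the inventory view."""
    summary: Dict[str, set] = {}
    for r in records:
        summary.setdefault(r.system, set()).add(r.category)
    return summary


def locate_subject(records: List[Record], subject: str) -> List[Record]:
    """Every record, in every system, that belongs to one consumer."""
    return [r for r in records if r.subject == subject]


def redact_others(value: Any, subject: str, known_subjects: set) -> Any:
    """Strip other consumers' identifiers from free text before it is returned."""
    if not isinstance(value, str):
        return value
    for other in known_subjects:
        if other != subject:
            value = value.replace(other, "[redacted]")
    return value


def build_dsar_response(records: List[Record], subject: str) -> Dict[str, Any]:
    """Answer the four asks of the 'nightmare letter' from the inventory:
    is data processed, which categories, a copy of it, and which third parties."""
    mine = locate_subject(records, subject)
    known = {r.subject for r in records}
    return {
        "subject": subject,
        "processed": bool(mine),
        "systems": sorted({r.system for r in mine}),
        "categories": sorted({r.category for r in mine}),
        "third_parties": sorted({p for r in mine for p in r.shared_with}),
        "copies": [
            {"system": r.system, "category": r.category,
             "data": {k: redact_others(v, subject, known) for k, v in r.fields.items()}}
            for r in mine
        ],
    }


if __name__ == "__main__":
    import json
    print(json.dumps(inventory_summary(INVENTORY), default=sorted, indent=2))
    print(json.dumps(build_dsar_response(INVENTORY, "alice@example.com"), indent=2))
```

The redaction step is the part a security reviewer should look at: a support thread or shared document that mentions two consumers must not be handed to one of them verbatim, so the response is built from the inventory rather than by exporting raw records. Receipt of the request and identity verification of the requester sit in front of this code and are out of scope here.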
Next Steps
Proactively connect to the compliance team
Set expectations
Create a security RACI and workplan with outcomes
Request funding as needed

Slide 29
Thank You!
Dominique Shelton Leipzig
Partner, Privacy & Security
Co-Chair, Ad Tech Privacy & Data Management
1.310.788.3327
Dsheltonleipzig@perkinscoie.com
Data Management Video Series Link

Slide 30
Thank You!
Dana Simberkoff
Chief Risk, Privacy and Information Security Officer, AvePoint
Dana.Simberkoff@avepoint.com

Slide 31
Thank You!
Chris Zoladz
Founder, Navigate LLC
chris@navigatellc.net
240.475.3640