On January 1, 2020, a new California law went into effect that may push many unsuspecting enterprises doing business in the state into costly noncompliance while also introducing reputational risk and threatening their brands. The California Consumer Privacy Act (CCPA) grants consumers new rights over how their personal data is collected, stored, used, and protected. Companies failing to comply can face civil penalties of up to $7,500 per intentional violation. Despite the potential impact, a recent survey by the IT security firm ESET shows how ill-prepared most enterprises are for this new compliance obligation:
- Nearly half of all respondents had never heard of CCPA
- More than 8 in 10 respondents did not know if the law even applied to their business
- A third of executives were unsure if their organizations needed to change how consumer data was stored/processed
- Nearly 1 in 4 respondents “didn’t care” about becoming compliant
- More than half had not performed a risk assessment on cybersecurity within the past year
Given the stakes involved, this broad lack of urgency is concerning but not all that surprising. A DataGrail survey indicated that, despite investing thousands of hours and being given a two-year head start, only half of the companies surveyed reported achieving compliance with the General Data Protection Regulation (GDPR), a similar data privacy regulation in Europe. Additionally, 70% of enterprises admitted that the systems they were using to comply would not scale. With the pace of regulatory change accelerating, most enterprises are being caught flat-footed.
What the origin of CCPA tells us about what may be coming next
California’s passage of the first major consumer data privacy law in the US is somewhat surprising given the concentration of tech giants based in the state and the economic engine that Silicon Valley fuels. Bob O’Donnell discusses this contradiction in the TechSpot article California Data Privacy Law Highlights Growing Frustration with Tech Industry. “So, what made California legislators willing to bite the hand that contributes so strongly to its coffers?” asks O’Donnell, rhetorically. “Incredible consumer frustration.” The dozen or so states with similar bills working their way through their legislatures are a testament to just how widespread and strong this consumer frustration is.
Despite industry pleas for a single, comprehensive nationwide framework to reduce the compliance burden and standardize processes, partisan gridlock at the federal level makes this outcome seem unlikely in the near term. The article Nevada’s New Consumer Privacy Law Departs Significantly From The California CCPA describes the privacy law Nevada enacted in 2019: “The Nevada law differs from the CCPA enacted last year in notable ways, and could signal the coming of a patchwork of fifty-plus different data privacy standards across the country, much like the state data breach notification laws.” The prospect of a series of one-off state laws, each differing significantly from the others, is a nightmare scenario for compliance teams.
The need for agility in compliance
This wave of state-level legislation, driven by consumer activists, signals a continuously shifting compliance landscape that businesses will have to treat as the new normal. Instead of predictable, plodding paths through Congress or extended comment periods in the Federal Register, these changes are arriving quickly and from multiple directions. Want proof of the speed at which they are now coming? The person who funded the original CCPA ballot initiative has already filed a 2020 ballot measure for a successor, widely referred to as CCPA 2.0.
If the sluggish response to CCPA (and to GDPR before it) is any indicator, a lack of the agility that constantly shifting compliance requirements demand may lead some firms into trouble. Many companies in the ESET survey are currently ignoring the compliance ramifications of these laws, but eventually the alarm will sound. “When it does, and companies begin to see that the bill has real teeth, we’ll see a mad dash for companies to become compliant. In the rush, many companies will trip over their shoelaces and make inevitable mistakes, just as we saw with the GDPR,” warns Ian Barker in Compliance struggles and more legislation — privacy and data predictions for 2020.
Preparing for more than the CCPA
While taking basic steps to assess compliance with the CCPA is a necessary first step, preparing your organization to avoid this “mad dash” involves taking a wider view of not only compliance-related risks in this new environment but also how an inadequate compliance response can itself create other enterprise risks.
The pent-up frustration driving legislators to move quickly on new laws means that consumers care about data privacy. A lot. While a business may be able to absorb the fines associated with noncompliance, the ongoing reputational damage of being perceived as a company that does not respect consumer privacy could be much harder to recover from. The implications therefore reach beyond compliance into enterprise risk management (ERM), internal audit, and business continuity management (BCM)/crisis management. The public may view CCPA noncompliance as a symptom of a much larger condition, and that condition requires a fully connected response across several departments.
No time for silos
In a rapidly changing, high-stakes regulatory environment, a fragmented approach will be less effective than a flexible, integrated response. Tracking how well the organization is prepared for each new data privacy regulation depends on a coordinated effort in which critical data flows between all the groups that need it.
The promise of integrated governance, risk, and compliance (GRC) solutions is that a single system can handle the interconnected nature of today’s risk environment and give organizations the big-picture view they need to make the most informed decisions possible, shifting from reactive responses to proactive, strategic efforts. Although the CCPA (and similar future legislation) offers an ideal use case for demonstrating the benefit of an integrated solution, one more component is necessary to live up to that promise.
Given the need to continually pivot to the next compliance demand, manual processes and rigid legacy systems eventually run into scalability issues. The 70% of respondents in the DataGrail survey who indicated that their solutions could not adequately handle an escalating regulatory environment show just how low the ceiling is for a reactive, band-aid approach. Solutions such as Origami Risk’s Integrated GRC are designed to be flexible enough to handle today’s challenges (CCPA, for example) and adapt to whatever compliance issues emerge tomorrow, while also giving the entire enterprise a way to stay ahead of the regulatory curve and protect hard-earned brand reputation.
Are you looking for ways to simplify compliance and better adapt to changing regulations? Origami Risk can help! Contact us to learn more about how Origami Risk can help make your operations more efficient, opening the door to next-level services.