State legislatures across the US have been on a roll in introducing omnibus privacy bills. During the 2022 legislative cycle, there was a feverish rush of activity surrounding state data privacy laws: bills pertaining to data privacy regulation were introduced in no fewer than 29 states, committee hearings were held in 23 of those states, and bills were passed in 14 states.
Utah and Connecticut Reach the Finish Line
Only Utah and Connecticut have successfully passed and enacted comprehensive privacy laws this calendar year. They will be joining their three forerunners, California, Virginia, and Colorado in rolling out state privacy laws which will require compliance starting in 2023. The expectation is for additional states to join the trend in the months ahead.
A federal privacy law, the American Data Privacy and Protection Act (ADPPA), has progressed through Congress this year and may reach some big milestones in 2023. Who knows? Maybe this year will be the year that the US finally catches up with other economically developed countries by introducing a federal privacy law. It’s too early, though, to get excited about any US privacy regulations. Although the ADPPA has some bipartisan momentum behind it, the proposed law’s broad exceptions to preemption indicate that businesses should continue to plan for a state-by-state strategy. This means that there is a lot of work for businesses to do to update their systems for compliance with the state privacy laws that apply to them.
2022 is definitely “the prep year” for data privacy compliance with new laws going into effect in 2023.
- On January 1, 2023, the California Privacy Rights Act (CPRA) will replace California’s current comprehensive data privacy law, the California Consumer Privacy Act (CCPA). Virginia’s first extensive privacy law, the Consumer Data Privacy Act (VCDPA), will also go into effect at the start of 2023.
- Six months later, on July 1, 2023, Colorado and Connecticut will join in marking history when their first robust privacy laws, the Colorado Privacy Act (CPA) and the Connecticut Privacy Act (CTDPA), go into effect.
- Businesses operating in or providing services to consumers in Utah will need to be ready for compliance by December 31, 2023.
If keeping up with all the “C” acronyms alone is confusing, compliance itself will likely be a monumental task.
Step One: Create a Data Inventory
“Data inventories serve as the foundation of the information gathering needed to support other activities such as identifying high-risk processes; determining what data sets you collect to inform data subject request practices or even establishing how you will look to implement a data minimization program and where you will prioritize those efforts,” explains privacy and data protection principal Lindsay Hohler.
Data mapping, another term for building a data inventory, requires you to take stock of your data and understand its full scope. A comprehensive data inventory is a crucial component of a privacy program because it can be used to update the privacy notice, assign security measures more effectively, and respond quickly and accurately to customer requests. Although creating an inventory of your data may appear difficult, it will ultimately simplify both the compliance process and your incident response strategy. To develop a comprehensive data inventory, the right questions must be asked:
- Do we know what we have?
- How long are we keeping it?
- Where are we keeping it?
- Why are we keeping it?
- Who has access to it?
- Has the data been classified?
- Who is responsible for the data?
The vast majority of organizations that have prepared for the General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA) already have a data inventory in place and likely just need to tweak it for compliance with the California Privacy Rights Act (CPRA) and the other pending U.S. state laws scheduled to take effect in 2023.
Data Inventories and Personal Data
Let’s explore the relationship between data inventories and personal data before we get into how companies might leverage data inventories for compliance. A data inventory is the cornerstone of a successful privacy program. In its most basic form, a data inventory can be thought of as a matrix that lists the type of personal data collected, how the data is used, how it is protected, and to whom the data is transferred. Data inventories are systems, or living directories, for managing private data within the company. Sensitive data is sorted into categories, and the data inventory records the category assigned to each data set and where it is held. In addition to personal information, sensitive data can also refer to trade secrets, attorney-client confidential information, and data that is subject to export restrictions.
The foundation of any data protection program is a data inventory. It gives decision-makers a “single source of truth” and more control over how personal data is managed. A data security leader could feel overburdened by the plethora of compliance requirements and regulations they must adhere to if the personal data they manage is poorly overseen or underutilized. Across all industries, a comprehensive data inventory can make compliance with new customer data protection acts simpler.
Start Getting Value With Centraleyes for Free
See for yourself how the Centraleyes platform exceeds anything an old GRC system does and eliminates the need for manual processes and spreadsheets to give you immediate value and run a full risk assessment in less than 30 days.
Steps to Take to Update Your Data Inventory for 2023’s New State Privacy Laws
- Assuming you already have a data inventory built for the CCPA, determine further information that needs to be collected for upcoming U.S. state privacy regulations. Below is a summary of the four sections that need to be updated for the CPRA in data inventories created in compliance with the CCPA.
- The CCPA’s HR and B2B exemptions are scheduled to sunset at the onset of 2023, bringing new procedures and data processes into the scope of the law. Update data mappings to include HR and business-to-business data subjects in the data inventory. Some laws will require extending data subject rights, as well as notification obligations, to employees and business-to-business data subjects.
Applying the law to employees imposes a heavy challenge on affected companies for two reasons: first, employee-related data may not have been inventoried before; second, determining whether exceptions to those rights apply will require meticulous research.
- Create an inventory of the important systems and resources that gather and handle the pertinent personal information for each main working group. The inventory should also include information about the circumstances and methods by which such information is disclosed to third parties.
- A data inventory can be used to implement a data retention strategy, required by the CPRA and other state acts. Businesses can use a data inventory to categorically and methodically set data retention durations. The CPRA proposes disclosures of the retention period by category of personal information. Collecting record retention information via an organized data inventory will allow organizations to efficiently fulfill these requirements.
- Newly enacted state laws give consumers the right to limit the use and disclosure of sensitive personal information, making it critical to understand and identify what sensitive personal information your organization manages.
Any new information about business processing activities that involve sensitive personal information should be included in the data inventory. At a minimum, comprehensive data mappings should include:
- Subject information, such as employees, customers, vendors, etc.
- Processing category:
  - Government ID
  - Finances
  - Geolocation
  - Race, religion, and union membership
  - Communications
  - Genetics
  - Biometrics
  - Health
  - Sexual orientation
- Data elements captured or processed, such as device ID, phone number, purchase history, browsing time, etc.
- Designate a team member who is responsible for updating data inventory records. It is also crucial to train the team members who will take part in maintaining the data inventory. New team members should be properly taught before they review or take part in the data inventory for the first time. Additionally, make sure that personnel who have previously participated are retrained and made aware of the impending rules, because these new privacy regulations have drastically changed the privacy landscape in the United States.
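The data mapping fields and the retention, sensitive-data and ownership steps above, as an added Python example (not Centraleyes code; the systems and values are constructed): it models inventory rows, flags rows with no retention period or owner and subject types not yet mapped (HR/B2B), lists the systems where a right-to-limit request applies, and derives the per-category retention disclosure.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set
# Sensitive personal information categories from the data mapping list above.
SENSITIVE_CATEGORIES = {"government_id", "finances", "geolocation", "race_religion_union",
                        "communications", "genetics", "biometrics", "health", "sexual_orientation"}
REQUIRED_SUBJECTS = {"employee", "business_contact"}  # in scope once the CCPA HR/B2B exemptions sunset

@dataclass
class InventoryRecord:
    system: str                    # system or resource holding the data
    subject_type: str              # employee, customer, vendor, business_contact ...
    categories: Set[str]           # processing categories (see SENSITIVE_CATEGORIES)
    data_elements: List[str]       # device ID, phone number, purchase history ...
    owner: str                     # team member responsible for keeping the row current
    retention_days: Optional[int]  # None means no retention period has been set yet

def inventory_gaps(records: List[InventoryRecord]) -> List[str]:
    """Rows lacking a retention period or owner, plus subject types not yet mapped."""
    gaps = []
    for r in records:
        if r.retention_days is None:
            gaps.append(f"{r.system}: no retention period set")
        if not r.owner:
            gaps.append(f"{r.system}: no owner assigned")
    mapped = {r.subject_type for r in records}
    for subject in sorted(REQUIRED_SUBJECTS - mapped):
        gaps.append(f"inventory: no records for subject type '{subject}'")
    return gaps

def sensitive_processing(records: List[InventoryRecord]) -> Dict[str, List[str]]:
    """Systems processing sensitive categories, i.e. where a right-to-limit request applies."""
    return {r.system: sorted(r.categories & SENSITIVE_CATEGORIES)
            for r in records if r.categories & SENSITIVE_CATEGORIES}

def retention_disclosure(records: List[InventoryRecord]) -> Dict[str, int]:
    """Longest retention period per category, the unit the CPRA disclosure is stated in."""
    longest: Dict[str, int] = {}
    for r in records:
        for cat in (r.categories if r.retention_days is not None else ()):
            longest[cat] = max(longest.get(cat, 0), r.retention_days)
    return longest

# Constructed sample inventory; systems and values are illustrative, not real.
SAMPLE = [
    InventoryRecord("crm", "customer", {"finances"}, ["purchase_history"], "sales-ops", 730),
    InventoryRecord("analytics", "customer", {"geolocation"}, ["device_id"], "marketing", 365),
    InventoryRecord("hris", "employee", {"government_id", "health"}, ["ssn"], "", None),
]
```

Running the three functions over SAMPLE shows the HR system as the row to fix first: it has sensitive categories but no retention period or owner, and no business-contact records exist yet.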
Data Mapping with Centraleyes
A data inventory acts as the foundation of an organization’s privacy program. As we continue to navigate the rapidly evolving U.S. privacy laws, we will continue to rely heavily on the data inventory to comply with the upcoming regulations. It is vital that organizations either create or update their data inventory now to prepare for the regulations going into effect on January 1st, 2023. Data mapping is a tedious job, but ultimately provides great clarity and protection that will ensure that your compliance management team makes decisions that are properly balanced.
With Centraleyes, you can automate and orchestrate data collection and analysis and view the entire compliance process in one central dashboard. We help automate the full data privacy lifecycle, starting with data collection and following through to analysis and compliance, freeing up hours of siloed, repetitive labor by seamlessly crosswalking controls between the various state laws.