Data discovery is a key task for complying with the California Consumer Protection Act (CCPA). Yet CCPA adds a new wrinkle to data discovery when it goes into effect on January 1, 2020: While financial institutions (FIs) are long accustomed to analyzing the data they collect in order to satisfy regulators, CCPA requires connecting compliance and data management directly to consumers.
For the first time, data discovery needs to be organized so it can be easily and transparently communicated back to the customer.
A sweeping view of what’s personal
CCPA requires a multifaceted approach to data. The regulation obligates businesses to disclose categories and third-party involvement to consumers. It takes a broad view of personal information (PI). The 13 categories of PI data elements subject to CCPA privacy oversight are sweeping in nature: Included is everything from personal identifiers and payment and card activity to geolocation data, biometrics and even inferences drawn to create customer profiles. CCPA’s view of PI veers much closer to the definition of personally identifiable information, or PII, which is data that can be linked to a particular individual or household.
Data discovery is no small task. At its most basic level, privacy-related data discovery involves reviewing database tables to identify PI and then determine whether it falls within CCPA governance or is a permitted business exemption.
PI can exist in any number of places within organizations. As a result, legal or business justification efforts often begin with prioritizing PI based on the likelihood of its collection and then determining the applications that touch it.
Getting to the why of personal data
Inventorying the data captured within applications, however, is only one part of CCPA compliance. The legislation also requires organizations to justify why they collect PI. It’s a key difference.
While CCPA doesn’t explicitly require a PI process inventory as does the European Union’s General Data Protection Regulation (GDPR), compliance calls for a sustainable approach to accountability and maintenance as a matter of practicality. A potential middle ground is linking the PI collected to its overarching categories, an action that informs the business point of view that’s a critical element of CCPA governance.
Context is everything when it comes to CCPA. Compliance requires business units be held accountable for why and how they’re using consumers’ personal data. FIs that aren’t prepared to defend why they collect PI may find consumer data increasingly difficult to maintain and manage.
CCPA lays bare the practice of collecting PI for one purpose and then using it for another. For example, gathering consumer data for customer servicing purposes and then sharing it with unaffiliated third parties may conflict with a consumer’s expectations. At its heart, CCPA is about visibility, transparency and accountability.
Another challenge for banks is responding to CCPA requests for PI that crosses business lines. Because such requests will likely also cross multiple teams and systems, compliance provides FIs the opportunity — and impetus — to create a single customer identifier that links to all inventoried PI across the organization.
CCPA data discovery also dovetails with the growing trend of privacy by design and enterprises’ rising sensitivity to privacy issues. Integrating data privacy into new processes and applications can potentially reduce the risk profiles — and costs — of mishandled PI. One banking client observed that it will consider ending the collection of any PI it’s not using.
Common pitfalls in data discovery
Be sure your organization’s data discovery efforts are effective by avoiding these pitfalls:
1 Failure to capture the physical location of PI.
Location of data is key to CCPA. Your banking organization needs to be able to specifically identify where data resides within and outside the bank. Part of the challenge with this requirement is it’s easy for organizational reviews of software applications to miss some PI. For large banks that manage hundreds of applications, inventorying PI looms as a huge task. Manual reviews of database tables can produce an initial inventory, but PI is often fluid: Inventories can quickly become dated — leaving banks vulnerable to non-compliance. What’s more, CCPA requirements extend to unstructured data and paper-based documents as well. For example, any hand-signed agreements such as those that wealth firms maintain with advisors are fair game.
- The solution: Implement data scanning tools that automate and sustain data discovery. Automated scanning tools capture regular snapshots of all applications and repositories where PI resides.
2 Missing the business context.
Context works in tandem with the capture of data’s physical location. CCPA entitles consumers to know not just the personal details that are collected but also how they’re used. For many banks, mapping out detailed customer PI processes is new. Application-only, IT-oriented views typically omit the business rationale for data collection. They also overlook PI that’s consumed outside of core banking applications, such as hard-copy sent through the postal service and electronic documents emailed by customers as attachments. Without context for the data you collect, you can’t justify it back to the customer.
- The solution: Create and maintain process maps that ensure you know the business context for all customer PI and can communicate it to consumers. Be sure to include all PI, including any consumed outside applications or that originates with one process but is also consumed by another. Are email attachments saved to files? If yes, where? Are mailed documents scanned and then shredded? CCPA requires you to make the answers readily available.
3 Taking a siloed approach to regulations.
CCPA is more than a mapping exercise. The most effective CCPA efforts will be those that work holistically with other regulations, such as GDPR and state-level initiatives. What’s more, every department has its role in CCPA: IT provides information, and compliance proffers advice. But CCPA compliance is ultimately about the business, so it’s critical that IT collaborate with business units’ data stewards. This will continue to be a critical relationship to address new data privacy evolutions such as that stipulated in New York’s proposed privacy legislation.
- The solution: Successful compliance eliminates siloes and instead builds bridges between IT and the business. The connection starts with a three-way analysis that includes IT, the business process, and each regulation. The first step is to identify gaps for all regulations, including CCPA, GDPR and GLBA (Gramm-Leach-Bliley Act). Next comes mapping each set of findings to the process steps, PI category and relevant applications. Taking a holistic approach to compliance can turn up unexpected findings. For example, banks might discover data that’s needed not for regulatory purposes but for business reasons and that simply triggers an update to customers.
This article was written by Troy Danka, Director, Cognizant Consulting, Capital Markets, Risk & Compliance.
For more information on CCPA data discovery that can be easily communicated to customers, contact our CCPA Practice.