Data discovery is a key task for complying with the California Consumer Privacy Act (CCPA). Yet CCPA adds a new wrinkle to data discovery when it goes into effect on January 1, 2020: While financial institutions (FIs) are long accustomed to analyzing the data they collect in order to satisfy regulators, CCPA requires connecting compliance and data management directly to consumers.
For the first time, data discovery needs to be organized so it can be easily and transparently communicated back to the customer.
CCPA requires a multifaceted approach to data. The regulation obligates businesses to disclose categories and third-party involvement to consumers. It takes a broad view of personal information (PI). The 13 categories of PI data elements subject to CCPA privacy oversight are sweeping in nature: Included is everything from personal identifiers and payment and card activity to geolocation data, biometrics and even inferences drawn to create customer profiles. CCPA’s view of PI veers much closer to the definition of personally identifiable information, or PII, which is data that can be linked to a particular individual or household.
Data discovery is no small task. At its most basic level, privacy-related data discovery involves reviewing database tables to identify PI and then determine whether it falls within CCPA governance or is a permitted business exemption.
PI can exist in any number of places within organizations. As a result, legal or business justification efforts often begin with prioritizing PI based on the likelihood of its collection and then determining the applications that touch it.
Inventorying the data captured within applications, however, is only one part of CCPA compliance. The legislation also requires organizations to justify why they collect PI. It’s a key difference.
While CCPA doesn’t explicitly require a PI process inventory as does the European Union’s General Data Protection Regulation (GDPR), compliance calls for a sustainable approach to accountability and maintenance as a matter of practicality. A potential middle ground is linking the PI collected to its overarching categories, an action that informs the business point of view that’s a critical element of CCPA governance.
Context is everything when it comes to CCPA. Compliance requires business units be held accountable for why and how they’re using consumers’ personal data. FIs that aren’t prepared to defend why they collect PI may find consumer data increasingly difficult to maintain and manage.
CCPA lays bare the practice of collecting PI for one purpose and then using it for another. For example, gathering consumer data for customer servicing purposes and then sharing it with unaffiliated third parties may conflict with a consumer’s expectations. At its heart, CCPA is about visibility, transparency and accountability.
Another challenge for banks is responding to CCPA requests for PI that crosses business lines. Because such requests will likely also cross multiple teams and systems, compliance provides FIs the opportunity — and impetus — to create a single customer identifier that links to all inventoried PI across the organization.
CCPA data discovery also dovetails with the growing trend of privacy by design and enterprises’ rising sensitivity to privacy issues. Integrating data privacy into new processes and applications can potentially reduce the risk profiles — and costs — of mishandled PI. One banking client observed that it will consider ending the collection of any PI it’s not using.
Be sure your organization’s data discovery efforts are effective by avoiding these pitfalls:
Location of data is key to CCPA. Your banking organization needs to be able to specifically identify where data resides within and outside the bank. Part of the challenge with this requirement is it’s easy for organizational reviews of software applications to miss some PI. For large banks that manage hundreds of applications, inventorying PI looms as a huge task. Manual reviews of database tables can produce an initial inventory, but PI is often fluid: Inventories can quickly become dated — leaving banks vulnerable to non-compliance. What’s more, CCPA requirements extend to unstructured data and paper-based documents as well. For example, any hand-signed agreements such as those that wealth firms maintain with advisors are fair game.
Context works in tandem with the capture of data’s physical location. CCPA entitles consumers to know not just the personal details that are collected but also how they’re used. For many banks, mapping out detailed customer PI processes is new. Application-only, IT-oriented views typically omit the business rationale for data collection. They also overlook PI that’s consumed outside of core banking applications, such as hard copies sent through the postal service and electronic documents emailed by customers as attachments. Without context for the data you collect, you can’t justify it back to the customer.
CCPA is more than a mapping exercise. The most effective CCPA efforts will be those that work holistically with other regulations, such as GDPR and state-level initiatives. What’s more, every department has its role in CCPA: IT provides information, and compliance proffers advice. But CCPA compliance is ultimately about the business, so it’s critical that IT collaborate with business units’ data stewards. This will continue to be a critical relationship to address new data privacy evolutions such as that stipulated in New York’s proposed privacy legislation.
This article was written by Troy Danka, Director, Cognizant Consulting, Capital Markets, Risk & Compliance.
For more information on CCPA data discovery that can be easily communicated to customers, contact our CCPA Practice.