Category: Data Privacy

A Review of GDPR and CCPA

12/9/2019

5 MIN READ

This article is the 2nd in a series. Read the introduction article:
"Why Data Privacy Matters."

So you know what your data looks like. You know what it is used for. You have a sense of who touches it and who uses it. Now what? Now, you educate yourself on data privacy.

If you have data, you need to protect it. I had the opportunity to speak to this on a webinar hosted by FormAssembly on August 21, 2019. I joined Maggie Tharp at FormAssembly to talk about the data privacy landscape in 2019, and evolving regulations and best practices. Check out the Webinar Recap: California Privacy and How It Affects You. On the webinar, Maggie and I discussed The General Data Protection Regulation (GDPR) as well as the California Consumer Privacy Act (CCPA) which will go into effect on January 1, 2020. As FormAssembly’s guest presenter, I spoke to the implications for nonprofit and educational organizations who may not have people or processes in place to specifically track data privacy and how it impacts organizations. In my Webinar Recap, I share some key insights that I shared on the webinar.

As a follow up to their Data Privacy Deep Dive Webinar Series, FormAssembly recently published their white paper, State of Data Privacy in 2019. In this guide, they talk about the data privacy landscape in the United States, the new data privacy laws in other U.S. states, where businesses stand, and tips on better data stewardship.

Share State of Data Privacy 2019 with Your Operations Leadership

“Of organizations that the CCPA applied to (55 out of 143), 42% were very prepared, 33% were somewhat prepared, and 25% were not prepared.”

A realistic next step to prepare for CCPA is to have a discussion with the relevant leaders of your organization and determine your level of preparedness. Review FormAssembly’s white paper, State of Data Privacy in 2019 and give your organization a rating of Very Prepared, Prepared, Somewhat Prepared, or Not Prepared.

Depending on what your team decides, make a plan to move your team to Prepared or Very Prepared.

I’d like to share some highlights from the guide, and weave in some of my own best practices. These tips come from working with small to large, local to virtual organizations across California in developing and implementing data privacy business processes and protocols.

The CCPA is similar to Europe’s GDPR in many ways, but in contrast, the CCPA allows individuals to opt out of their personal information being sold by businesses. The focus of the CCPA is more narrow than the GDPR because it applies only to businesses in the state of California whose revenue is above $25 million, or to businesses that primarily sell consumers’ personal information.

Because the CCPA allows users to opt out, businesses will need to have systems in place for users to

know what data is stored on their behalf,
request a copy of said data, and
request the update or deletion of that data.

Talk to your teams and use a data dictionary to document what data is available, what can be requested, and what can be updated and/or deleted.

Determine who is responsible for managing each data element.

Design a process to send data to users and to delete data if requested.

43% of businesses have one or more people dedicated to privacy-focused roles.

With less than half of businesses having a dedicated person to track and manage data privacy, it is important that your organization ensure someone on the team is responsible for this effort.

In my Webinar Recap, I suggest that the best way to get started is to identify a data governance champion or lead. This person may be involved in data governance already, involved in tracking legislation and writing contracts, and/or responsible for reporting or analyzing data. Once identified, the role, authority, responsibilities, expectations, and timeline should be communicated internally. Charge her/him with defining a way forward, and be clear on how that plan sets the foundation for January 1, 2020 and beyond.

49% of respondents have a documented process in place for allowing customers to access, delete, or rectify their information and 54.5% have received requests for this in the past year.

Your organization may not need to follow these requirements because you do not meet the eligibility (e.g. your revenue is below $25M). However, your constituents may still desire to understand how their data is used by your organization, so you should be prepared.

Have at least one process documented that stipulates who is responsible for reviewing requests, and what are the possible options in responding to inquiries. For example:

You can use FormAssembly to build a short form (check out the 19 Web Forms by the FormAssembly Team) that requests contact information, gives a short description of data available, and gives a list of possible next steps (e.g. request a copy, delete my data).
You can also use Salesforce to set up a web-to-case form to request similar information, and embed that into an appropriate page on your organization’s website.

Read my next article “How You Can Protect Your Data” (under construction) for more tips and tricks to manage and protect your data.

Want support developing a data governance strategy?
Data governance helps organizations manage their stakeholder data and protect it from being abused, stolen, or lost. AdvancED can help you design an effective data governance strategy that will describe the steps to analyze, secure, store, and manage your organization’s stakeholder data. Schedule your free 20-min consultation now.

Related articles

Article 1: Why Data Privacy Matters
Article 2: A Review of GDPR and CCPA
Article 3: How You Can Protect Your Data (stay tuned!)

About Author: Meredith "Mer" Curry

Mer has always had a passion for education and helping historically underrepresented groups achieve access and success to higher opportunities. She has consulted nonprofits, educational institutions, and businesses in addition to her volunteerism and mentorship of students.
Learn more about Mer at www.meredithcurry.com.

0 Comments

Back to Blog

Why Data Privacy Matters

12/5/2019

4 MIN READ

This article is the 1st in a series on
"Why Data Privacy Matters."

I learned the importance of data starting in high school working at a local CPA firm in downtown San José during my summers.

Making my way through rows of filing cabinets, building up a tolerance to papercuts, and sneezing my way through dusty file folders, I took numbers off pieces of paper and turned them into financial statements. Sometimes it was straightforward data entry. Other times I double-checked the math after translating illegible debits and credits into typed balance sheets and income statements. Today I am so adept at ten-key I can type rows of numbers without looking at the keypad. I am also so grateful now for Excel formulas, pivot tables, and tools like Salesforce and FormAssembly that can bring clarity, transparency, and automation to once complex and highly manual (and thus, fraught with human error) processes.

In my over 10 years of being a certified Salesforce Administrator and over 20 years of championing Excel, I am a firm believer that the more data you can have at your fingertips, the more questions you can develop to find intelligent answers to. But in my years of working with corporations, startups, and nonprofits, I’ve seen varying levels of success making use of the data that is available.

Often, the challenge isn’t just what to do with the data you do have, but how to get the data you really need for the scale and impact you want. This might mean taking a step back and asking yourself, “What data do I have now, what am I using it for, and how has that been helpful?” It might then lead you to ask more questions like, “What data should I continue to track, what questions will they answer, and how will that be helpful in the long-term?”

SMART Goal-Setting Around Your Data
Understanding your organization’s data is important, let’s create a SMART Goal to investigate what your data looks like and what it is used for.

Read about SMART Goals in my article “Growth Mindset and SMART Goals for Professionals.”

Consider the specific goal you want to make around your data.
- S = I will create a table that tells me what data I have, where it comes from, and what it is used for.
Next, consider how you will measure success towards this goal.
- M = I will start with a blank table and each week try to fill a portion of it.
Next, decide what you will do to make this goal achievable.
- A = I will create a Google Doc with a blank table, and it will always be one of the tabs that open when I launch my browser. I will always be reminded to work on it.
Next, consider how this goal is relevant to your work or organization.
- R = Understanding my data will help me protect it for my clients and keep my team from wasting time collecting or reviewing data that isn’t useful.
Lastly, decide when you will accomplish this goal so that you can really make it actionable.
- T = I will complete the table within 30 days and I will set a deadline on my calendar.

If as a professional, manager, or executive, you are not asking yourself these questions at regular intervals (I recommend quarterly if not annually), then I highly recommend that you start now.

Once you go through this fact-finding mission of understanding what data you have and what it is used for, the next important question is, “How am I protecting it?”

I’d like to give you the use-cases, best practices, and tools to develop an intentional action plan around data privacy to ensure you are protecting the data you have and the data you intend to collect. Read my next article “A Review of GDPR and CCPA” to learn about the most important regulations and legislations that inform the policies and practices you may need to develop around data privacy.

Want support developing a data dictionary?
A data dictionary is a document (Word, Excel, whatever suits your fancy) that describes the types of data collected, the sources, the intended uses, and how the data is stored, archived, and scrubbed/deleted over time. Let’s talk about how our advisors can help you customize a data dictionary for you that tracks all of your data elements from all of your sources (e.g. Google Analytics, Salesforce, Google Sheets, Excel). Schedule your free 20-min consultation now.

Related articles

Article 1: Why Data Privacy Matters
Article 2: A Review of GDPR and CCPA
Article 3: How You Can Protect Your Data (stay tuned!)

About Author: Meredith "Mer" Curry

0 Comments

Back to Blog

Webinar Recap: California Privacy and How It Affects You

8/26/2019

6 MIN READ

Thanks to an invitation from FormAssembly, the #1 Enterprise Web Form Platform, I presented my insights and best practices on a data privacy webinar on August 21, 2019. Watch the recording and read FormAssembly’s blog here!

The webinar focused on The General Data Protection Regulation (GDPR) as well as the California Consumer Privacy Act (CCPA) which will go into effect on January 1, 2020. As FormAssembly’s guest presenter, I spoke to the implications for nonprofit and educational organizations who may not have people or processes in place to specifically track data privacy and how it impacts organizations. The following are some key insights that I shared on the webinar. Whether you are a customer whose data is getting collected, or you work for a company that collects data, this is for you!

Tackle CCPA in Three (3) Steps
The CCPA is chock full of guidance for organizations, however it may be difficult to know how to get started. I suggest the following three steps:

1. First, analyze the data you currently collect and store, and how it is currently being used and accessed. For many education and non-profit organizations specifically, documentation like data dictionaries, information governance policies, and records retention schedules are uncommon and/or out-of-date. These can be extremely helpful to develop as part of your assessment of how CCPA impacts your organization. Examples of questions you may ask yourself are:

The CCPA works on an opt-out basis while under the GDPR, consent requires a positive opt-in. What basis does your organization use to collect data from internal and external stakeholders?
Do you have a data dictionary? Even at the highest level, consider documenting the types of data collected, the sources, the intended uses, and how the data is stored, archived, and scrubbed/deleted over time.
Can stakeholders get a hold of their data from you? The CCPA highlights that people have a right to obtain and delete, or opt out of the collection, of their data.
Is there data you are collecting that you aren’t even thinking about? The CCPA has broadened the definition of consumer information to include things like internet activity, biometric data, and browser cookie data. Look at your policies around the use of data from Google Analytics and similar tools.

2. Second, develop short and long term plans to ensure your organization is in compliance with CCPA. Your analysis will likely bring up ideas and issues to solve right away or in the future. An example of an approach could look like:

In the short term, considering bringing in or creating a Data Governance Committee responsible for understanding CCPA, GDPR, and other relevant legislation at a high level.
Engage this committee by reviewing whatever analysis was done in the first step. The analysis may not include a data dictionary, but it should include a full list of the tools that will need to inform a future data dictionary. For AdvancED Consulting, that would include tools like Salesforce, FormAssembly, and Google Suite and Analytics.
Have this committee identify the top three priorities for January 2020. For this to be effective, this committee should have authority given by your leadership to make these decisions.
Document any other priorities for the 2020 calendar year that can be reprioritized by the committee at a later time.
Create action plans for your top three priorities. Review with the committee for their insights on timeline, roles, capacity, and messaging to internal and external constituents.
Finally, activate your Short Term plans!

3. Third, implement your short term plans and have a plan for the long term. After implementation, evaluate those short term plans and use that experience to inform the long term plans. This should include keeping track of updates to CCPA over time, as well as other relevant legislation. Some additional recommendations:

Set benchmarks throughout to make sure you are on target for January 2020. Re-evaluate what is priority if needed.
- For example, perhaps one long term priority is to develop a staff training around CCPA and how it applies to your teams. However, your team is now planning to hire a significant group of new staff in Q4 2019 and Q1 2020. You may re-evaluate this as one of the new top priorities in order to have all new staff champion CCPA when it comes into effect.
Once you meet your benchmarks for January 2020, re-evaluate the long-term plans and generate new short term plans for each quarter of the new year.
Develop journey maps, such as student journeys and customer journeys, about your enhancements. What did it look like before you implemented your changes, and what does it look like now that you are in compliance with CCPA? What are the benefits to your teams? To your stakeholders?

Questions and Answers
The webinar Q&A gave me the opportunity to drill deeper into the recommendations I made above around short term and long term planning. Find them below!

Q: What does it mean to develop a data dictionary?
A: A Data Dictionary is a document (Word, Excel, Google sheets, etc.) that summarizes the major data elements, their expected formats, and their sources for all data that your organization collects from California stakeholders. Common components include: Source, element/value name, description, data type, field size or character limit, last update date, example value, and validation. Once you have a data dictionary in place, it can be used as a:

Reference document for internal staff to answer questions and troubleshoot around data privacy concerns.
Reference document to define processes for scrubbing/deletion if requested.

Q: What other short and long term plans might we develop?
A: There are two more plans that I think make sense to develop in the short or long term depending on your organization’s capacity:

Data breach response plan to include scenarios involving unauthorized or improper use, collection, or sharing of data.
Data mapping policies and procedures to guarantee that any disclosures made in the privacy policy are correct and accurate.

Q: Who else do we need to involve?
A: Be strategic about who you engage internally and externally so that you have a comprehensive lens around data privacy, without having too many cooks in the kitchen hindering progress. Examples of strategic partners include:

Your legal team (internal or external) to review and revise website privacy policies, master service agreements, and employee privacy notices.
Internal staff who will be trained and held responsible for responding to privacy inquiries and complaints. This should be explicit in job descriptions or performance review documents.
Vendors and service providers that will need to review and execute updated Master Service Agreements.

Q: If we could only do one thing right now, what might it be?
AdvancED opinions and recommendations in articles should not be considered as legal advice. That said, my recommendation on how to best start this process includes:

Identify a data governance champion or lead, empowered with authority to move this forward. Once identified, the role, responsibilities, expectations, and timeline should be communicated internally.
Charge her/him with defining a way forward, and be clear on how that plan sets the foundation for January 1, 2020 and beyond.
This person may be involved in data governance already, involved in tracking legislation and writing contracts, and/or responsible for reporting or analyzing data.

Do you have additional recommendations, or questions, regarding data privacy in California? Contact me!

About Meredith "Mer" Curry

Sources:

2 Comments

AdvancED on Purpose

ADVANCED ON PURPOSE

Archives

Categories

A Review of GDPR and CCPA

About Author: Meredith "Mer" Curry

Why Data Privacy Matters

About Author: Meredith "Mer" Curry

Webinar Recap: California Privacy and How It Affects You

About Meredith "Mer" Curry