Webinar Recap: California Privacy and How It Affects You

6 MIN READ

Thanks to an invitation from FormAssembly, the #1 Enterprise Web Form Platform, I presented my insights and best practices on a data privacy webinar on August 21, 2019. Watch the recording and read FormAssembly’s blog here!
​
The webinar focused on The General Data Protection Regulation (GDPR) as well as the California Consumer Privacy Act (CCPA) which will go into effect on January 1, 2020. As FormAssembly’s guest presenter, I spoke to the implications for nonprofit and educational organizations who may not have people or processes in place to specifically track data privacy and how it impacts organizations. The following are some key insights that I shared on the webinar. Whether you are a customer whose data is getting collected, or you work for a company that collects data, this is for you!

Tackle CCPA in Three (3) Steps
The CCPA is chock full of guidance for organizations, however it may be difficult to know how to get started. I suggest the following three steps:

1. First, analyze the data you currently collect and store, and how it is currently being used and accessed. For many education and non-profit organizations specifically, documentation like data dictionaries, information governance policies, and records retention schedules are uncommon and/or out-of-date. These can be extremely helpful to develop as part of your assessment of how CCPA impacts your organization. Examples of questions you may ask yourself are:

• The CCPA works on an opt-out basis while under the GDPR, consent requires a positive opt-in. What basis does your organization use to collect data from internal and external stakeholders?
• Do you have a data dictionary? Even at the highest level, consider documenting the types of data collected, the sources, the intended uses, and how the data is stored, archived, and scrubbed/deleted over time.
• Can stakeholders get a hold of their data from you? The CCPA highlights that people have a right to obtain and delete, or opt out of the collection, of their data.
• Is there data you are collecting that you aren’t even thinking about? The CCPA has broadened the definition of consumer information to include things like internet activity, biometric data, and browser cookie data. Look at your policies around the use of data from Google Analytics and similar tools.

​2. Second, develop short and long term plans to ensure your organization is in compliance with CCPA. Your analysis will likely bring up ideas and issues to solve right away or in the future. An example of an approach could look like:

• In the short term, considering bringing in or creating a Data Governance Committee responsible for understanding CCPA, GDPR, and other relevant legislation at a high level.
• Engage this committee by reviewing whatever analysis was done in the first step. The analysis may not include a data dictionary, but it should include a full list of the tools that will need to inform a future data dictionary. For AdvancED Consulting, that would include tools like Salesforce, FormAssembly, and Google Suite and Analytics.
• Have this committee identify the top three priorities for January 2020. For this to be effective, this committee should have authority given by your leadership to make these decisions.
• Document any other priorities for the 2020 calendar year that can be reprioritized by the committee at a later time.
• Create action plans for your top three priorities. Review with the committee for their insights on timeline, roles, capacity, and messaging to internal and external constituents.
• Finally, activate your Short Term plans!

3. Third, implement your short term plans and have a plan for the long term. After implementation, evaluate those short term plans and use that experience to inform the long term plans. This should include keeping track of updates to CCPA over time, as well as other relevant legislation. Some additional recommendations:

• Set benchmarks throughout to make sure you are on target for January 2020. Re-evaluate what is priority if needed. 
  • ​​For example, perhaps one long term priority is to develop a staff training around CCPA and how it applies to your teams. However, your team is now planning to hire a significant group of new staff in Q4 2019 and Q1 2020. You may re-evaluate this as one of the new top priorities in order to have all new staff champion CCPA when it comes into effect.
• Once you meet your benchmarks for January 2020, re-evaluate the long-term plans and generate new short term plans for each quarter of the new year.
• Develop journey maps, such as student journeys and customer journeys, about your enhancements. What did it look like before you implemented your changes, and what does it look like now that you are in compliance with CCPA? What are the benefits to your teams? To your stakeholders?

Questions and Answers
The webinar Q&A gave me the opportunity to drill deeper into the recommendations I made above around short term and long term planning. Find them below!

Q: What does it mean to develop a data dictionary?
A: A Data Dictionary is a document (Word, Excel, Google sheets, etc.) that summarizes the major data elements, their expected formats, and their sources for all data that your organization collects from California stakeholders. Common components include: Source, element/value name, description, data type, field size or character limit, last update date, example value, and validation. Once you have a data dictionary in place, it can be used as a:

• Reference document for internal staff to answer questions and troubleshoot around data privacy concerns.
• Reference document to define processes for scrubbing/deletion if requested.

Q: What other short and long term plans might we develop?
A: There are two more plans that I think make sense to develop in the short or long term depending on your organization’s capacity:

• Data breach response plan to include scenarios involving unauthorized or improper use, collection, or sharing of data.
• Data mapping policies and procedures to guarantee that any disclosures made in the privacy policy are correct and accurate.

​Q: Who else do we need to involve?
A: Be strategic about who you engage internally and externally so that you have a comprehensive lens around data privacy, without having too many cooks in the kitchen hindering progress. Examples of strategic partners include:

• Your legal team (internal or external) to review and revise website privacy policies, master service agreements, and employee privacy notices.
• Internal staff who will be trained and held responsible for responding to privacy inquiries and complaints. This should be explicit in job descriptions or performance review documents.
• Vendors and service providers that will need to review and execute updated Master Service Agreements.

Q: If we could only do one thing right now, what might it be?
AdvancED opinions and recommendations in articles should not be considered as legal advice. That said, my recommendation on how to best start this process includes:

• Identify a data governance champion or lead, empowered with authority to move this forward. Once identified, the role, responsibilities, expectations, and timeline should be communicated internally.
• Charge her/him with defining a way forward, and be clear on how that plan sets the foundation for January 1, 2020 and beyond.
• This person may be involved in data governance already, involved in tracking legislation and writing contracts, and/or responsible for reporting or analyzing data.

Do you have additional recommendations, or questions, regarding data privacy in California? Contact me!

About Meredith "Mer" Curry

​Mer has always had a passion for education and helping historically underrepresented groups achieve access and success to higher opportunities. She has consulted nonprofits, educational institutions, and businesses in addition to her volunteerism and mentorship of students.
Learn more about Mer at www.meredithcurry.com.

---

Sources:

• FormAssembly Blog: https://www.formassembly.com/blog/webinar-recap-data-privacy-trends-regulations-best-practices/
• https://www.caprivacy.org/
• https://fpf.org/wp-content/uploads/2018/11/GDPR_CCPA_Comparison-Guide.pdf
• https://www.dataprotectionreport.com/2019/02/gdpr-ccpa-and-beyond-changes-in-data-privacy-laws-and-enforcement-risks-to-monitor-in-2019/
• https://econsultancy.com/california-consumer-privacy-act-ccpa-changed-data-privacy-united-states/
• https://www.bakerlaw.com/USConsumerPrivacyandtheCCPA