This is the Data Privacy & Cybersecurity Practice's second client alert in a series that breaks down the major elements of the California Consumer Privacy Act (CCPA), which goes into effect January 1, 2020. This post focuses on gap assessments for the CCPA. Stay tuned for additional posts and information about the CCPA.
Once a company determines that it is subject to the CCPA (see our earlier client alert discussing the applicability of the CCPA here), the next step is to conduct a gap assessment. A gap assessment, in the CCPA context, is an examination of a company's current state of compliance and, if CCPA compliance standards are not being achieved, an outline of the steps that should be taken to ensure that the company can become CCPA compliant. A general roadmap of a gap assessment follows. Keep in mind, however, that each company's gap assessment will be tailored to that company's unique circumstances.
Gap Assessment Phase 1: Information Gathering
During the information-gathering phase of the gap assessment, companies should first evaluate whether they are a "business," "service provider" or both (analogous to a "controller" or a "processor," respectively, under the EU's General Data Protection Regulation [GDPR]).
During this phase, companies should also conduct a preliminary analysis of data flow identification to better design the data mapping exercise (see phase 2):
- What personal information is generally collected
- How the personal information is used internally
- How the personal information is shared (to get a general sense prior to data mapping)
This phase of the gap assessment also involves gathering the company's existing privacy compliance materials to compare against CCPA requirements. These documents may include:
- Internal privacy policies and procedures, including procedures for honoring individual rights requests
- External privacy statements
- Training documents
- Existing vendor/supplier contracts
Gap Assessment Phase 2: Data Mapping
Although the CCPA does not require data mapping, it is a very valuable exercise to facilitate CCPA compliance. Determining a company's CCPA obligations requires a deep understanding of the ways in which the company collects, uses, transfers and disposes of data. Companies that lack the ability to identify what data they have and where it is located are ill-positioned to comply with the CCPA. Taking the time to conduct a CCPA-specific data mapping exercise (or update existing maps for CCPA) at the outset enables organizations to accurately describe their practices and prepare for compliance.
During the data mapping phase of the gap assessment, data maps are updated to identify:
- Personal information collected from California residents
- The sources of personal information collected from California residents
- Types of data subjects
- How and why California residents' personal information is used
- To whom California residents' personal information is transferred or made accessible
- The purposes for which California residents' personal information is transferred or made accessible
- Where California residents' personal information is stored
- Which personal information of California residents is exempt from CCPA (e.g., data subject to HIPAA, GLBA, DPPA and FCRA)
Gap Assessment Phase 3: Assessment
During the assessment phase of the gap assessment, the differences between the company's current practices and the practices necessary to reach CCPA compliance are evaluated. The assessment phase includes:
- A review of the CCPA standards and requirements in light of the data map results
- Identification and review of the company's current policies and procedures (e.g., website privacy statement, internal privacy policies, etc.)
- Identification of areas in which the company is or is not compliant with the CCPA
- Recommendations for compliance with the CCPA
The assessment phase is critical to identifying deficiencies in a company's practices vis--vis the CCPA. The assessment phase also provides companies with a roadmap to strengthen their program in general, since many states have proposed legislation similar in nature to the CCPA. The gap assessment is an important step toward a CCPA-compliant program.