It’s official: the California Consumer Privacy Act (CCPA) will come into effect in large part intact on Jan 1, 2020 after a series of bills to modify provisions met with mixed outcomes. Now the focus will (or should) swing squarely to what needs to be done to comply, and especially how to best apply technology, processes and expertise to manage, monitor and validate the CCPA’s requirements – as they apply to each business’s specific circumstances.
But the impact of CCPA is not confined to California residents. The law is seen as a de facto standard since it is a harbinger of more regulations, whether at a state or federal level. And with greater regulation comes greater operational complexity that can no longer be sustained with ad hoc and manual processes that are not directly tied to data knowledge. At the heart of sustainable privacy compliance is privacy-centric data discovery and automation.
Without a systematic and up-to-date understanding of whose data an enterprise stores, processes and transfers, where that data is and what it is, it’s simply not practical to scale and automate privacy compliance – or operate with any degree of certainty that key requirements like data access rights and third party transfer reporting are being met. But equally, while privacy data intelligence is a foundational element, it is one element in a broader, and increasingly robust, privacy ecosystem.
As a pioneer in privacy-centric data discovery and automation, we have responded to the market’s needs with:
– Extending data discovery and classification with support for data in motion, especially for managing, monitoring and validating third party transfer data pipelines
– Launching the BigID Ready Program to enable seamless interoperability and integration of BigID’s data intelligence with a broad range of partners, including SAP, ASG, TrustArc, Nymity, Centrl, Immuta, Ionic Security, and Wirewheel.
Our new data pipeline discovery capabilities were developed in direct response to customer needs for operationalizing CCPA’s third party data sharing requirements.
While many organizations have explicit contractual provisions in place to cover data sharing business relationships, the validation of third party data flows is still largely done manually. Meanwhile, data streaming technologies like Apache Kafka and AWS Kinesis, which are increasingly embraced by IT and application development teams for business transformation initiatives, are often used to facilitate data sharing across business units, enrichment for analytics and data transfers.
Lack of visibility and direct insight into these data streaming technologies, such as Apache, which are often used by application development teams specifically to transfer personal information for marketing analytics or “customer 360” initiatives, means blind spots for compliance oversight – and raises a set of operational challenges for honoring the Opt-Out or Do Not Sell requests mandated under CCPA.
In fact, managing the lifecycle of data access rights from request to fulfillment – including Do Not Sell requests – features prominently as the most daunting operational challenge for organizations to comply with regulations like CCPA and the EU GDPR. The BigID Ready Program is aimed at helping companies automatically fulfill data access rights, which are at the heart of privacy regulations emerging across the globe. The BigID Ready Partner Program delivers flexible integration with the BigID enterprise platform (including tools, documentation, and APIs), enabling partners to leverage BigID’s advanced data discovery & intelligence with existing privacy management policies and workflows for sustainable compliance.
By facilitating integration, BigID enables organizations to manage the data access rights lifecycle from inbound requests to automated fulfillment. Planned deeper integration will allow organizations to leverage additional data governance tools to document, govern, and collaborate on data flows and data elements.
Seen in combination, these two announcements reinforce BigID’s strategy: help companies better understand their data, empower them to take proactive compliance steps based on that data intelligence, and leverage the tools, processes and workflows that they have implemented to operationalize their policies.
We have now set the stage for an integration path that supplements, with data-driven insights, a centralized registry of third parties and legal contracts used for reporting on how personal information should be shared, and that correlates requests from a preference management system to manage, monitor and validate not only what data, but also whose data, is shared – making automated operationalization of Do Not Sell requests at scale a practical reality.