California Consumer Privacy Act (CCPA): How to Leverage Your Investment in ServiceNow to Comply with the CCPA
In a previous blog, Mike DeAndrea, GRC Practitioner and Advisory Solution Architect at Milestone, shared important information about the new California Consumer Privacy Act. Today, Mike shares how to leverage your investment in ServiceNow to address the CCPA requirements and support your compliance program.
A Quick Recap of CCPA
The new California Consumer Privacy Act, which becomes effective on January 1, 2020 and enforceable on July 1, 2020, grants California residents the right to:
- Request a free copy of their personal information.
- Request that their personal information be deleted or not sold
- Bring civil actions against companies that fail to protect their personal information
It also empowers the California Attorney General (CAG) to legally enforce these rights.
What This Means for You
If your company is one of the several hundred thousand across the United States that must comply with the CCPA, you will need to implement policies, procedures, and protocols that:
- Enable California consumers to exercise their rights (i.e., submit ‘Consumer Requests’).
- Ensure consumer requests are fulfilled completely, accurately, and timely (i.e., within the 45-day limit mandated by the law).
- Ensure safeguards are in place to protect consumer personal data in your possession.
Enabling Your Organization to Respond to Requests
To ensure your organization responds to consumer requests completely, accurately, and timely, you need to know:
- What personal information you have
- Where that information is located
- How that information is being used in your organization
- Know where the information was collected
- Whether the information has subsequently been sold and to whom
- How personal data is categorized
Once you know the layout and workings of your data estate, you need to establish workflows for processing the various types of requests – access, delete, or opt-out.
Safeguarding Consumer Personal Information
The CCPA defines ‘personal information’ more broadly than any previous privacy law. So broadly, in fact, that just about any data you collect that relates to a consumer as an individual is considered personal data.
To safeguard this personal data, the CCPA requires you to implement “reasonable” security. However, it doesn’t define what constitutes ‘reasonable.’ Until further clarification from the California Attorney General, best practice is to implement a risk-based security program that complies with frameworks common to your industry such as NIST 800-53, ISO 27001, or COBIT. As a minimum, you should consider implementing the Internet Security Critical Security Controls (CIS Controls), which the California Attorney General cited as being ‘reasonable’ in a 2016 data breach report.
How to Leverage ServiceNow
ServiceNow provides a robust set of tightly-integrated capabilities that can be leveraged to implement a highly-efficient and effective CCPA compliance program.
- ServiceNow Customer Service Management (CSM): The CSM application can be leveraged to enable California consumers to exercise their rights.
- ServiceNow Security Operations Management (SOM): In terms of the CCPA, The SOM provides the essential automated oversight and monitoring capabilities required to safeguard your consumer data.
- ServiceNow Governance, Risk, and Compliance (GRC): The policy management capabilities of the application can be leveraged to centralize your privacy policies and to ensure those policies are reviewed and updated annually. For example, the CCPA calls for the annual review of your online privacy policies.
- ServiceNow Orchestration: Orchestration can be used to propagate a signal across your data estate to automatically delete, pull a copy of, or flag personal data as ‘do not sell’ in response to a delete, access, or opt-out request.
How Milestone Can Help
Milestone can help translate legal requirements cited in the CCPA into ServiceNow developer requirements (i.e., stories) that will help establish a common vision across stakeholders, jumpstart your project, and minimize the time-to-value.
We will help you prepare, implementing a regulatory compliance solution that not only addresses the needs of the CCPA, but enables your organization to readily embrace emerging laws and regulations.
Mike DeAndrea, GRC Practitioner and Advisory Solution Architect, Milestone Technologies
With more than 20 years of applied expertise in Governance, Risk, and Compliance, Mike helps Milestone customers understand how they can leverage the power of ServiceNow to meet their regulatory compliance needs in the shortest time. Mike has extensive experience both as a practitioner and a consultant. As a practitioner, he managed the compliance efforts of a large enterprise-wide IT operations department of a multi-billion-dollar, multi-national company for several years. As a consultant, Mike has been helping high-profile customers deploy GRC solutions in ServiceNow for over five years. He maintains a number of ServiceNow and industry certifications, and specializes in designing compliance solutions that are not only effective but also highly efficient, that minimize the time to value, and that drive down the cost, burden, and impact of compliance on your organization.