Six Month Countdown to CCPA: The 10 Information Governance Steps Needed for Compliance

In our quick 10-step guide, we provide an overview of the Information Governance steps needed to prepare for the CCPA, which are also worth considering more broadly as you build your privacy program. With CCPA going into effect January 2020, it is important to consider that CCPA may be a catalyst for data privacy in the United States. Organizations must start preparing now, leveraging similar activities that have already been initiated to accelerate their CCPA readiness. Preparing for CCPA will undoubtedly put organizations in a better position to comply with other new US privacy regulations that are bound to be enacted soon.

10 Information Governance Steps to Consider for CCPA Readiness


1. Define Requirements
Organizations potentially subject to CCPA must understand and document their privacy requirements, understand timelines, set milestones, and assign responsibilities for executing the plan.



2. Perform Assessments
Assess your current state to determine how ready (or not) you are to meet these new regulatory obligations. A current state assessment should focus on the key points of the regulations.


3. Identify Synergies
Ensure you include stakeholders from different parts of your organization.  Understanding each function’s major initiatives is critical in designing a comprehensive program to address current and future needs. By aligning each constituency, you can build out a privacy program that is not only compliant with broad frameworks like CCPA, but also addresses specific needs across the organization.


4. Identify and Address Gaps
Potential gaps will be identified as requirements are defined and assessments take place. A mitigation plan should be developed to address the gaps.


5. Implement Change Management
Addressing the requirements of legislation can sometimes lead to potentially unsettling and disruptive changes in business processes if proper planning does not take place.


6. Train and Create Awareness 
Many organizations do not have data privacy related training offerings. Training should be developed, implemented, and measured to confirm that employees know the subject matter.


7. Communicate and Socialize the Program
Changes to policies and related procedures will need to be clearly communicated across the organization. Think of the ways you typically conduct outreach, including existing staff meetings, email communications, etc.


8. Update Documentation 
Consider using CCPA preparation as a catalyst to review and update company documentation.


9. Implement the Program
With a 12-month “look back” requiring companies to catalog, preserve, and be prepared to disclose personal information dating back 12 months before CCPA’s effective date, organizations should be documenting processes now, so they have current information about how they use and share data.


10. Monitor and Maintain the Program
While preparing for CCPA may be a focus within your organization, it should ultimately fold into more robust privacy program initiatives.


For more detailed information on each of our 10 steps, please view our insight.