The CDPA borrows a lot from the European GDPR, California's CCPA, and the CCPA's update, the CPRA. Having experience with customers that must comply with both regulations, and being subject to the GDPR ourselves, we'd like to share with you why automating data lineage in the preparation phase is crucial for CDPA compliance.
Two main thresholds impose CDPA obligations on businesses. Businesses are subject to the CDPA if they:
Similar to the GDPR and CCPA, the CDPA defines personal data as any information that is linked or can be linked to an identifiable person. Information that is publicly available in federal, state, or local government records is not defined as personal data under the CDPA.
On top of personal data, certain types of data fall under the sensitive data category that is subject to additional, stricter requirements and restrictions. Sensitive data includes:
There are several exemptions from the CDPA, such as financial institutions subject to the GLBA (the Gramm-Leach-Bliley Act) and businesses subject to HIPAA (the Health Insurance Portability and Accountability Act).
If your business is subject to the new regulation, you are required to:
Covered businesses are required to conduct risk assessments on their data protection practices. These risk assessments must be taken when the covered business activities involve:
If you are familiar with European and California data privacy laws, you will see numerous similarities: in how personal data is defined, in the requirement to obtain consent before processing sensitive data, and in the application of the law to businesses that target Virginians but are not necessarily located in the state. Just like under the GDPR, under the CDPA consumers will have the following rights with respect to their personal data.
What if your business fails to meet the CDPA obligations? Non-compliance has a hefty price of $7,500 per violation.
It might seem that there's still plenty of time before the regulation comes into effect (January 1st, 2023), but the truth is that the time to comply is now. The key to becoming and staying compliant is to automate data lineage collection in the preparation phase. Mapping the whole environment in advance will give you an overview of all the data your company is storing and processing. Doing it automatically ensures that the results are complete, accurate, and up to date and that they include every data source, no matter how large your data environment is or how scattered your data assets might be. Completeness and accuracy are crucial for identifying all data that is defined as either personal or sensitive. With such an overview and a generated map of the whole environment, you can take the next steps toward full compliance.
With the full transparency that end-to-end lineage gives you, you will find it easier to implement data security measures required by the CDPA. Knowing exactly what data your organization is processing, how this data entered your systems, and how it’s connected with other data assets will allow you to establish or enhance current data security practices and prevent data breaches.
Why should you automate data lineage in the initial phases of a data governance initiative? Read the article by Nicola Askham, the Data Governance Coach.
So, you have harvested data lineage across all systems, you know where the data originates, you have identified personal and sensitive data, and you are CDPA-ready. You might think your journey with automated lineage can end here. Not exactly. Automating data governance well in advance will, indeed, give you time to map the environment and prepare for January 2023 without rushing into it. Still, without regular monitoring and reporting afterward, all your efforts will be wasted.
How can data lineage help once the CDPA comes into effect? It will help you make sure that you are fulfilling your obligations towards consumers. All the rights they have under the CDPA (the rights to know, access, correct inaccuracies, delete, port, and opt out) can be granted only after you have located the consumer's data. Doing this manually carries a high risk of missing a record that is buried somewhere in a database or that was overlooked because its format changed during an ETL process. Automating these efforts not only ensures accuracy and eliminates the risk of human error but also ensures that you can respond to consumer requests within the time limits the CDPA imposes.
Working with customers from all over the world who are subject to various international, federal, and state privacy laws has taught us that the sooner you automate lineage collection, the better. Having a complete overview of what data you process, where it comes from, how it is transformed, where it resides, and how it is connected will help you align your data governance practices with your business needs, regulatory requirements, and consumer needs without compromising any of them. Do you want to know more about data lineage for data governance? Read more here.
Do you want to know how our customers leveraged MANTA’s automated lineage when preparing for GDPR and CDPA? Send us a message at manta@getmanta.com and schedule a meeting with a representative.