Understand What Data Falls Under the CPRA’s Expanded Scope
CPRA's new regulations apply to more types of data. They include a new classification of sensitive personal information (SPI), which covers data such as social security numbers (SSN), driver's license numbers, biometric information, precise geolocation, racial and ethnic origin, and more. Organizations must accurately retrieve, classify, and manage this information in accordance with CPRA's data minimization and retention requirements.
Prepare for New Consumer and Employee Rights Requests
The CCPA introduced new consumer rights for California citizens, including the right to know, the right to access, the right to erasure, the right to refuse to sell data, and the right to non-discrimination. CPRA now extends these rights to correction, portability, and restrictions on the disclosure of sensitive personal information, extending these rights to employees as well.
While many organizations implementing CCPA compliance programs already have processes in place for handling consumer rights requests, employee rights requests pose some unique challenges. Granting privacy rights to employees requires organizations to parse and classify far more unstructured data. This means the need for automated discovery and data remediation becomes even more critical under the CPRA.
Update Policies for Retention & Sensitive Personal Information
CPRA introduces new requirements for collection, use, and retention of sensitive personal information, limiting it to what is necessary to provide goods and services. Implementing these policies can be a challenge for organizations that work with large amounts of data.
Perform Risk Assessments and Annual Cybersecurity Audits
The CPRA specifies that high-risk organizations, those that handle personal information or sensitive personal information, should perform periodic risk assessments similar to the data protection impact assessments (DPIAs) required in the EU under the GDPR.
CPRA risk assessments are submitted to regulatory agencies, to ensure that if an organization performs data processing activities that pose significant risks to consumer privacy or safety, the activity is carried out with an appropriate level of protection to mitigate the risks.
In addition, the CPRA requires organizations whose processing activities pose a significant risk to consumer privacy or security to conduct an annual, independent cybersecurity audit.