Author of Tomorrow's Jobs Today
Does your business know how to report a #databreach should it occur? Having a partner to help when facing the reporting responsibility could make all the difference when reporting to those affected and all regulatory entities. #dataprotection #dataprivacy #compliance
I was recently interviewed for an article on Data Governance & Privacy for a number of periodicals including Info Risk Today on “Data Governance: How to Tackle 3 Key Issues: The Importance of Accountability, Data Inventory, and Automation. Below is the full text of my interview for additional context.
While global privacy regulations like the GDPR and CCPA have greatly impacted contemporary data governance discussions, enterprise projects, and software solutions, we often forget that privacy itself is far from a novel concept and, in fact, one with deep roots in centuries-old ethics and social mores. What’s different now, or even from twenty years back, and what does that mean for data governance today?
The truth is that many companies have had to comply with at least some privacy requirements for decades, but the ease of digitally storing and monetizing personal information has now run up against the rights of consumers to access and in some sense, reclaim ownership of that data. That’s a paradigm shift that introduces a number of logistical burdens that some organizations, even relatively new ones, are not prepared to deal with. Especially since IT infrastructures and dependencies change quite rapidly. So the question becomes how do we build data governance rules that can keep up with these nuanced laws and demands while still supporting the greater needs of the business? The severity of fines and reputation damage from non-compliance has forced us to sit around the table and try to find the right balance between risk and reward. I think ultimately privacy-by-design as a fundamental aspect of enterprise architecture will bring needed order to some organizations despite handicapping them in the near term.
The second challenge is also privacy related, but in terms of exposure, much more consequential. Data breaches and ransomware have inundated infosec teams and exploiting poor data governance models is routine for hackers. Most breaches obviously originate with end-users, but the protection, encryption, anonymization, etc. of private data sets requires thoughtful and strict data governance to sustain disruption. How do meet that high bar and also provide a seamless customer experience? That’s a work in progress.
We try to spend as much of our time understanding the regulatory environment our client is subject to as much as their risk tolerance. You can always look for a baseline in terms of a particular set of laws, but often a best practice approach makes more sense in the long run. I think a solution needs to be proportional to an organization’s true risk, and while it must meet certain standards, your compliance professionals, data fulfillment service teams and IT support must be able to work with each other and speak the same language. It’s not as simple as throwing together a data map. This is, to your previous question, a challenge because the stakes are now much higher and teams must now not only support each other’s requirements but go farther in understanding and appreciating the very nature of those rules. It’s not just collecting the metadata, it’s understanding the relation of the attributes not simply from a database perspective but from an ethical one. This is a convergence of law and technology that requires true cross-functional teamwork, where each stakeholder must respect and value the contribution of his or her colleague. It’s just not enough to know your little corner of the universe anymore. At Compliance & Privacy Partners we aim to facilitate discussions that enable that synergy and eventually support change management goals.
As far as privacy goes, and despite its long history as a basic component of ethics and law, most groups still haven’t understood you can’t just throw bodies and technology at something like this. The specialty is too new and the laws are in many cases too vague to leave it up to a project manager, a lawyer, a vendor, and an enterprise architect. I’m seeing a lot of companies try to check off details of regulations without understanding exactly how they fit together. What ends up happening is a whole lot of talk, a whole lot of capital spend and very little result. Companies have to take a step back. The smartest know they need to bring somebody in who can provide an overview and roadmap for their particular challenges and then take next steps. That planning is what’s really going to set up their in-house teams and leaders for long-term success.
From my perspective, it would be to actually value privacy, not just as a consumer yourself, but as a smart business decision. Customers want companies they can trust and who provide solutions that help them solve their problem, but also don’t exploit their data. Do unto others as they say. I think building a culture that can internalize that as a golden rule will be transformative and lead to better data governance across the board.
Rafael Moscatel, CIPM, CRM, IGP, is the Managing Director of Compliance and Privacy Partners. He has developed large-scale information management, privacy and digital transformation programs for Fortune 500 companies such as Paramount Pictures and Farmers Insurance. His latest book, Tomorrow’s Jobs Today, is available soon from John Hunt Publishing. Contact him at www.capp-llc.com or follow him on Twitter @rafael_moscatel.
“California Consumer Privacy Act – Now What Do We Do?”
Register here: https://zoom.us/webinar/register/WN_inuTshVvT9SAQ_XGa
Learn: Why data protection and privacy are important to my business What to do in case of a data breach Preparation for a cyber-attack Preparation for CCPA Preparation for PII/PHI breach response
When: Wednesday, Jan. 22, 2020 Time: 10 a.m. PST/1 p.m. EST
On October 10, 2018, the Attorney General released proposed regulations for the California Consumer Privacy Act of 2018 (CCPA). The California Department of Justice (DOJ) will hold four public hearings to provide all interested persons the opportunity to present statements or comments on the proposed regulations, as detailed below. The hearings will begin promptly at 10:00 a.m. and will conclude when the last speaker has finished their presentation. Please note that attendees may be required to go through building security before entering each venue. For more information about the public hearings, and to RSVP, please visit: https://www.oag.ca.gov/privacy/ccpa/rsvp.
The deadline to submit written comments is December 6, 2019 at 5:00 p.m. (PST). Comments may be submitted via email (PrivacyRegulations@doj.ca.gov), mail (Privacy Regulations Coordinator, California Office of the Attorney General, 300 South Spring Street, First Floor, Los Angeles, CA 90013), or at the public hearings.
Please visit www.oag.ca.gov/privacy/ccpa for information about the DOJ’s CCPA rulemaking process, including the following newly added pdfs: Tips on Submitting Effective Comments and Information about the Rulemaking Process.
PUBLIC HEARING DATES
Sacramento
December 2, 2019; 10:00 a.m.
CalEPA Building
Coastal Room, 2nd Floor
1001 I Street
Sacramento, CA 95814
Los Angeles
December 3, 2019; 10:00 a.m.
Ronald Reagan Building
Auditorium, 1st Floor
300 S. Spring Street
Los Angeles, CA 90013
San Francisco
December 4, 2019; 10:00 a.m.
Milton Marks Conference Center
Lower Level
455 Golden Gate Ave.
San Francisco, CA 94102
Fresno
December 5, 2019; 10:00 a.m.
Fresno Hugh Burns Building
Assembly Room #1036
2550 Mariposa Mall
Fresno, CA 93721
Compliance & Privacy Partners provides smart and affordable privacy compliance, data governance and risk-management solutions designed to help organizations build privacy programs, assess, manage and remediate risks and demonstrate defensible compliance. We offer and support a variety of data privacy management platforms which include data subject fulfillment workflows, records and PI inventory management, vendor assessment and policy adherence tools, privacy impact assessments, file analysis projects and records retention enforcement.
On Monday, November 18th, Google AdSense pushed out the following updates regarding the California Consumer Privacy Act:
from Google:
| The California Consumer Privacy Act (CCPA) is a new data privacy law that applies to certain businesses which collect personal information from California residents. The new law goes into effect on January 1, 2020. |
| Google already offers data protection terms pursuant to the General Data Protection Regulation (GDPR) in Europe. We are now also offering service provider terms under the CCPA, which will supplement those existing data protection terms (revised to reflect the CCPA), effective January 1, 2020. For customers on our online contracts and updated platform contracts, the service provider terms will be incorporated into our existing contracts via the data protection terms. For such customers, there is no action required on your part to add the service provider terms into your contract. |
| These service provider terms will be made available alongside new tools for partners to enable restricted data processing. Restricted data processing is intended to help partners prepare for CCPA. Some partners may decide to send a restricted data processing signal for users who click a CCPA opt-out link. Other partners may decide to enable restricted data processing for all users in California via a control in our products. Subject to the service provider terms, we will act as your CCPA service provider with respect to data processed while restricted data processing is enabled. You can refer to this article for more information on restricted data processing and to determine whether restricted data processing meets your CCPA compliance needs. Please also refer to our Help Center articles for Ad Manager, AdMob, AdSense for more information on enabling restricted data processing. |
| Please see privacy.google.com/businesses for more information about Google’s data privacy policies. |
Compliance & Privacy Partners provides smart and affordable privacy compliance, data governance and risk-management solutions designed to help organizations build privacy programs, assess, manage and remediate risks and demonstrate defensible compliance. We offer and support a variety of data privacy management platforms which include data subject fulfillment workflows, records and PI inventory management, vendor assessment and policy adherence tools, privacy impact assessments, file analysis projects and records retention enforcement.
As I’ve traveled around California doing my “Blessings of the CCPA” presentation, I’ve been asked repeatedly about the “average” cost of a CCPA solution from CFO’s, GC’s and IT folks alike. It’s a loaded question as there are many requirements to the law, from policy and website disclosures to consumer data request obligations. One size does not fit all and your organization needs to spend time methodically planning its approach before setting aside budget and other resources.
While some unprepared organizations may need to beef up spending in the near-term, others may end up refining their programs over the coming years as they realize their initial investment wasn’t as strategic as it probably needs to be.
Click here for a free CCPA Roadmap from Compliance and Privacy Partners.
Clearly, all of us subject to the law need to protect our business and expect some activity, whether it be through consumer requests or even the limited right of private action afforded by the CCPA. That doesn’t mean you turn your entire organization upside down and fork over hundreds of thousands of dollars in licensing ransom! Change management on this scale first requires proper risk analysis, roadmapping and getting stakeholders to buy-in and be accountable.
Before you embark on this journey to become a privacy-centric company, the real question you should be asking yourself is….
Are there consultants and affordable software solutions out there that will leverage our resources and best minds to help us implement a proportional strategy that protects us?
The answer to that last question is YES!
Long-term solutions need to be fact-based and reasonable, recognizing the unique facets of your culture and business model. Big, complex and expensive isn’t always better.
It’s true there are some amazingly fancy privacy software products out there. But do you really want to spend a quarter to half-a-million dollars a year to fend off what might ultimately be a handful of consumer requests and opt-outs, when you can do the exact same thing with a far less expensive and better tool?
There are so many vendors playing in the privacy space today and way too many folks are impulsively investing either too heavily or disproportionately in them just to “check the box.” Yes, of course you need to “check the box,” but running headfirst into this regulatory challenge could leave you with a budget nightmare and organizational headache you’ll soon regret.
The bottom line is your investment needs to be proportional to your risk profile and the complexity of your infrastructure and organization. Even then, you may not need a solution that costs you hundreds of thousands of dollars when you could be compliant and sleep comfortably for under $50,000 a year.
Call us today at 323-413-7432, schedule a free consultation or visit us at www.capp-llc.com to learn more about our tailored privacy compliance solutions.
In response to recent stateside efforts to enshrine data protection including the California Consumer Privacy Act (CCPA), organizations are revisiting the efficacy of their Data and Information Governance (IG) programs. Laws and regulations vary by industry and company size. Yet each intend to protect consumer’s personal data by prescribing technical and governance standards backed by stiff penalties for non-compliance.
New regulations governing use of customer and personal data needn’t be burdensome. Rather, they help reduce expenses and monetize the information lifecycle, identify opportunities for better governance to avoid fines and litigation exposure and foster trust to enhance customer experiences. Download this FREE detailed CCPA roadmap to see how you can get your company on the path to compliance.
Our consulting and software solutions enable clients to comply with CCPA provisions 1798.110(a)(4), 1798.100, 1798.105, 1798.110, 1798.120, 1798.145, 1798.140, 1798.150
Call us today to see how we can help you with:
Rafael Moscatel, managing director at CAPP, joins GRC & Me to discuss how his background in law and consulting ultimately led him to the world of GRC. He shares how one tweet led to a watershed moment in compliance and privacy, and tells his deeply personal connection to California adoption records. Rafael also explains how CCPA should be viewed as a blessing that helps better understand what’s “under the hood” of your company.
[01:28] Rafael’s background in law and consulting
[02:35] Discussing Rafel’s company and beginnings
[04:36] The “Olympics of Privacy”
[05:59] A watershed moment in Compliance and Privacy
[08:05] Rafael’s personal connection to records in California
[09:05] The incredible moment Rafael received his birth records
[12:00] The “blessing” of CCPA
[14:11] Rafael’s personal opinion of CCPA
[16:19] Best practices for privacy and policy management
[19:30] Policy management systems
[21:04] How to read more about Rafael’s thoughts on these issues
[22:58] The Little Girl With The Big Voice
[24:03] Vendor Risk Management
[25:00] Being mindful of what’s outside your company walls as well as what’s within them
When: Oct 30, 2019 from 12:00 PM to 1:30 PM (PT)
Where: Klinedinst, 501 West Broadway, Suite 600 San Diego, CA 92101
We share and store our most sensitive personally identifiable information (PII) on countless computers, networks, and devices. Within an organization, PII can be found scattered in emails, databases, shared drives and more. The new California Consumer Privacy Act (CCPA) is making a strong privacy program an essential part of an organization’s records and information governance program. Join our presentation as we discuss:
Faron Lyons – Enterprise Account Manager, Blackberry
Rafael Moscatel – Managing Director, Compliance and Privacy Partners
Media Contact: Ally Bertik ally@marketingmaven.com (310) 405-0358
Williams Data Management to Host Data Protection Lunch at Century City Chamber of Commerce
Leader in Data Protection Partners with Cyber Hygienist and Technology Expert to Discuss How Fiduciaries Can Prepare and Protect Their Businesses for Data Breaches
_____________________________________________________________________________
LOS ANGELES. – (September 18, 2019) – Williams Data Management, southern California’s leader in data protection, has partnered with Rafael Moscatel, managing director of Compliance and Privacy Partners, and George Baldonado, president and CEO of Oasis Technology, Inc. to host a “Data Protection, A Primer For Your Fiduciary: It’s Your Business, Protect It!” lunch in conjunction with the Century City Chamber of Commerce. The panel will take place from 11:30 a.m. to 1 p.m. on October 3, 2019 at Greenberg Glusker, 1900 Avenue of the Stars, Suite 1400 in Century City, California.
Data Protection Pro, Douglas C. Williams, president and CEO of Williams Data Management will discuss how small businesses can take advantage of a data breach reporting service powered by CSR Privacy Solutions, Inc. to enable companies to protect Personally Identifiable Information (PII). Other topics will include the California Consumer Privacy Act (CCPA), cyber security protection and data governance.
“We are thrilled to lead the conversation for fiduciaries on how to better protect their businesses,” said Williams. “Our goal is to keep your information safe, secure and available regardless of what it is or where it is stored. We hope to provide a clear solution for companies in all industries moving forward, especially with our new data protection suite that provides a pathway for self-assessment and structural gap analysis for internal management.”
Guests will have the opportunity to network with business professionals, engage in this informative panel with expert sources and enjoy lunch provided by Williams Data Management.
To learn more or register for the data protection lunch, please visit https://business.centurycitycc.com/events/details/data-protection-a-primer-for-your-fiduciary-it-s-your-business-protect-it-1704.
About Williams Data Management
Williams Data Management is southern California’s leading source for data protection management. The company educates, consults, has the source materials, and provides the structure for self-assessment and corporate plan structure for information breach notifications in the United States. Over the last decade, the firm has become an expert solution provider, offering professional records management, data protection, imaging and digitization, cloud storage and certified data destruction services to all sectors and sizes of businesses.
Williams holds numerous certifications for data compliance and destruction including SSAE16, NAID “AAA” Certification, and is a member of PRISM. For more information, visit www.williamsdatamanagement.com or call 888-478-FILE.
About Century City Chamber of Commerce
The Century City Chamber of Commerce is one of Los Angeles’ most active, involved and relationship-driven chambers. The chamber places a special emphasis on its members working together to build effective relationships and relevant programs that help individuals and companies expand their marketplace reach. Under the clear and powerful guidance of many energetic committees and councils, the Century City Chamber has grown to encompass representatives from virtually every industry, helping to make Century City one of Los Angeles’ most prestigious business communities. From the largest corporations to mid-sized businesses and emerging entrepreneurs, its diverse members thrive with one another and with key decision makers.
# # #
Content may still be king, but now the rights to some of it may belong to the people! In response to the EU’s General Data Protection Requirement (GDPR) and recent stateside efforts to enshrine data protection including the California Consumer Privacy Act (CCPA), organizations are revisiting the efficacy of their Data and Information Governance (IG) programs. Laws and regulations vary by industry and company size but each intend to protect consumer’s personal data by prescribing technical and governance standards backed by stiff penalties for non-compliance.
Notably, while many companies are already familiar with records retention laws, these latest controls also introduce a duty to destroy data once no longer required for a legitimate business purpose. For entities that have grown accustomed to leveraging cheap digital storage, this new responsibility presents a number of logistical hurdles.
However, directives on how you may use your customer’s data or any other information you store doesn’t necessarily have to be burdensome. In fact, these new guardrails present numerous opportunities to implement better governance, monetize the lifecycle of information assets and foster trustworthy relationships that can actually enhance the customer experience.
These 7 tips can help prepare your data to support an IG strategy:
By complementing policy frameworks and toolsets with the types of Information Governance approaches noted here we can better enable our workforce to hone their knowledge skills, achieve defensible destruction and improve audit outcomes. In effect, we are future proofing ourselves for a business world destined to face increased scrutiny and under siege from data breaches and privacy issues with seemingly no end in sight. IG is the bright light at the end of that tunnel.
Rafael Moscatel, CRM, IGP, is the Managing Director of Compliance and Privacy Partners, LLC. Reach him at 323-413-7432, follow him on Twitter at @rafael_moscatel or visit http://www.capp-llc.com to learn more.
Originally published in Document Media Magazine, July 2019.
