CCPA – Making Sure Your Data Doesn't Die in The Dark

I'm not a hoarder, but like many people, I have a drawer full of cables that ‘might come in handy one day.’  They were indeed valuable to me in the past – and could well be in the future – so, rather than get rid of them, they lie tangled in a drawer.

That’s the same attitude that many businesses have towards data – especially Personal Information (PI).  We all see the impact of PI in the moment: I check out jewelry online in the run-up to my wife's birthday, and then I see ad after ad for evermore eye-wateringly expensive bracelets for the next two weeks.  But, a month later, how valuable is that data?  Perhaps it has no immediate value but, just as my cables might come in handy to connect some device in a future situation that I haven't even imagined yet, so could that data on jewelry interests be used in an equally unimagined way.  Better for businesses to store the data and wait for a use case to emerge than to delete it.

But what if there were more jeopardy in keeping the data?  That's precisely the challenge that the California Consumer Privacy Act (CCPA) has mixed into the equation for organizations doing business in California.  Since the introduction of this legislation in 2020, businesses lacking a grip on the data they're selling or storing could find themselves fined to the tune of $7,500 for each misused record.

How?  Well, there are plenty of ways that businesses can unwittingly breach CCPA.  For example, PI that’s not correctly tagged could be sold despite belonging to an individual who opted out of the agreement to share it.  Similarly, if the business is not currently using the PI, the data might have been archived in a way that makes it challenging to locate if the subject wants to access or delete the data.

52percentuntagged.png

According to research by Veritas, with Vanson Bourne, 52% of data that businesses are storing is considered 'dark data' – that is to say, no value has been assigned, or it is simply redundant, obsolete and trivial data.  But CCPA makes the value of dark data into a game of Russian Roulette.  The data might be incredibly valuable to the business – or it might have a negative value if they are fined for being out of compliance.

So, what’s the solution? I believe that it’s all about insights, visibility of the data itself, and automated classification.  Before businesses can even begin to comply with CCPA, they need to understand what data they have and where it is stored.  This is where a solution like Veritas’ Information Studio can help – where a powerful tool built from the ground up to deliver data intelligence and risk mitigation to regain control of your data.  Information Studio provides:

  • Automated data classification and visibility helping you understand what types of data you have and where it is stored.
  • Ability to identify and defensibly dispose of sensitive data – like Personally Identifiable Information (PII) – to help automate data retention periods.
  • Manage data subject access requests (SARs) in compliance with privacy legislations like CCPA and GDPR.

Once businesses know what data they have, the challenge then is to keep on top of that as data moves through its lifecycle, and new data is added.  That's why they need a proper automated classification system.  Data needs to be tagged so that it’s searchable and findable.  And, if that data is no longer CCPA compliant, businesses need to be able to find it and deal with it accordingly.  Veritas’ Information Studio provides businesses visibility into complex data landscapes that include cloud architectures and diverse storage infrastructure. It empowers businesses to make intelligent decisions on their data, find data, classify data, and act on the knowledge that gives them the ability to ensure data privacy and compliance.

A great example is the need for moving more and more data to the public cloud, while staying in compliance with different regulations like CCPA. Insights into the information contained in these files are essential to determine what data can be sent to the cloud. Veritas Information Studio works by gathering information about data within a company’s on-premises and cloud-based data infrastructure, from a variety of primary data sources, while displaying the information in an intuitive dashboard. It then allows users to filter information. For example, users can choose to filter based on data age, like “older than two years," and for data containing PII, like phone numbers, credit card numbers, or social security numbers. Users can even filter for data hosting a specific phrase, like "Highly Confidential" or a particular text string like a person's name. Once important information is identified, reports can be extracted to allow evidence-driven data decisions on what data to keep on-premise and automate via classification what data will be allowed in the cloud.

To simplify the process, Information Studio comes with more than 700 preconfigured data classification patterns and over 120 classification policies covering new privacy laws like CCPA and GDPR. 

For many companies operating internationally, the challenges of CCPA aren’t new – they’ve been dealing with them since the introduction of GDPR in 2018.  But it brings those challenges closer to home for many of the biggest organizations in the US.  Now, if you want to do business in California, you have to comply with CCPA.

What CCPA and GDPR really bring, is a need for a change in mindset.  We can’t keep hoarding data like a drawer of old power cables.  If we do that, data becomes a burden dragging us down with storage costs and fines.  CCPA compliance is the opportunity – the impetus – for businesses to get to grips with their data. Help your legal team to understand your company's current data risk environment better. Be confident about what kind of data you have and where it is stored, how it is accessed today, and know what data can be deleted if it is outside of retention periods. And, by doing so, you will find the true value of your data.