In the final post in our CCPA Readiness series, we’ll be touching on steps 4 and 5 of the CCPA readiness plan: setting up an operationalization model and creating processes necessary for ongoing governance.
Operationalization model: Implementing your blueprint with trackable metrics
Operationalization means specifying measurement criteria for something that is not typically measurable, like compliance. In other words, think of the operationalization model as how you intend to define and track compliance for your company. Since compliance is different for every company, the exact methodology for achieving it will vary based on how the requirements are interpreted.
Below are some questions to keep in mind when operationalizing your blueprint:
- Review and remediate all affected contracts
  - What language constitutes remediation?
  - What are the criteria for an affected supplier contract?
  - What verbiage covers the requirements outlined by the CCPA?
  - Is the language used clearly understandable by the lay person?
- Support opt-outs
  - What constitutes a clear and conspicuous link?
  - Who is responsible for handling consumer privacy inquiries, and how much do they need to know?
Ongoing governance: Monitoring compliance
Compliance with the CCPA requires iteration beyond January 1, 2020, and is a continuous effort. There may be a new ruling that impacts the original interpretation or perhaps an amendment to the law. In any case, a designated person or people at every company should be keeping track of all regulatory updates.
It’s also worth noting that the law imposes different requirements on businesses and service providers. Whenever rolling out a new revenue stream that might involve processing personal information, make sure to evaluate whether there are new disclosure requirements. Similarly, when considering new vendors, make sure to vet what information they process and how it will affect your compliance requirements.