Preparing your business for the incoming CCPA
From Jan 2020, the CCPA will affect companies based in, or conducting business with, firms or individuals in California. Here's what organisations need to know.
Due to the state’s economic significance, California has always been significant in navigating the international regulatory agenda. In the months ahead, it looks set to affirm this role again.
Signed into law on 28th June 2018, from 1st January 2020 the California Consumer Protection Act (CCPA) will affect companies based in, or conducting business with, firms or individuals in California.
Will the CCPA apply to your organisation?
The CCPA is applicable to three distinctive business categories.
It applies to a wide range of “for profit” businesses – this includes any organisation “doing business” with Californian residents and turning over more than $25m per year.
It also applies to smaller organisations that buy, sell or share the details of more than 50,000 records of individuals per year (this includes data from the smart devices they use). So, if you have the sales records of 50,000 smart appliances you’ve sold (e.g. cars, fridges, phones etc.), the CCPA will apply to your organisation.
Finally, the CCPA applies to any organisations that make more than 50% of their revenue from data sales.
It’s fair to say that most global businesses will fall into one of these categories, and these organisations should be concerned as the penalties for non-compliance can be severe.
Both civil penalties and individual damage claims are supported within the CCPA, and the individual damage claims can be up to $750 per individual affected. So, if your organisation suffers a data breach which leaks a million individual records, you could be looking to pay out $750,000,000.
Plus, it’s important to consider the global damage to trust an organisation will suffer should they indicate non-compliance. Many other US States and national legislatures are implementing new data privacy laws, which are leading to a complex worldwide set of regulations that global organisations must manage effectively. The CCPA is just another example. Navigating this complex and differing set of privacy rules is likely to be a significant and ongoing challenge for organisations.
How to mitigate the risks
The CCPA presents businesses with a series of conditions, and under these conditions they must seek and manage consent from individuals. Meanwhile, it also provides those individuals with a range of rights - this includes the right to erasure, the right to access and the right to information.
To manage the risk, the organisation must firstly identify and understand the personal data it processes, and could have processed in the preceding 12 months.
It must then examine the controls it has in place to ensure it meets the conditions required. This includes security systems, lifecycle management and third-party relationships.
We often find that businesses fall at this “first hurdle” by failing to have a robust and in-depth process for the ongoing documentation and management of the organisation’s personal data assets. Frankly, they are often unaware of the data that they are responsible for.
GDPR vs CCPA – what can we learn from the enforcement of European privacy laws?
The GDPR was a wake-up call for organisations in Europe.
Penalties have a different structure to the repercussions in the CCPA, and are only just starting to be applied. However, in some cases, the proposed penalties that have been issued to date are severe; British Airways and Marriott International have both faced proposed penalties of over £100m for breaches under GDPR.
Yet even with these eye-watering fines, we’ve still seen evidence that many organisations have treated the implementation of the GDPR as a one-off, tick-box activity. They have not built business processes in a way that ensures they stay consistently compliant and on top of the ever-evolving regulatory landscape. Certainly, they have not implemented the “Privacy by Design and Default” approach which the GDPR stipulates.
This is evident in DQM GRC’s 2019 research report “Privacy, Value and Ethics: Coping with the cautious consumer”, which examined the current attitudes to the GDPR one year on from both businesses and consumers.
Over 60% of the organisations interviewed felt that they were compliant with the GDPR. However, only 1.8% had actually completed a Data Protection Impact Assessment.
This contradicts the core principle of “Privacy by Design and Default”, and suggests that, in reality, there is still a fair way to go – especially given the complex and ever-changing ways organisations use and manage data over time. It’s likely that now, over a year from implementing the GDPR changes, many organisations will have become uncompliant.
There is also a misconception that being GDPR compliant ensures your organisation is also CCPA compliant - this is not the case. Businesses should definitely coordinate their GDPR and CCPA compliance efforts, but also be aware of the differences.
Global privacy laws: further regulatory advances in data protection are expected
Data science is continuing to advance and technologies such as machine-learning and AI can give businesses a huge competitive advantage. As the demand grows and usage evolves, we expect regulation to also advance so it can continue to provide the adequate and necessary protection for individuals.
Individuals will also start to recognise the value in their data. In fact, according to the DQM GRC research report, the rise in awareness of data protection laws has been remarkable. 45% of consumers have said they now know all about the GDPR, while nearly one quarter (22.7%) are reasonably aware but have yet to absorb the detail.
This will result in a new consumer mindset of “how can I make my data work for me?”, and their data value exchange with organisations will become more overt. Legislation will also need to evolve to include this.
Eventually, we could start to see a global alignment of privacy rules and practices (GDPR is now being used as the basis for many new data laws). However, until that happens global businesses will have a complex job of managing privacy across their customer domains.
For more information on business topics in the United States, please take a look at the latest edition of Business Chief USA.
Marketing matters: from IBM to Kyndryl
Prior to joining Kyndryl as Chief Marketing Officer, Maria had a 25-year career at IBM, most recently as the tech giant’s CMO where she oversaw all marketing professionals and activities across North America, Canada and Latin America. She has held senior global marketing positions in a variety of disciplines and business units across IBM, most notably strategic initiatives in Smarter Cities and Watson Customer Engagement, as well as leading teams in services, business analytics, and mobile and industry solutions. She is known for her work with teams to leverage data, analytics and cloud technologies to build deeper engagements with customers and partners.
With a passion for marketing, business and people, and a recognized expert in data-driven marketing and brand engagement, Maria talks to Business Chief about her new role, her leadership style and what success means to her.
You've recently moved from IBM to Kyndryl, joining as CMO. Tell us about this exciting new role?
I’m Chief Marketing Officer for Kyndryl, the independent company that will be created following the separation from IBM of its Managed Infrastructure Services business, expected to occur by the end of 2021. My role is to plan, develop, and execute Kyndryl's marketing and advertising initiatives. This includes building a company culture and brand identity on which we base our marketing and advertising strategy.
We have an amazing opportunity ahead at Kyndryl to create a company brand that will stand apart in the market by leading with our people first. Once we are an independent company, each Kyndryl employee will advance the vital systems that power human progress. Our people are devoted, restless, empathetic, and anticipatory – key qualities needed as we build on existing customer relationships and cultivate new ones. Our people are at the heart of this business and I am deeply hopeful and excited for our future.
What experiences have helped prepare you for this new opportunity?
I’ve had a very rich and diverse career history at IBM that has lasted 25+ years. I started out in sales but explored opportunities at IBM in different roles, business units, geographies, and functions. Marketing and business are my passions and I landed on Marketing because it allowed me to utilize both my left and right brain, bringing together art and science. In college, I was not only a business major, but an art major. I love marketing because I can leverage my extensive knowledge of business, while also being able to think openly and creatively.
The opportunities I was given during my time at IBM and my natural curiosity have led me to the path I’m on now and there’s no better next career step than a once-in-a-lifetime-opportunity to help launch a company. The core of my role at Kyndryl is to create a culture centered on our people and growing up in my career at IBM has allowed me to see first-hand how to prioritize people and ensure they are at the heart of progress in everything Kyndryl will do.
How would you describe your leadership style?
I believe that people aren't your greatest assets, they are your only assets. My platform and background for leadership has always been grounded in authenticity to who I am and centered on diversity and inclusion. I immigrated to the US from Chile when I was 10 years old and so I know the power and beauty that comes from leaning into what makes you different from other people, and that's what I want every person in my marketing organization to feel – the value in bringing their most authentic self to work every day. The way our employees feel when they show up for themselves authentically is how they will also show up for our customers, and strong relationships drive growth.
I think this is especially true in light of a world forever changed by the pandemic. Living through such an unprecedented time has reinforced that we are all humans. We can't lead or care for one another without empathy and I think leaders everywhere have been reminded of this.
What’s the best leadership advice you’ve received?
When I was growing up as an immigrant in North Carolina, I often wanted to be just like everyone else. But my mother always told me: Be unique, be memorable – you have an authentic view and experience of the world that no one else will ever have, so don't try to be anyone else but you.
What does success look like to you?
I think the concept of success is multi-faceted. From a career perspective, being in a job where you're respected and appreciated, and where you can see how your contributions are providing value by motivating your teams to be better – that's success! From a personal perspective, there is no greater accomplishment than investing in the next generation. I love mentoring younger professionals – they are the future. I want my legacy as a leader to include providing value in work culture, but also in leaving a personal impact on the lives of professionals who will carry the workforce forward. Finding a position in life with a job and company that offers me a chance at all of that is what success looks like to me.
What advice would you give to your younger self just starting out in the industry?
I've always been a naturally curious person and it's easy for me to over-commit to projects that pique my interest. I've learned over years of practice how to manage that, so to my younger self I’d say… prioritize the things that are most important, and then become amazing at those things.