GDPR, the California Consumer Privacy Act (CCPA), and other emerging privacy laws and regulations impose privacy and security obligations on covered entities. CCPA, for example, provides consumers with the following privacy rights: [1]
- Right of Disclosure: to request the categories and specific pieces of personal information the business has collected, sold, or disclosed about the consumer in the preceding 12 months
- Right of Deletion: to have certain personal information deleted, both by the business and by any service providers with which the business shared the information
- Right to Opt-Out: to opt out of the sale of their personal information (consumers under the age of 16 must affirmatively opt in before any such sale; for children under 13, a parent or guardian must give that consent)
Citadel supports clients who want to ensure they can comply with these privacy laws by honoring requests to disclose, to delete, and to opt out.
As attorney Robert Braun has written: “Understanding how the company collects, processes, transmits and stores data – as well as how it’s used and who uses it – is the foundation of a data privacy program and the key to complying with the Act and most other privacy regulations.” (Robert is a Partner in the law firm Jeffer Mangels Butler and Mitchell and a member of the SecureTheVillage Leadership Council.)
With this in mind, Citadel’s Information Inventory / Data Mapping services are designed to answer the following questions for each type of controlled information:
- What controlled information you have
- Where it is: desktops, servers, cloud, smartphones, laptops
- Who Manages It: department, individual
- Why You Have It
- How Long You Keep It
- How You Control Access
- How You Secure/Delete It
- Third Parties To Whom You Provide Access or Sell It, and the security and privacy controls those third parties apply
Controlled information includes, among others, the following categories:
- Names, addresses, Social Security numbers
- Credit card numbers
- Health information
- Email addresses
- Digital identities
- Internet activities
- Consumer history
- Etc.
In developing the Information Inventory, Citadel works across your entire organization. More than just management, Citadel provides leadership: we work to break down silos, establish effective cross-functional communication, and surface shadow files and other “unofficial” information repositories. We work within our client’s risk tolerances and with the guidance of the client’s legal staff. Those involved typically include:
- Departments that collect, process, transmit, and store protected information
- IT management
- Information security
- Law
We document the Data Inventory / Data Mapping in whatever form best fits the client, using tools such as:
- Spreadsheets
- Network Maps
- Visio Diagrams
- Data-Flow Diagrams
- Reports / Narratives
In developing and documenting the Data Inventory / Data Mapping, we also use several tools as appropriate, including:
- Spreadsheets
- Program Management Tools
- Data Discovery Tools
- Special Purpose Tools, such as Inventory and Deletion Tools
- Data classification features built into platforms such as AWS and SQL database servers
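To make the "Data Discovery Tools" bullet concrete, here is a small discovery scanner of the kind such tools run across file shares and exports. It is an added example written for this page, not Citadel's own tooling or any product named above. It finds candidate Social Security numbers, payment card numbers, and e-mail addresses in text, validates card candidates with the Luhn checksum so that order numbers and timestamps are not reported as cards, records only a masked value so the inventory does not become another copy of the controlled data, and tallies hits per file and category for the inventory. The file paths and contents in SAMPLE_FILES are constructed for the example.

```python
"""Minimal data-discovery scanner (hypothetical example, not a product).

Finds candidate controlled information in text, validates it where a checksum
exists, and tallies hits per file and category for a data inventory.
"""
import re
from collections import defaultdict

# Detection patterns, one per inventory category. A production scanner would
# carry many more (driver's licence numbers, health record identifiers, ...).
PATTERNS = {
    # SSN: area not 000/666/9xx, group not 00, serial not 0000
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d\d-(?!0000)\d{4}\b"),
    # Card: four groups of four digits, or 13-19 contiguous digits
    "card": re.compile(r"\b(?:\d{4}[ -]){3}\d{4}\b|\b\d{13,19}\b"),
    "email": re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b"),
}

# Constructed sample "files": a share with an HR export, a finance note, and
# a file with nothing of interest.
SAMPLE_FILES = {
    "shared/hr/onboarding.csv": (
        "name,ssn,email\n"
        "Jane Doe,123-45-6789,jane@example.com\n"
        "John Roe,876-54-3210,john@example.com\n"
    ),
    "shared/finance/refunds.txt": (
        "refund 4111 1111 1111 1111 approved\n"
        "order 1234 5678 9012 3456 (order id, not a card)\n"
    ),
    "shared/marketing/notes.txt": "call back next week\n",
}


def luhn_ok(number: str) -> bool:
    """Luhn checksum over the digits of a card candidate.

    Rejects most random 13-19 digit strings that the regex alone would flag.
    """
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Keep only the last four characters for the inventory record."""
    return "*" * (len(value) - 4) + value[-4:]


def scan_text(text: str):
    """Yield (line_no, category, masked_value) for each validated hit."""
    for line_no, line in enumerate(text.splitlines(), start=1):
        for category, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                value = m.group(0)
                if category == "card" and not luhn_ok(value):
                    continue    # regex candidate, but not a real card number
                yield line_no, category, mask(value)


def build_inventory(files: dict) -> dict:
    """files: {path: text}. Returns {path: {category: hit_count}}.

    Files with no validated hits are omitted, so the result lists exactly
    the locations that hold controlled information.
    """
    inventory = defaultdict(lambda: defaultdict(int))
    for path, text in files.items():
        for _line_no, category, _masked in scan_text(text):
            inventory[path][category] += 1
    return {path: dict(counts) for path, counts in inventory.items()}


if __name__ == "__main__":
    for path, counts in build_inventory(SAMPLE_FILES).items():
        print(path, counts)
```

Run against the constructed sample, the HR export is reported with two SSNs and two e-mail addresses, the finance note with one card (the order id fails the Luhn check and is dropped), and the marketing note does not appear at all. The per-file, per-category counts are what gets entered against the "What controlled information you have" and "Where it is" columns of the inventory; the masked values are enough to confirm a hit during review without copying the data into yet another location.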
Background Information & Additional Resources
SecureTheVillage: Information Classification and Control
SecureTheVillage: General Data Protection Regulation (GDPR)
SecureTheVillage: California Consumer Privacy Act (CCPA)
[1] CCPA has an additional right — the Right to Be Compensated in the Event of a Data Breach. The CCPA private right of action establishes statutory damages of between $100 and $750 per consumer per incident (or actual damages, whichever is greater) for consumers whose personal information has been compromised by a breach resulting from the business’s “violation of the duty to implement reasonable security procedures and practices appropriate to the nature of the information to protect the personal information.” Our Defendable Security Procedures and Practices service is designed to assist organizations wanting to ensure their information security procedures and practices are suitably defendable.