Compliance with the CCPA requires robust processes for identifying, governing, distributing, and securing consumer personal information.
The first steps are to document the current usage of this information:
- Data inventory: Generate lists of personal data related to clients, investors, employees, counterparties, prospects and other entities.
- Data recipients: Compile a list of entities that receive this data, such as administrators, custodians, transfer agents, investment managers, and other service providers.
- Data policies: Review current policies to process, retain and delete data.
- IT security: Assess information security and data protection mechanisms from a business and technical perspective.
- Third-party compliance: Review third-party provider data security policies and conduct a gap analysis of them.
After the initial assessment is complete, financial institutions will be in a position to:
- Confirm what personal data they hold and for what purpose
- Understand whether there is a strong legal basis for holding this data
- Modify business processes that do not comply with the CCPA
- Develop revised policies and procedures
- Reinforce data governance, distribution, and protection mechanisms
- Ensure third-party providers are in compliance
We recently published a guide examining the California Consumer Privacy Act of 2018, and the steps any financial institution must take in its response to the new law to evaluate its exposure and current state of readiness. You can download the guide below.