
CCPA Compliance Checklist

The CCPA (California Consumer Privacy Act) takes effect on January 1, 2020, enhancing California residents’ rights concerning how their personal information is used.

It applies to legal entities that do business in California and collect Californian consumers’ personal information (irrespective of where those entities are based), and that fulfill certain criteria.

Learn more about the CCPA’s requirements and how they could affect your organization >>

The seven-step checklist for CCPA compliance

To help organizations comply with the CCPA, we’ve created this simple seven-step compliance checklist, which explains what you need to do. Download your free copy of the CCPA compliance checklist today.


1. Obtain board-level support and establish accountability

Complying with the CCPA – and maintaining compliance – requires top-level support. It is essential that your organization’s board understands the law and its implications so that your compliance project receives the resources it needs in order to achieve long-term results.

What you should do:

  • Advise the board about privacy risks and the benefits of CCPA compliance.
  • Obtain management support for your CCPA compliance efforts.
  • Assign accountability (key roles and responsibilities) for CCPA compliance.

How we can help:

The California Consumer Privacy Act (CCPA): An implementation guide
This guidebook is the ideal resource for organizations that want to understand the CCPA and how to comply with it. It provides the reader with a comprehensive understanding of the CCPA and explains how businesses can implement strategies to comply.


2. Conduct a detailed gap analysis

A gap analysis will help you understand how your current practices meet the CCPA’s requirements, as well as where they fall short. You can then prioritize the areas that must be addressed to comply with the law.

What you should do:

  • Review the CCPA to understand its requirements.
  • Audit your privacy and security programs against the CCPA’s requirements.
  • Determine which compliance gaps require remediation.

How we can help:

California Consumer Privacy Act (CCPA) Gap Analysis
A gap analysis assesses your organization's current privacy and security practices against the CCPA's requirements, identifies where they fall short, and helps you prioritize the remediation work needed to comply.


3. Create a personal information inventory and map data flows

To ensure your organization is processing personal information in accordance with the CCPA, you need to keep appropriate records. Understanding the personal information you process, and exactly how you process it, is essential.

What you should do:

  • Assess the categories of personal information your organization holds, where the personal information comes from, and the business or commercial purpose for processing it.
  • Document how personal information flows to, through, and from your organization.

How we can help:

Data Flow Mapping Tool
The Data Flow Mapping Tool simplifies the process of creating data flow maps, giving you a thorough understanding of what personal data your organization processes and why, where it is held, and how it is transferred. The tool is a Cloud-based application, licensed for up to five users and can be accessed via any compatible browser.


4. Develop operational policies, procedures, and processes

Once you have identified your compliance gaps and mapped your personal data flows, you should bring the way you process personal information into line with the CCPA’s requirements. This will include reviewing your existing policies, procedures, and contracts, and implementing new ones as necessary.

What you should do:

  • Ensure your personal information protection policies and privacy notices are in line with the CCPA.
  • If you sell personal information, provide a clear and conspicuous “Do Not Sell My Personal Information” link on your website’s homepage, and honor the opt-out requests it receives.
  • Review employee, customer, and supplier contracts, and update them if necessary to cover personal information processing.
  • Plan how to recognize, verify, and respond to verifiable consumer requests to access or delete their personal information.

How we can help:

The GDPR Toolkit
The GDPR and CCPA share many requirements, and many processes designed for GDPR compliance are applicable to the CCPA. Our GDPR Toolkit contains more than 80 document templates – including policies, procedures, and checklists – designed to aid GDPR compliance, which you can adapt to streamline your CCPA compliance program.


5. Implement processes and technical measures to secure personal information

Implementing appropriate measures to secure the personal information your organization processes is paramount to your compliance.

What you should do:

  • Have an information security policy in place.
  • Implement basic technical controls, such as those specified by established cybersecurity frameworks like the NIST CSF (Cybersecurity Framework), the 20 CIS Controls™, or ISO/IEC 27001:2013.
  • Use encryption and/or deidentification where appropriate.
  • Ensure policies and procedures are in place to detect, report, and investigate breaches of personal information.
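The "deidentification" bullet above has a common failure mode worth seeing in code: replacing an identifier with a plain, unkeyed hash is not deidentification, because anyone who can guess the input space (email addresses, phone numbers, ZIP codes) recovers the originals with a dictionary. The example below is added here and is not part of the original checklist; it contrasts an unkeyed SHA-256 with a keyed HMAC pseudonym whose secret key is held outside the data set. The sample records, the candidate list, and the key are constructed for the example.

```python
"""Keyed pseudonymization of consumer records (added example).

Shows why an unkeyed hash is reversible by guessing, and why a keyed
HMAC pseudonym is only as strong as the custody of its key.
All records, candidates and keys below are constructed for this example.
"""
import hashlib
import hmac
import secrets

# Constructed sample records; these are not real consumers.
RECORDS = [
    {"email": "alice@example.com", "zip": "94105", "purchases": 3},
    {"email": "bob@example.com", "zip": "90210", "purchases": 1},
]

# Fields that directly identify a consumer and must not reach the analytics copy.
# Note: "zip" plus "purchases" can still act as a quasi-identifier in small
# populations, so field-level pseudonymization is a necessary step, not a sufficient one.
DIRECT_IDENTIFIERS = ("email",)


def naive_hash(value):
    """Unkeyed SHA-256: deterministic and public, so it is reversible by guessing."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def keyed_pseudonym(value, key):
    """HMAC-SHA256 under a secret key; reversible only by someone who holds the key."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymize(records, key):
    """Return a copy of records with each direct identifier replaced by a keyed pseudonym."""
    out = []
    for rec in records:
        copy = dict(rec)
        for field in DIRECT_IDENTIFIERS:
            copy[field] = keyed_pseudonym(rec[field], key)
        out.append(copy)
    return out


def dictionary_attack(token, candidates, hash_fn):
    """Try each candidate identifier; return the one whose hash matches the token, else None."""
    for cand in candidates:
        if hmac.compare_digest(hash_fn(cand), token):
            return cand
    return None


def demo():
    """Run the attack against both schemes and return (naive, keyed_without_key, keyed_with_key)."""
    # Hypothetical key: in practice keep it in a KMS or secret store, never beside the data.
    key = secrets.token_bytes(32)
    candidates = ["alice@example.com", "bob@example.com", "carol@example.com"]

    # 1. Unkeyed hash: the attacker's dictionary recovers the email directly.
    naive_token = naive_hash("alice@example.com")
    recovered = dictionary_attack(naive_token, candidates, naive_hash)

    # 2. Keyed pseudonym, attacker has no key: the same dictionary finds nothing.
    keyed = pseudonymize(RECORDS, key)
    not_recovered = dictionary_attack(keyed[0]["email"], candidates, naive_hash)

    # 3. Same attacker holding the key: the pseudonym is reversible again, which is
    #    why deidentification depends on key custody rather than on the hash function.
    with_key = dictionary_attack(
        keyed[0]["email"], candidates, lambda v: keyed_pseudonym(v, key)
    )
    return recovered, not_recovered, with_key


if __name__ == "__main__":
    print(demo())
```

The practical consequence for the checklist: record where the pseudonymization key lives and who can read it, because the data set is only "deidentified" with respect to people who cannot obtain that key.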

How we can help:

ISO 27001 implementation bundles
Combining our best-selling tools, software, and qualification-based training with up to 40 hours of online consultancy, our ISO 27001 implementation bundles have been expertly created to meet the unique needs of your organization. They can reduce the time and effort required to implement an ISMS (information security management system), as well as eliminate travel costs and other expenses associated with traditional consultancy.


6. Ensure teams are trained and competent

Policies, processes, and procedures are only effective if the people who operate them understand them. Everyone who handles personal information should know what the CCPA requires of your organization and what your procedures expect of them.

What you should do:

  • Ensure internal communications with stakeholders and staff are effective.
  • Train your employees to understand the importance of personal information protection, basic CCPA principles, and the procedures you have implemented to ensure compliance.

How we can help:

California Consumer Privacy Act Foundation Online Training Course
Delivered by an experienced privacy consultant, this one-day Live Online training course will give you a clear understanding of the main elements of the CCPA. It is suitable for anyone involved in information management, data protection compliance, or data privacy compliance, or as part of implementation programs for organizations located or doing business in the state of California. Attendees who pass the included exam are awarded the California Consumer Privacy Act Foundation (CCPA F) qualification by IBITGQ.


7. Monitor and audit compliance

Complying with the CCPA is an ongoing process, not a one-off project. Periodic internal audits help ensure your activities remain up to date and that you do not drift out of compliance as systems, suppliers, and processing purposes change.

What you should do:

  • Schedule regular audits of personal information processing activities and security controls.
  • Keep records of personal information processing up to date.

How we can help:

CyberComply
The CyberComply platform combines five tools to aid organizations’ cyber risk and privacy management monitoring and compliance:

  • The Data Flow Mapping Tool simplifies the process of creating data flow maps.
  • vsRisk Cloud streamlines the information security risk management process.
  • Compliance Manager helps you keep track of your legal and regulatory requirements.
  • GDPR Manager streamlines your compliance with the EU’s GDPR (General Data Protection Regulation), which governs the processing of EU residents’ personal information.
  • The DPIA Tool helps you conduct data protection impact assessments – a type of risk assessment that evaluates and minimizes risks associated with the processing of personal information.