Optimize Unstructured Data for CPRA Compliance in Hours, Not Weeks or Months

It is probably not new news to you that a majority of California Privacy Rights Act (CPRA) provisions will come into effect on January 1, 2023.

CPRA or CCPA 2.0 is an updated set of data privacy regulations that require businesses to make significant adjustments to how they handle and share consumer data. Companies will need to maintain a detailed registry of the data they collect and use, that will help the state hold them accountable for their data security measures.

This next iteration of the California law is applicable to businesses such as retailers, distributors, manufacturers, law firms, consultants, realtors and entertainment companies that; Cater to at least 100,000 consumers Have an annual revenue of $25 million Derive over 50% of annual revenue from receiving, buying, selling or sharing California residents’ personal information

The International Association of Privacy Professionals (IAPP) estimates that over 500,000 U.S. businesses will have to comply with CPRA, and nearly 80% of those are located outside of California.

In our experience, a primary concern for Chief Information Security Officers (CISO), Chief Privacy Officers (CPO) and Heads of Compliance for companies in these industries is to make sense of the vast amounts of unstructured data being generated daily.

According to a new report by nRoad, analysts predict the global datasphere will grow to 163 zettabytes by 2025, and about 80% of that will be unstructured. In regulated industries, such as financial services, the challenges posed by unstructured data are exponentially higher.

One way to tackle this unstructured data explosion is to automate unstructured governance, enabling companies to consistently automate unstructured data discovery, indexing, classification, access and actions that can be derived from unstructured data.

CISOS recommend automated unstructured data governance

To comply with the new regulations set out for 2023, it is necessary for businesses to enforce data discovery, minimization, redaction and anonymization. Why? By automating and securing all the repetitive, time-consuming tasks required to acquire, manage and analyze data, companies can safeguard against potential data breach claims.

Let’s look at four substantial changes CPRA introduces and what can cause a data breach in context.

1. Updated right to access personal information

CPRA allows consumers to retain control over how their sensitive information is handled, giving them the option to request that companies stop using or disclosing their personal information.

Under CPRA, personal information also includes details like financial and health information, religious or philosophical beliefs — as well as contents of mail, email, and SMS messages. Individuals can make Data Subject Access Requests (DSAR) to a company for any personal data, including unstructured personal data.

Action plan: to meet this compliance obligation: Start by examining your organization’s data. Then determine where the specific data is stored, how it’s collected and put into production, and what applications feed off of or are fueled by it in order to ensure they’re not accidentally compromising their customers’ privacy.

You may have a process to find and address structured data difficulties, but when it comes to unstructured data, deploying Data X-Ray would be a no-assumptions based approach. Data X-Ray can scan over 100,000 words from 300 different file types, in seconds, at petabyte scale and help discover sensitive information wherever it lives — on-prem, in the cloud, and hybrid.

2. Updated ‘right to know’

CPRA 2.0 allows customers to request the categories, sources, and purposes involved in the collection, selling, or sharing of sensitive information. This requires companies to develop capabilities to provide, upon request, the data categories it stores, gathers, or holds on any third party.

Action Plan: Using Data X-Ray, you can label, tag and annotate sensitive, personal information present in your unstructured data landscape no matter where it is stored. Additionally, Data X-Ray’s advanced reporting allows for easy tracking of specific goals and trends so you can satisfy data requests at scale when needed.

Processing your unstructured data consistently through Data X-Ray will; Help you sort or classify your data, Save time and costs associated with data storage and processing DSARs, and Ultimately, fulfill the ‘right to know’ process more efficiently.

3. ‘Right to correction’

Section 1798.106 of the CPRA gives consumers the right to correct inaccurate personal information. For this, CPRA-compliant businesses will need to set up a procedure to process correction requests within the required timelines. Individuals could ask for information about them to be corrected that is stored in archived records, such as human resources (HR) data – for instance, employees may request error notifications for historical payroll information or performance reviews. To meet this compliance need, you will have to set up a way to scan archived unstructured data and HR records.

Action Plan: Employ Data X-Ray, a tool powered by machine learning and natural language processing, to scan and spot all your data assets including emails, drives, images and presentations that contain sensitive, personal information. After labeling and annotating the files based on your requirements, you will be able to isolate the data assets needed, implement corrective measures to prevent data breaches and ensure compliance with CPRA.

4. ‘Right to limit the use and disclosure of sensitive personal information’

CPRA 2.0 introduces the data minimization principle and states that a business cannot retain personal or sensitive information for a period of time that is longer than necessary for the purpose it was initially collected or used for. It allows consumers to opt out of sharing their personal information with third parties for behavioral ads. Meeting this requirement is imperative to prevent fines and mitigate an unregulated exchange of information with third parties.

Action Plan: Leverage Data X-Ray’s unstructured data classification feature to identify hidden attributes and map connections that would otherwise go undetected. If you redact and anonymize data for personal information accurately you can ignore this rule altogether. As manually redacting data is painfully slow and resource intensive, use Data X-Ray to redact and desensitize data, relate disparate data types to each other, view data assets based on purpose, and gather insights in a whole new light.

Why Data X-RAY is a preferred choice for analyzing unstructured data.

The amended CPRA undoubtedly enhances consumer privacy rights and protections but it also increases the risk of receiving fines. The CPRA carries fines of $7,500 per violation, which can be a large sum for companies with many customers or employees. Whether intentional or unintentional; the mere existence of a breach is enough to trigger a fine.

All the more reason to spend the next six months developing an intelligent breach response framework - to implement Data X-Ray to identify sensitive data, preserve valuable data in redacted forms and automate a response process.

Quick Check: can you answer the below questions?

1. What personal, sensitive data does your organization collect?

2. How much of this data is unstructured?

3. Where is this unstructured data being collected and stored?

4. What is done with the unstructured data collected?

5. With whom do you share it?

To answer these questions authentically, you will need to begin by employing a tool that automates unstructured data governance from data discovery and classification to unstructured data redaction and anonymity. A tool that can be deployed on-premise or on-cloud and is powered by machine learning and natural language processing.

Next step: Book a demo with our experts. Find out how you can make sense of your unstructured data, irrespective of where it resides. Prepare your teams to better respond to compliance requirements, and fulfill consumer data requests at scale, come January 1, 2023.