Businesses that are impacted by the UCPA have until December 31, 2023 to prepare. If you’ve already established policies and processes for meeting compliance requirements for other state privacy legislation, you’re already ahead of the game. If you haven’t, there’s no time like the present to find the right solutions for your business.
Compliance doesn’t have to be complicated. But if you wait too long, it will be.
Here are the top recommendations we share with our clients who are putting privacy at the top of their to-do lists.
1. Build a detailed data map
Also known as a data inventory, a data map follows data records on their entire road trip through your business, from first collection all the way to when the data is deleted.
But data maps do more than provide a glimpse into your data’s journey.
A data map provides invaluable insight into:
- What types of information you’ve collected/are collecting
- Who has access to it, from employees to vendors
- Where, how, and how long the data is stored
Moreover, a data map helps you identify risks and see where your processes don’t align with existing internal policies and regulatory requirements.
2. Review (and improve) your security measures
We say it all the time—data privacy and data security aren’t the same, but they are closely related. What’s more, you need both to meet statutory requirements for all state privacy laws.
When it comes to UCPA, the guidance is that businesses need to take “reasonable” security measures to protect customer data. “Reasonable” isn’t a clearly defined metric, but businesses can protect both consumer information and their own business interests by following best practices like:
- Automated installation of software updates and patches
- Multi-factor authentication
- Permissions and role-based access capabilities
- Stringent password and network access policies
- Ongoing employee training on privacy and security awareness
3. Rework your workflows
Do your current privacy workflows align with the requirements for UCPA? (Or other privacy laws, for that matter?) When new regulations come into force, they almost always require businesses to recalibrate at least some of their operational practices.
Thankfully, you don’t have to start from scratch if you already meet the requirements for other privacy regulations. US state privacy laws aren’t carbon copies of one another, but they’re more alike than not.
And if you are starting from scratch, you still have over six years of privacy best practices to turn to—and we’re well-versed in all of them. In fact, working with a privacy consultant is the best way to implement optimized processes that are tailored to your business needs.
4. Align policies and notices with current processes
Your privacy policy and privacy notice are vital documents, but they aren’t the sum total of your privacy program. Your privacy processes need to reflect what your policy and notice lay out. (In short, don’t just talk the talk—walk the walk!)
Make sure you’re doing what you say you’re going to do when it comes to:
- Types of data collected and why
- Who you share data with
- Individual rights requests and opt-out procedures
- Storage and security practices
While you’re examining your privacy documents, make sure that they themselves meet privacy best practices. In particular, your privacy notice (the external privacy information that you share with consumers) should be accessible to people with disabilities and as clear and easy to understand as possible.
5. Educate your employees
Your employees are essential resources for a smoothly functioning, consumer-friendly privacy program. Make sure they have what they need to successfully implement policies and practices.
A key element of this is a robust privacy training program. Don’t just squeeze an annual privacy training session into your calendar and then leave your team to figure it out the other 364 days of the year. Instead, add privacy tips to monthly staff meetings, create knowledge bases for privacy processes, and identify staff who can act as privacy champions to support and encourage others.
Ready to get started? Talk to a privacy expert at Red Clover when you call us today.