Post By: Matt Kunkel, CEO of LogicGate
CCPA, or the California Consumer Privacy Act, has been in effect for more than a month, influencing the business practices of companies not only in California but around the world as well. CISOs of proactive companies have likely already put proper procedures in place to comply with the regulation, but that doesn’t mean they’ll stop receiving questions about CCPA from colleagues and company leadership.
Here are four questions CISOs should be prepared to answer about CCPA.
Are we compliant?
Perhaps the most frequent question CISOs may get about CCPA is simply, “Are we compliant?” To feel confident in the company’s compliance posture, employees across an organization need to understand both what CCPA is and how the organization is addressing it. According to a survey by Osterman Research in December of 2019, more than 50% of companies reported they would not be compliant at the start of 2020. Because CCPA has such a broad view of personal data, companies have to be especially vigilant. It’s up to the CISO to allay concerns via a sound compliance strategy and timeline.
If we’re GDPR compliant, isn’t that enough?
The good news: because the General Data Protection Regulation (GDPR) preceded CCPA by more than a year and a half, many organizations were already having conversations about updating their consumer data policies. However, CCPA takes a broader view of personal data, so simply being GDPR compliant isn’t enough. CCPA has its own intricacies which demand unique policies and procedures.
How much is this costing?
According to research by CNBC, the cost of implementation of different policies and procedures for CCPA could range from $50,000 to $2 million per company, depending on the size of the organization. Across all companies, total costs for maintaining compliance could climb to more than $16 billion over the next decade. On the flip side, each fine for noncompliance is up to $7,500 per record. While this doesn’t sound too hefty in isolation, fines will add up quickly, to say nothing of the damage to a company’s reputation.
What’s our risk exposure?
An organization’s risk exposure starts with a fundamental understanding of what, where, and how: what kinds of data the organization possesses, where it’s housed, and how it’s protected. While these puzzle pieces are table stakes for quantifying risk exposure, CISOs have to be vigilant in tracking this information across their organization. This is an ongoing, uphill battle for a variety of reasons, from siloed approaches to changing data management laws. This is where creating a top-down culture of risk and compliance at an organization becomes especially important. Employees need to feel empowered to look for and call out concerns about a certain process or procedure.
Knowing the facts about CCPA is essential for today’s CISOs, because their colleagues and leaders are bound to have questions. Keeping a pulse on the conversations happening in the compliance industry around CCPA will help CISOs protect customer data in the most compliant way possible, while also keeping their companies well-informed.
About the Author
Matt Kunkel is the co-founder and CEO of LogicGate. Prior to LogicGate, he spent over a decade in the management consulting space building technology solutions to operationalize regulatory, risk, and compliance programs for Fortune 100 companies. It was during this time he learned the skills to realize his true calling: building world-class companies that meaningfully affect the lives of others through user-friendly technology. Given his extensive background in the GRC space, Matt regularly speaks and consults on risk and compliance topics.