
Privacy and cybersecurity attorney Shanna Holako focuses on compliance and risk counseling, incident response, and privacy program development.

To comply with the CCPA, you need to know your data. You need to know what personal information you collect, where it is collected and stored, and whether, to whom, and for what purpose, it is shared or sold. And to know your data, you need to conduct a thorough data inventory.

The process of creating and maintaining a data inventory differs from company to company; however, several key steps are common across industries. First, you need to identify all personal information your company is collecting and where, or from whom, such information is obtained. You also need to identify where the personal information is stored and whether it is shared or sold to others. If personal information is shared with or sold to others, you need to know to whom and for what purpose. In addition, the inventory should have a mechanism to track the 12-month “lookback” period for responding to consumer data requests. If you had prepared a data inventory for GDPR, that would be helpful, but it would not be the end-all for CCPA compliance, as GDPR inventories (or Article 30 reports) are typically limited to personal information flowing from the European Union and to the data elements contained within GDPR’s definition of “personal data.”
Continue Reading CCPA 12-Month Compliance Series Part 2: Know Your Data

Recent privacy laws and standards promote, and in some cases require, privacy by design. Simply put, companies are to incorporate privacy principles in and throughout all their products and services. In Europe, Article 25 of the GDPR requires companies to implement “appropriate technical and organisational measures . . . which are designed to implement data-protection

Are you collecting, using or disclosing personal information (PI) of Canadian residents in the course of commercial activities? If so, you may be subject to Canada’s Breach of Security Safeguards Regulations (Regulations), under Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA). Under the Regulations, which went into effect on November 1, 2018, organizations that are subject to PIPEDA are required to report security breaches involving PI that “pose a real risk of significant harm,” notify affected individuals of the breach, and maintain records of every breach, reported or not, for at least two years. Businesses that fail to comply with the Regulations may be subject to fines of up to CA$100,000 per offense.
Continue Reading Canada’s New Breach Regulations