As the CPPA continues to meet on CPRA regulations and define requirements & enforcement initiatives, there has been a heavy emphasis on assessments. With new laws going into effect that require privacy risk assessments, US companies have to make completion a top priority this year. The value of assessments cannot be overstated, especially as privacy continues to overlap with cybersecurity.
CPRA, VCDPA, CPA, and CTDPA all require organizations in scope to complete impact assessments at different intervals. CPRA, for example, requires companies to perform “ongoing manual reviews and automated scans and regular assessments, audits, or other technical and operational testing at least once every 12 months.” Companies will be held responsible for the sharing or selling of data with third parties that have high privacy risks.
As data incidents become more prevalent, companies are seeing the overlap between privacy and security more than ever before. A data breach will call upon many departments within the organization to identify compromised data, report on the breach, and notify affected parties, as required. Assessments become the key to renewals as cyber insurance providers face an age where incidents are frequent.
The CPPA is seeking additional input on risk assessments, cybersecurity audits, and automated decision making to finalize regulations. But there’s no doubt that assessments of all types will be essential for companies in 2023. If companies cannot identify risks and gaps in policies, and do not have an incident response plan based on regulations and cross-departmental cooperation, those risks become a looming concern.
In a time where some regulations are unclear, we’re learning more about enforcement, and more laws are on the horizon, it’s hard to know where to start, but getting started is the key. Odia Kagan, Partner and Chair of GDPR Compliance and International Privacy at Fox Rothschild, doesn’t mince words saying, “Whether you call it a data protection assessment, a DPIA or a potato-IA, you need to start doing them. But the CPRA regs aren’t specific enough to start? Use the CPA draft regs or GDPR as your baseline and iterate as you go. Perfect is the enemy of great here and a ‘wait and see’ approach now may lead to a ‘rush and curse’ result later.”
A truly compliant company will have on hand completed privacy risk assessments, ISO and NIST assessments, and third-party assessments to be prepared for any potential incident. Knowing what PII you hold and where it resides should be the highest priority for the privacy department, so that it can inform the cybersecurity department in the case of a breach. Truyo’s privacy tool not only includes a full suite of assessments (privacy impact, NIST, ISO, CMMC, and more) but also provides comprehensive data mapping that will inform incident response and provide important documentation to cyber insurance companies.
If you have any questions about assessment requirements or Truyo’s assessments & data mapping, please reach out to hello@truyo.com.