The recent California Consumer Privacy Act of 2018 is basically a Californian version of the European Union’s GDPR (General Data Protection Regulation). California tends to lead the charge in developing privacy and data security standards in the United States and was one of the first states to provide an express right of privacy in its constitution.
Privacy policy
In 2002, California became the first state to enact breach-notification legislation, and 45 states, the District of Columbia, and Puerto Rico have since followed suit. California is currently the only state to require all online services that collect personal information from state residents to post a privacy policy.
The state’s Attorney General has shaped the mobile privacy practices by releasing guidelines for the mobile app industry. The Attorney General’s agreement with mobile app platforms has encouraged app developers to provide app privacy policies prior to download. A former California legislator is spearheading a movement that will make it easier for California privacy class actions to go forward by amending the California Constitution to create a presumption that individuals are harmed when their personally identifiable information is shared without obtaining consumers’ express opt-in consent.
The intent of this new law is to give consumers the following rights and abilities:
- The right to know what personal information is being collected about them.
- The right to know whether their personal information is sold or disclosed and to whom.
- The right to say no to the sale of personal information.
- The right to access their personal information.
- The right to equal service and price, even if they exercise their privacy rights.
DNV prepares for California Consumer Privacy Act
The new regulation will be in force 1 January 2020, and we offer a set of services to help our customers become compliant. Our competence with the California Consumer Privacy Act is based on internal preparation activities and training. DNV’s strong focus on assessment services and tools and the long history related to class, audits and certifications, are a natural base for the California Consumer Privacy Act services.
DNV's services relating to California Consumer Privacy Act consist of a 3-step model
Step 1: Identify personal data
The step involves interviews, document review and inspection to gain an overview of the processing, communication and storage of personal data in the organization. The output of this step will be a report showing where the data exists and how it is protected.
Step 2: Gap analysis and vital requirements
The second step involves interviews, document review and inspection to verify the controls in the DNV checklists. The output of the step will be a summary report containing the fulfillment of the controls in the checklists.
Step 3: Advisory services
Based on the gap analysis in step 2, we deliver advisory services to close the gaps. The first activity may be to establish a plan and to prioritize activities. Relevant activities may be a combination of services:
- Complete Gap analysis
- Privacy Policy
- Data Classification
- Risk Assessment
- Privacy Impact Assessment
- Awareness Training
- Incident Management
- Internal Audits
Deliverables to support compliance of California Consumer Privacy Act Services:
Step 1: Report showing data location and how it is protected
Step 2: Gap analysis report
Step 3: Deliverables depending on Advisory Services
Analysis based on the following relevant standards and guidelines:
ISO 27001: Information Security Management System
ISO 27002: Information Security Code of practice
ISO 27005: Information Security Risk Management
Combining IT security expertise and deep understanding of the operational technology (OT) of critical infrastructure industries
Unlike most other cyber security service providers, DNV combines traditional IT security expertise with a deep understanding of the operational technology (OT) of various critical infrastructure industries. Our team of local and international experts draw on extensive knowledge and experience in several relevant areas including industrial control systems (ICS) and risk management. Experience from certification, standardization and our strong risk based approach is vital. Moreover, the Cyber Security Initial Health Check is a part of our holistic cyber security approach and has been extensively proven in pilot projects and real-life case studies with companies around the world.