The CCPA is here, and your SAP system is not compliant. Now what?

22 January 2020
Written by Gericke Potgieter

Gericke is responsible for marketing systems management and data analytics at EPI-USE Labs. He is a qualified ISO 27001 Lead Implementer and has an MA in Socio-informatics (Decision Making Theory). He has spent most of his career in IT, strategy consulting and software development.

CCPA-is-hereHeader-image

Since its hasty inception, the California Consumer Privacy Act (CCPA) has stirred up debate across the United States. As more states develop data privacy laws, many businesses struggle to comply with laws that often contradict each other. Read on to learn how the CCPA impacts you.

  1. The CCPA landed on 1 January 2020
  2. Am I supposed to comply?
  3. What can I do to comply with the CCPA?
    1. I have no data privacy program
    2. I am busy implementing a program in line with GDPR or other legislation
    3. I have a fully developed data privacy program
  4. Need some help?
  5. Disclaimer

The CCPA landed on 1 January 2020

Regardless of differing opinions, the CCPA has taken effect, and companies doing business within the jurisdiction of California must comply with it.

The complexity of SAP® makes compliance with data privacy legislation particularly challenging. And without the right tools, CCPA compliance can seem like an insurmountable task.


Am I supposed to comply?

In broad terms, the CCPA applies to any for-profit entity that engages Californian consumers and households. For a more in-depth discussion on the thresholds for compliance, you can look at Chapter 2 of our guide here.

Even if your business is registered in a different state or country, the CCPA applies to your business. Some may argue that federal law doesn’t have jurisdiction internationally (or even in other states), but that same argument was made for the GDPR and proven to be a myth.

In fact, when future courts levy fines and penalties against companies that are non-compliant, they are likely to test the CCPA’s ‘extra-territorial’ nature. Nobody knows at this early stage how the courts will respond, but with the current emphasis on data privacy, they are likely to favor the consumer.

This uncertainty is a cause for concern, and a good enough reason not to be complacent about compliance.

What can I do to comply with the CCPA?

What you need to do will depend on the extent of your current data privacy efforts. Some organizations already have fully developed compliance programs in place, while others haven’t needed to consider it until now.

I have no data privacy program

If you have no data privacy program in place, you should urgently start the process. You should consider:

CCPA: First steps to compliance

I am busy implementing a program in line with GDPR or other legislation


If you are currently preparing for compliance with other data privacy legislation, you will need to identify the differences in requirements between that legislation and the CCPA.

In many ways, the CCPA shares similarities with other legislation, allowing you to apply the same processes. However, compliance with GDPR, for example, won’t guarantee compliance with CCPA, as there are some key differences.

I have a fully developed data privacy program

If you have a fully developed data privacy program, there are a few quick wins you can apply to get you closer to full CCPA compliance:

CCPA: Additional steps to compliance with a full data privacy program

Need some help?

We understand the complexity of implementing data privacy compliance in large organizations, especially when it comes to complex SAP systems. Read our white paper on making compliance easier from an SAP perspective to understand your options.

Making CCPA compliance easier - from an SAP perspective

Disclaimer

This blog is not intended as legal advice and should not be construed as such. Its purpose is to provide information for educational purposes only and makes no claims or guarantees with regards to efficacy, accuracy or full compliance with the law discussed herein.

Please consult with an appropriate legal advisor before implementing any part of a CCPA compliance project. EPI-USE Labs will not take any responsibility for misinterpretation or incorrect application of practical measures towards compliance resulting from the use of this information.

 

 

Explore Popular Tags

GDPR Data Privacy Data Security Data Secure GDPR compliance Data Redaction data scrambling Data Redact General Data Protection Regulation POPI Act POPIA SAP Data Security SAP GDPR SAP data privacy and compliance Data Archiving Data Sync Manager Data privacy regulations Right to be forgotten Data privacy compliance GDPR readiness GDPR deadline Personal data SAP SAP security SAP systems GRC for SAP SAP data privacy and security Access Risk management Access risk controls Data Privacy suite Data minimisation Data security breaches Governance, Risk Management and Compliance (GRC) compliance COVID-19 Data privacy by design Risk monitoring SAP data copying and masking SAR Soterion Subject Access Request anonymised data Australian Privacy Act 1988 CCPA Cenoti Client Sync Data Protection Day Data masking EPI-USE Labs’ solutions European operations Federal Law GDPR fine Guest order ICO May 2018 Object Sync One-time customer Privacy by Design Reducing risk Right to Erasure Risk minimisation S/4HANA Migrations SAP S/4HANA SAP data SAP data privacy & security Secure scrambled production data for testing Test Data Management security breach Backlog privacy debt Black Friday Black Friday hangover Black Friday sales Breach Notification Brexit Budget Canada data privacy legislation Cenoti, connecting SAP with Splunk Cloud migrations Confidentiality Consent DSM DSM Readiness Assessment Data Diclose Data Portability Data Removal Data Replication Data Sync Manager (DSM) Data integrity Data privacy assessment Data processor versus controller Data retention rules Documentation Employee data Europe Friday 25 May 2018 GDPR-type legislation GRC GRC for SAP tools General Data Protection HCM HR ILM Information Commissioner’s Office Information transfer Infotype 41 JSOX New Zealand Privacy Act News Online shopping Penalties Personal Data Protection Law (PDPL) Phantom Proportional Data Protect personal employee data Removing data in SAP Right to Access Rise with SAP Risk management S4HANA SAP Cloud SAP Data Privacy Suite SAP RISE SAP SuccessFactors SAP access risk simulations SAP data encryption SIEM SOX Sarbanes-Oxley (SOX) legislation Saudi Arabia Security Security Information and Event Management Security for SAP. Live Sensitive HCM data South African data privacy legislation Splunk Splunk UBA Splunk’s Enterprise Security Success Factors Territorial Scope UK Government User Access Review Virtual conference What does the European GDPR mean for Australia? ebook masking rules quality of test data system copy uk sox
+ See More

Get Instant Updates


Leave a Comment: