Clarkston Consulting recently partnered with a global retailer to achieve CCPA compliance. The client owns and operates a chain of travel essentials stores, newsstands, specialty and luxury brands stores, cafes, bookstores, and duty-free shops in the United States and Canada. In 2018, the state of California passed a new regulation for businesses with an annual gross revenue exceeding $25 million requiring compliance with guidelines intended to protect the personal data of consumers and company employees. Clarkston aligned with the company’s chief information security officer (CISO) to create and implement a strategy to comply with the 2020 California Consumer Privacy Act (CCPA).
Clarkston oversaw the gathering of legal documents, finalized the data subject request procedure, conducted interviews for data inventory mapping, and jointly completed the client’s reasonable security assessment. As a result of the work, the company now has an operational data subject request strategy, infrastructure, and supporting documentation to be compliant with the CCPA guidelines.
The primary objectives for the CCPA compliance team were to establish a data subject request procedure and the accompanying IT infrastructure. The team needed to identify where consumer, employee, and vendor personal information was stored, along with the overall retention procedures. They would also update employee and consumer privacy policies and complete an internal reasonable security assessment.
This resulted in the finalization of the data subject request process with the legal team and the CISO, and in an updated consumer-facing website and employee handbook that included the new privacy policies and links to the data subject request form. To align with CCPA compliance, a secure online portal was created for consumers to access their personal information, and a clear role for customer service was defined and communicated throughout the updated process.
The key benefits of this project were that the company aligned on CCPA compliance and guidelines and now has the infrastructure to protect itself against future CCPA violations.