This is part of a GDPR journey that every organization needs to take, including:
In some ways, CCPA goes further than GDPR in its definition of consumer data, and it includes derived data in the protected bucket: “Information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household”.
Personal information categories include:
- “Unique personal identifiers” (as defined):
- Geolocation data
- Purchasing, browsing and search histories
- Biometric information; notably, CCPA’s personal information includes “olfactory” and “thermal” information linked to a consumer or household
- “Purchasing or consumer tendencies”; all of which are quite broad and indefinite.
Given this broad categorization, how then is consumer data to be identified? Companies have to tag not only information that is collected directly but also data that is linked to the consumer based on actions and other business processes. For many organizations, conducting an initial assessment across disparate heterogeneous platforms is a daunting and time-consuming exercise.
Sophisticated scanners such as the Orion Enterprise Information Intelligence Graph can quickly and automatically examine different vendor databases across disparate technologies and file types, and even determine where and how such personal data is linked and moving across the enterprise. In addition, the content, format, range of values, and data types must be compared in an automated fashion for similarities, differences, and compliance with data management and data security policies.
Orion’s Term2Asset module maps business glossaries and terms that describe consumer data using a broad brush to the specific physical data for semantic querying, and can greatly facilitate reporting and discovery for the business data steward. Finally, the results must be analyzed, documented, and communicated to a broad, diverse audience.