How Fortune 100 Companies Implement CCPA “Right of Erasure”
When addressing compliance, a good practice is to look up the food chain and learn how Fortune 100 companies address CCPA. We are fortunate enough to serve a dozen of them and want to share insights into how CCPA was actually implemented in those major organizations as of January 2020:
“Right of erasure” requirement:
- No one is hard-deleting inactive client records for “Right of erasure” in operational systems. The legal department manages to provide an across-the-board waiver noting that operational functions and systems do not require erasure. These consumer records can remain there until hell freezes over or the old records get archived (whichever comes first). For example, one of the Fortune 100 companies started with an initial “Right of erasure” scope of 3,000 operational and marketing/analytical systems, of which only 100 eventually remained in scope for erasure (the residual pure marketing/analytical systems).
- Simple deletion scripts do not suffice for deleting consumer records across the hundreds of systems in scope, because frequent data flows from the operational systems re-create the deleted client. In addition, new requirements exist for applying “Opt-out”, Consent and “Do not sell”.
- To solve both problems, the SecuPi overlay is installed on the source applications, applying the client filters needed to ensure that client data does not contaminate the analytical systems.