What’s to worry about California taking on Data Privacy Rights legislation that aims to protect the individual’s data and punish businesses that make their cash by peddling it? Well, it seems that if you Google “California GDPR”, ironically you might find results indicating that Google is none-too-happy, for one. Yes, that’s right, California has passed, in lightening speed, comprehensive user data privacy legislation that looks quite a bit like GDPR from the EU. According to a recent article in The Register:

“The legislation will give new rights to the state’s 40 million inhabitants, including the ability to view the data that companies hold on them and, critically, request that it be deleted and not sold to third parties. It’s not too far off Europe’s GDPR.

Any company that holds data on more than 50,000 people is subject to the law, and each violation carries a hefty $7,500 fine. Needless to say, the corporations that make a big chunk of their profits from selling their users’ information are not overly excited about the new law.”

This law, that was signed by Gov. Jerry Brown on June 28th, 2018, appears to apply to any company…. not just those doing business in California. Essentially, if you have Californians’ data, prepare to get audited. What’s fully included in the scope of the law can take a while to digest, but here’s a quick snippet of the biggies:

(h) People desire privacy and more control over their information. California consumers should be able to exercise control over their personal information, and they want to be certain that there are safeguards against misuse of their personal information. It is possible for businesses both to respect consumers’ privacy and provide a high level transparency to their business practices.

(i) Therefore, it is the intent of the Legislature to further Californians’ right to privacy by giving consumers an effective way to control their personal information, by ensuring the following rights:

(1) The right of Californians to know what personal information is being collected about them.

(2) The right of Californians to know whether their personal information is sold or disclosed and to whom.

(3) The right of Californians to say no to the sale of personal information.

(4) The right of Californians to access their personal information.

(5) The right of Californians to equal service and price, even if they exercise their privacy rights.

Reading the snippet, there are two huge takeaways that pop out immediately:

1. Just look at the data lineage (movement) complexity involved here. We’re talking seriously strict data management – heavy duty and fully matured. How have you implemented anything like this? How would you even start?

2. Just like with smog control, automotive safety and workplace safety standards, you can be sure that what California has passed here will be adopted by many other states or even at the Federal level. It’s not so clear that the proverbial head in the sand approach is going to be a sound long-term strategy here – check the magic 8 ball – yeah, all signs point to: “outlook not so good”. How can you be sure that this doesn’t and won’t ever apply to your organization? Given that, what might be your long-term strategy?

While larger companies have the cash to lobby and fight for change in this legislation, the rest of the business community will just have to abide the law. So, suppose for a second that you’re a business leader with several million customer (user) records that you use for marketing and analytics. You don’t have a complete understanding of how you might be at risk of an audit – and failing said audit. What to do? Well, assuming the cost of ignoring the law and paying the penalties is too steep, here’s a multi-part plan to adopt.

1. Know the law
2. Build a strategy
3. Implement a minimum viable approach
4. Discover your data
5. Ensure you can pass the audit
6. Repeat step 1 through 6

Wow, not that bad, but this is high-level stuff. Still, there are two key areas that touch on the tactical matter of user data localization that we should briefly cover, and believe it, locating the data is the first step in figuring out if this law applies to you. Still, consider as part of your strategy, the data locality question and then approach it with a minimum viable approach, that is, find something that can easily find and identify your data. How do you do this?

The main problem here is data lineage. Well, let’s take a step back, it’s first about identifying where the data is – this starts with an inventory of your systems. The ability to quickly identify and map out master data for visual inspection in a logical and intuitive manner is well within the reaches of modern graph database solutions. Understanding that you must do this is the “why”, then understand the mapping is the “what”, and the “how” is with a graph database solution.

Knowing where the data is and how it moves across your organizational systems as it’s used for business purposes is key.

With this model solution in place, your organization could quickly visualize and prove that your meaningful implementation of a responsible customer user data infrastructure abides by the law.

Here you can see just how easily one could view and understand the locality, movement and relationships of various data elements. With this approach, one could very quickly determine all the instances of a single user relative to their data location and purpose within a simple view.

However, this is by no means a cheap and simple solution. A solution like this has got to be something worth considering, weighing the costs over the risks, before even trying out. Having said that, this type of graph-based solution can be very effective in demonstrating compliance with the law.

If you’d like to hear more about this or see a demo of this solution, please contact me directly at bthurston@cptech.com.