Solving 3 Practical Data Management Challenges of the Virginia Consumer Data Protection Act (VCDPA)
If you’re feeling a migraine coming on when you think about the approaching tidal wave of data privacy laws, take an automated data lineage solution instead of Tylenol.
Join the DZone community and get the full member experience.Join For Free
“We’d like to give a hearty welcome to the newest privacy legislation on the scene! Ladies and gentlemen, please give a big round of applause to... the Virginia Consumer Data Protection Act!”
The crowd may be going wild — but your BI team may be going crazy.
Another privacy legislation? Another one?
Depending on where you do business, you may already be dealing with multiple consumer data privacy laws, including (but of course not limited to):
- EU’s General Data Protection Regulation (GDPR)
- California Consumer Protection Act/California Privacy Rights Act (CCPA/CPRA)
- Canada’s Digital Charter Implementation Act (DCIA)
And chances are that by the end of the year several other US states will have their own consumer data privacy acts, including Florida, Colorado, New York, Connecticut, Washington, Oklahoma, Ohio, and Minnesota.
Of course, each data privacy act has to be slightly different. Even for businesses that are completely CCPA/CPRA compliant, some of the additional elements they’ll have to add to their compliance strategy for the Virginia Consumer Data Protection Act (VCDPA) solution are:
- Different classifications for “personal” and “sensitive” data
- An opt-out process for targeted advertising
- Data minimization
- An appeals process
(Here’s a really well-done list we found that shows you how to successfully update your CCPA/CPRA privacy strategy for VCDPA compliance.)
When you think about the practical implications of another 48 state data privacy acts… actually, don’t think about it! It’s a migraine trigger.
If Data Isn’t Part of the Solution, It’s Part of the Problem
The one thing critical for compliance with all current and future privacy laws is a data management solution.
Compliance with any regulation regarding data requires that you know exactly what data you have, plus:
- Where it came from
- Where it is going
- Where it is right now
When Richie Rich from Richmond calls you up and demands that you remove his personal data from your system, you need to be able to find it all, get rid of it, and prove that you did so.
If you can’t guarantee you got it all, the Virginia Attorney General can slap you with a fine of $7,500.
If it takes your BI team hours or days of work to guarantee you got it all, over time that’s going to add up to way more than $7,500.
Automated data discovery solutions are your BI team’s time-saver, money-saver, and perhaps life-saver.
Automated data lineage enables you to trace a consumer’s PII as it travels through your system. Find one piece of Richie Rich’s personal data, and an automated data lineage tool can tell you in seconds or minutes exactly what other system data is linked to or influenced by it.
Let’s take a look at three practical challenges of the Virginia Consumer Data Protection Act and where up-to-date data management solutions can protect your business — and your BI team’s sanity.
The Identification and Classification of “Sensitive” Personal Information
Unlike CPRA, VCDPA makes a distinction between regular personal information and “sensitive” personal information. “Sensitive” data is defined as:
- Racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship, or immigration status
- Genetic or biometric data for the purpose of uniquely identifying a natural person
- Any personal data collected from a known child
Under VCDPA, you must have explicit consumer opt-in to process their sensitive data.
If you have consumer data in your system to which you have only recently been sensitized — how are you now going to find it and give it a different status from regular personal data?
Automated data discovery enables you to find those data sets quickly and efficiently. Then automated data lineage can be utilized to trace the journey of those data sets throughout your data landscape and give you a clear visualization of their path. You can now mark every point on those data paths as sensitive data and feel confident that you haven’t missed any lurking sensitive data.
Letting Consumers Access, Obtain Copies of, Correct Errors in, and Request Deletion of Their Personal Data
When a consumer makes a request regarding their personal data, the VCDPA dictates that you must make like a genie and say, “Your wish is my command.”
How easy will it be for you to do that? Is it a five-minute job? Or a five-hour job?
Automated data lineage gives you the magical power to instantaneously track down every piece of an individual’s PII and make it go poof! or turn it into a rabbit, or whatever else your consumer desires.
Now that you don’t have to waste your BI powers on busy work, you can put them all toward the real BI magic of creating a more effective and productive business.
Restricting Data Use to What Was Disclosed or Compatible With Disclosed Uses
When a consumer’s personal data enters your business systems, do you know all the places it might end up? It could be:
- Used by accounting for billing and other transactional purposes
- Used by marketing to customize promotions and special offers
- Used by marketing to deliver targeted advertising on third-party platforms
- Shared with partners to enable them to directly or indirectly market to the consumer
- Sold to other businesses or to data brokers to use for… who knows what
How much of that did your consumers agree to when they gave you their personal information? Under VCDPA, if any use was not explicit in your privacy policies and you now want to use your customer’s data for it, you need to get new consent for that specific use.
That’s where automated data lineage is a time- and money-saver for your BI team. Data lineage solutions empower you to see instantly where any consumer’s personal information ended up, and if it is compatible with the uses disclosed when they gave you the information.
Be Prepared for the Inevitable
Today the new kid on the block is the Virginia Consumer Data Protection Act. Tomorrow it will be the consumer privacy act of New York, or New Jersey, or maybe Idaho.
If you’re feeling a migraine coming on when you think about the approaching tidal wave of data privacy laws, take an automated data lineage solution.
It works even better than extra-extra-extra-strength Tylenol.
Opinions expressed by DZone contributors are their own.