Australian businesses face California privacy challenge

With over 15,000 Californian residents employed by Australian companies spanning more than 83 industries, including wine production, manufacturing and investment, a new privacy law means Australian organisations face a further set of privacy obligations on top of those already imposed by the GDPR.

The California Consumer Privacy Act (CCPA), which came into effect on 1 January 2020, is the first law of its kind in the US and may set a precedent for privacy legislation in other states. Although the CCPA concerns the personal data of California consumers, its reach is international: a business anywhere in the world that collects or processes that data may need to comply with it.

“The expansive reach of the CCPA and scope of data it covers can make compliance feel daunting to many,” says David Bowden, vice president, information security, data privacy, compliance and information technology at Zwift, and member of the ISACA Privacy Advisory Group.

“Having a comprehensive audit program is an incredibly valuable tool for guiding through these intricacies, avoiding repercussions and assuring compliance.”

To help companies navigate this complex privacy landscape, ISACA has launched a new CCPA Audit Program and a free white paper entitled Privacy: Beyond Compliance. Together they are intended to equip audit and privacy professionals with the tools to comply with the regulation and to understand the philosophies and approaches that underpin privacy.

The new ISACA audit program will help auditors to:

  1. evaluate the design and operating effectiveness of the organisation’s practices and ongoing management of CCPA compliance
  2. identify control weaknesses

The audit program also includes sections on data security and on managing security incidents and data breaches. By following the detailed testing steps in the accompanying program spreadsheet, auditors can help organisations limit business impact through three key elements:

  • Strong data classification that supports identifying and locating consumer data
  • A consistent private-data methodology, so that third-party vendors handle private data the same way the entity itself does
  • Agile project management and a solid change management program

To provide additional context, ISACA has also published Privacy: Beyond Compliance, a white paper that explores the current state of privacy as it relates to compliance, ethics and humanity. It covers a range of considerations, including COVID-19 contact tracing and how enterprises can remain accountable for temporary privacy intrusions during a crisis, and outlines eight key focus areas for boards of directors around privacy, including surveillance and tracking, privacy by design, and treating data as a reflection of a person's life.

“Beyond complying with privacy regulations, today’s privacy professionals should recognise the human impact of poor privacy practice, and augment their privacy strategies in response to a rapidly evolving global digital landscape,” says Guy Pearce, lead developer for the white paper, and chief digital officer, Convergence.tech.

“This foundation equips organisations to perform their fiduciary duties to their customers, clients or citizens more ethically and more sustainably, benefiting not only those the organisation serves, but also differentiating the organisation as one that can be trusted because of what it does, not only because of what it says it does.”