A leading fashion retailer based in Seattle was preparing for the California Consumer Privacy Act (CCPA) to go into effect. Because the organization had not previously been subject to Europe’s General Data Protection Regulation (GDPR), this would be their first experience complying with regulations surrounding Data Subject Rights (DSR).
The Governance, Risk, and Compliance (GRC) team that was coordinating this effort across the entire organization (corporate plus two subsidiaries) required program leadership to bring security, compliance, program management, privacy, and customer experience into alignment.
Our client contacted Kalles Group (KG) for assistance shepherding this complex project across the finish line.
As a trusted partner to our client, KG jumped right in and quickly came up to speed. The team partnered closely with the Privacy and Customer Platform organizations, in addition to GRC, on primary CCPA and internal requirements, design, and implementation strategy.
The team was facing a number of challenges with this program:
- Lack of a single, common repository for all customer information (multiple applications with redundant data)
- Client infrastructure not ready to support leadership's goal of a single point of interface between the workflow platform and client systems
- Newly selected compliance workflow platform, with which none of the team was familiar
- Designing for scalability for additional requirements on future privacy regulations
- No enterprise-wide test system and no way to create dummy production customers
- Coordination with subsidiary organizations that operated independently with little transparency
- No clear owner for the program going forward
KG started with the project artifacts already in place and evolved them as the project progressed. Since the application teams and subsidiaries each managed their own project tasks using a variety of tools and standards, KG developed a tracking mechanism to monitor progress across teams at the program level. The team coordinated closely with application owners and subsidiary teams to evaluate the degree to which CCPA applied to each system, provide guidance on the regulations, make recommendations for extensibility and scalability to accommodate future regulations, and monitor and report progress.
The overall project encompassed a combination of third-party platform implementation, custom-developed automation, and manual fulfillment process design. The technical solution had several components:
- OneTrust (third-party SaaS) platform to manage request intake and fulfillment workflow
- Customized web form
- Fulfillment workflows for Access, Delete, Opt-out, and Disclosure request types
- System tasks to perform automated steps
- Manual tasks with instructions for completing tasks offline
- Internally developed hub to manage API requests between OneTrust and customer platform systems, as well as result file storage
- Additional API development to call subsidiaries and selected systems outside customer platform
- Subsidiary fulfillment automation once request API call is received from OneTrust
One particularly challenging obstacle the team faced was end-to-end testing. The client lacked an enterprise test environment, and since CCPA request fulfillment crosses many applications, non-production end-to-end testing was impossible. There also was no capability to create dummy customers in the production environment and manipulate their data in multiple systems to meet specific scenarios.
We had to get creative. Kalles Group worked with the client team to solicit volunteers among their fellow employees to be test subjects: to submit DSR requests using their own customer information, and self-validate their results.
The team was able to cover the key test scenarios to confirm that the overall process functioned as designed and met the end-to-end testing objective.
Our client successfully met the compliance requirements for CCPA request intake and subsequent fulfillment by the launch date.
Although the California Attorney General announced they would not enforce compliance for a period of 6 months, our client did not need to count on or exercise this grace period, nor did they need to invoke any of the available request fulfillment extensions.
During post-production support, KG also took on the troubleshooting and reworking of complex automated workflows in the OneTrust platform when the internal resources who had initially developed the automations were pulled away. The team learned the tool and quickly became the organization's subject matter expert (SME) for it.
The KG team compiled a full backlog of outstanding work to set the direction for the program, including:
- Preparation for new regulations
- Requirements for new application development and onboarding to maintain compliance
Kalles Group then helped GRC transition ownership of the program to the DevOps team designated as the new owner, and our client is now well positioned to handle CCPA and future Data Subject Rights regulations.