Going the Extra Mile to Get a Global Bank Ready for CCPA

September 18, 2020
4 Minute Read

When California passed one of the most comprehensive data privacy laws in US history, a Europe-based multinational bank chose RGP to help them prepare for compliance. In eight weeks, we provided an enterprise-wide view of their compliance-readiness posture, documenting 32 data inventories across four major lines of business.

With nearly 40 million residents, California is the most populous state in the US. Home to tech startups in Silicon Valley, the world’s entertainment capital in Hollywood, and the “salad bowl” in the Central Valley, if California were a country, it would represent the fifth largest economy in the world—behind the US, China, Japan and Germany.

Suffice it to say: what happens in California has broad implications. Even though their headquarters are in Europe, our multinational banking and financial services client has customers in the Golden State, which means they must comply with the California Consumer Privacy Act (CCPA). That’s why, 18 months before the law took effect on January 1, 2020, the company reached out to RGP to help them conduct their due diligence to achieve compliance.

“CCPA shifts the decision-making power about how personal information can be used and shared back to the consumer, including what creators of the law call ‘the right to know’ and ‘the right to say no.’”

“CCPA shifts the decision-making power about how personal information can be used and shared back to the consumer, including what creators of the law call ‘the right to know’ and ‘the right to say no,’” says Lynn Rohland, VP of RGP’s Cybersecurity & Data Privacy practice. “Consumers now have the backing of a regulation that mandates clarity on privacy policy practices and transparency on what personal information has been collected, processed or shared about them. They can also opt out of the sale of their data—or have it deleted, where appropriate.”

However, designing for compliance with the CCPA—the most far-reaching statewide privacy law in the US—means designing for the strictest standards of privacy, a challenge Lynn eagerly accepted.

Tenaciously Tracking Data Privacy Details

As Lynn details her meticulous work for our multinational client, it’s clear that her intense familiarity with data privacy isn’t the only thing that sets her apart. Lynn’s zeal for mastering new concepts and for creating a holistic, well-defined approach when tackling fresh projects is underscored in everything she does.

“Our team immediately front-loaded hours into doing our homework, first by thoroughly reviewing over 40 of the company’s documented policies, procedures, process flows and business practices. We didn’t want to get in front of stakeholders and ask questions that we could have found elsewhere,” Lynn says.

Before conducting 28 stakeholder meetings with executives, directors and power users across four major lines of business, Lynn spent her nights laying out the law—literally—creating a Requirements Matrix and Assessment Tool (RMAT), which detailed all the requirements of the newly created CCPA, line by line.

Although there are a number of automated technologies available, Lynn says that reviewing an organization’s compliance posture may require greater scrutiny than machine-driven software can effectively provide. “It just depends on where a business is in its CCPA compliance journey and where they believe they require a deeper analysis of their processes.”

By defining the RMAT control(s) for each CCPA requirement, as well as specifying the objective for each control, Lynn’s approach enabled her team to account for every regulatory line item and determine whether or not the mandate was satisfied completely, partially or not at all.  By profiling the evidence to substantiate the observations, this approach demystified how each determination was made. This gave our client confidence in the gap analysis and our prioritized recommendations for gap remediation. It also enabled them to showcase their compliance due diligence.

“Frontloading the technical approach and then actually building a customized methodology that can successfully be deployed—that’s what I love. That’s the heavy lift,” says Lynn, who pauses for a moment before adding: “Until you put up those bowling alley bumpers, you’re not going to get a team that’s delivering strikes.”

Leaving the ‘Chocolate on the Pillow’

After assessing the organization’s readiness for the CCPA, Lynn’s team created a detailed roadmap, providing a hierarchy of action items to remediate numerous compliance gaps and risks. They then got to work implementing the tasks they knew they could quickly accomplish in advance of the enterprise-wide compliance effort.

“We pride ourselves on getting our clients that much closer to compliance by taking on agreed upon tasks that we can knock out ourselves with a nominal level of effort,” she says.

“Until you put up those bowling alley bumpers, you’re not going to get a team that’s delivering strikes.”

After reviewing our client’s privacy policy on their website—which covered three different microsites targeted to various audiences and locations—Lynn’s team quickly created one holistic policy that addressed data protection principles and handling policies across the board for multiple audiences such as clients, prospective customers, employees and contractors.

Over the course of just eight weeks, with only a few people on the project, Lynn’s team enabled an enterprise-wide view of CCPA compliance for our client, documenting some 32 data inventories related to each business process. Always thinking ahead, Lynn’s team also established a CCPA playbook that enabled our client to scale their compliance in a way that could grow with the evolving law.

“It’s the chocolate on the pillow,” says Lynn with a knowing smile. “That’s our market differentiator: always going above and beyond.”

Let's Have a Discussion Icon

Is Your Business CCPA-Compliant?


Willkommen bei RGP.

Als globales Beratungsunternehmen betreuen wir Kunden auf der ganzen Welt. Dementsprechend ist unsere Website in englischer Sprache verfasst. Sie können uns jederzeit auch auf Deutsch kontaktieren, indem Sie sich an unsere Standorte in Hamburg und Zürich wenden. Besuchen Sie gerne auch unsere LinkedIn-Seite von RGP Deutschland.

Scroll To Top