Self-Assessment: California Consumer Privacy Act
Introduction, about the California Consumer Privacy Act Self-Assessment
Defining, designing, creating, and implementing a process to solve a business challenge or meet a business
objective is the most valuable role… In EVERY company, organization and department.
Unless you are talking about a one-time, single-use project within a business, there should be a process. Whether that
process is managed and implemented by humans, AI, or a combination of the two, it needs to be designed by someone
with a complex enough perspective to ask the right questions. Someone capable of asking the right questions and stepping
back to say, 'What are we really trying to accomplish here? And is there a different way to look at it?'
For more than twenty years, The Art of Service's Self-Assessments have empowered people who can do just that - whether
their title is marketer, entrepreneur, manager, salesperson, consultant, business process manager, executive assistant,
IT Manager, CxO, etc. - they are the people who rule the future. They are people who watch the process as it
happens, and ask the right questions to make the process work better.
This Self-Assessment is for managers, advisors, consultants, specialists, professionals and anyone interested in
knowing the right questions to ask.
Featuring new and updated case-based questions, organized into seven core areas of process design, this
Self-Assessment will help you identify areas in which improvements can be made.
In using the questions you will be better able to:
❑ diagnose projects, initiatives, organizations, businesses and processes using accepted diagnostic standards and
practices
❑ implement evidence-based best practice strategies aligned with overall goals
❑ integrate recent advances in the topic and process design strategies into practice according to best practice
guidelines
Using a Self-Assessment tool known as the Self-Assessment Radar Chart, you will develop a clear picture of the areas
where improvements can be made.
This spreadsheet has been designed for 1-10 participants and is easy to expand; multiple spreadsheets can be used to
assess with a large group, or you can modify the formulas, etc.
You can use this spreadsheet as the starting point for deeper analysis. One suggestion is to use Pivot Tables, for even
more powerful analysis, or import the data in analysis and reporting tools like Tableau, SAP, ZOHO or the Business
Intelligence tool of your choice.
You are free to use the Self-Assessment contents in your presentations and materials for customers without asking us -
we are here to help. The Art of Service has helped hundreds of clients to improve execution and meet the needs of
customers better by applying process redesign.
How can we help you? For all questions regarding this Self-Assessment or to discuss how our team can help your
business achieve true results, please visit
https://store.theartofservice.com/contact-us/
This document is a partial preview. Full document download can be found on Flevy:
https://flevy.com/browse/document/california-consumer-privacy-act--implementation-toolkit-5570
Below are the only valid entries for the assessment. This Self-Assessment is set up to process 1-10 participants' views.
When using it for fewer than 10 participants, the unused entry fields need to stay clear/empty so they do not skew the results.
Each participant's answer is to be recorded using the drop-down box next to the question: select an answer of 1-5, or
leave at 'Not applicable', for each question for each process area.
In my belief, the answer to the following question is clearly defined: (click 'Not applicable' under Participant name
to change value, leave at 'Not applicable' if the question is not matched to your goals/needs)
1 Strongly Disagree
2 Disagree
3 Neutral
4 Agree
5 Strongly Agree
Step 1 - Enter the names of the participants here:
Participant 1
Participant 2
Participant 3
Participant 4
Participant 5
Participant 6
Participant 7
Participant 8
Participant 9
Participant 10
Step 2 - Now have each participant answer each question for each Process area, under their name. Click 'Not
applicable' under Participant name to change value, leave at 'Not applicable' if the question is not matched to your
goals/needs.
1 Recognize Participant 1 Participant 2 Participant 3 Participant 4 Participant 5 Participant 6 Participant 7 Participant 8 Participant 9 Participant 10 Total Count Avg
"In my belief, the answer to the following question is clearly defined:" 0 0 0
1 Do you have the list of personal information elements that can be used to identify an individual, collected and stored with your organization? 5 5 5 1 5 5 5 2 5 2 40 10 4
2 What follow up actions are needed to restore normal operations? 3 5 5 5 5 5 1 5 5 3 42 10 4.2
3 What personally identifiable information triggers notification? 5 5 5 2 5 5 5 5 5 5 47 10 4.7
4 Will a response program recognize when a crisis occurs and provide some level of response? 5 5 4 4 5 5 2 5 5 5 45 10 4.5
5 What does your research do to help your eCommerce business needs? 5 5 4 5 5 2 5 5 5 4 45 10 4.5
6 Do you recognize California Consumer Privacy Act achievements? 5 5 5 5 5 5 5 5 5 5 50 10 5
7 How are you going to measure success? 5 5 5 5 4 5 5 2 5 5 46 10 4.6
8 What kind of communication research still needs to be done before making a choice? 1 5 5 5 5 5 4 5 5 5 45 10 4.5
9 How do you stay flexible and focused to recognize larger California Consumer Privacy Act results? 5 2 5 2 3 5 5 2 5 5 39 10 3.9
10 What would happen if California Consumer Privacy Act weren’t done? 5 5 1 5 5 5 5 5 5 5 46 10 4.6
11 What does California Consumer Privacy Act success mean to the stakeholders? 5 5 5 5 5 3 5 5 5 5 48 10 4.8
12 How do you recognize an objection? 5 1 5 5 5 5 5 5 5 2 43 10 4.3
13 Are employees recognized or rewarded for performance that demonstrates the highest levels of integrity? 5 5 4 5 5 5 5 5 5 5 49 10 4.9
14 Is additional clarification/information needed? 2 5 5 5 5 5 5 5 5 4 46 10 4.6
15 To what extent does management recognize California Consumer Privacy Act as a tool to increase the results? 5 5 3 5 5 5 5 5 5 5 48 10 4.8
16 How well can employees show and apply problem solving skills? 5 5 2 5 4 5 5 5 5 5 46 10 4.6
17 What is triggered if your organization collects personal information? 5 5 5 5 5 5 5 5 5 5 50 10 5
18 What does your organization need to do? 5 5 5 5 4 1 4 5 5 1 40 10 4
19 To what extent would your organization benefit from being recognized as an award recipient? 4 5 5 5 5 5 5 5 5 5 49 10 4.9
20 How are the California Consumer Privacy Act's objectives aligned to the group’s overall stakeholder strategy? 5 5 5 3 3 2 4 5 5 5 42 10 4.2
21 When a California Consumer Privacy Act manager recognizes a problem, what options are available? 5 5 4 5 5 5 5 5 5 5 49 10 4.9
22 Who will you need to contact and when? 2 5 5 5 5 5 5 2 5 5 44 10 4.4
23 To what extent does each concerned unit's management team recognize California Consumer Privacy Act as an effective investment? 1 5 5 5 1 5 5 3 5 5 40 10 4
24 Are there recognized California Consumer Privacy Act problems? 1 5 1 5 5 4 5 5 5 5 41 10 4.1
25 Who else do you need to involve within your organization? 5 3 5 4 5 5 3 5 5 5 45 10 4.5
26 Does your organization identify that it has recordings? 5 5 5 1 5 5 5 5 5 5 46 10 4.6
27 Is the need for organizational change recognized? 5 5 5 5 5 5 5 5 5 3 48 10 4.8
28 What is the recognized need? 1 5 5 2 5 5 5 5 2 5 40 10 4
29 Does a consumer need to initial the opt out box for it to be valid? 5 5 5 5 5 4 5 5 5 3 47 10 4.7
30 Are there any specific expectations or concerns about the California Consumer Privacy Act team, California Consumer Privacy Act itself? 5 5 5 5 5 5 5 4 5 5 49 10 4.9
31 What problems are you facing and how do you consider California Consumer Privacy Act will circumvent those obstacles? 5 5 5 5 5 5 1 4 1 5 41 10 4.1
32 When do you need to respond to a subject action request by? 5 5 5 2 5 3 5 5 5 5 45 10 4.5
33 What is the preferred time scale within which the problem must be solved? 4 5 5 5 1 5 5 5 3 5 43 10 4.3
34 How will you recognize and celebrate results? 3 1 5 5 5 5 5 5 5 5 44 10 4.4
35 Will the business need to change? 3 5 4 5 5 5 5 5 4 3 44 10 4.4
36 What are the expected benefits of California Consumer Privacy Act to the stakeholder? 5 5 5 2 4 5 4 5 5 5 45 10 4.5
37 How does the problem fit into the evolution of your organization, and of society? 5 5 5 5 4 5 5 5 5 5 49 10 4.9
38 Have you identified the personal information elements which in combination with others can be used to identify an individual? 5 4 5 5 1 5 5 5 3 5 43 10 4.3
39 What are the minority interests and what amount of minority interests can be recognized? 4 2 4 5 3 5 5 5 3 5 41 10 4.1
40 How and where can the employees' views of the communication culture be found in the other problem areas? 5 5 5 5 5 5 4 5 5 5 49 10 4.9
41 Who else hopes to benefit from it? 5 5 3 5 5 5 5 5 5 4 47 10 4.7
42 Why do you need to provide personal information to receive your report? 5 4 5 5 5 5 5 5 5 5 49 10 4.9
43 How do you recognize a California Consumer Privacy Act objection? 5 2 5 5 5 2 5 1 5 1 36 10 3.6
44 What are the stakeholder objectives to be achieved with California Consumer Privacy Act? 5 5 5 5 5 5 5 5 5 1 46 10 4.6
45 Can management personnel recognize the monetary benefit of California Consumer Privacy Act? 5 3 1 5 5 5 1 5 3 5 38 10 3.8
46 What practices help your organization to develop its capacity to recognize patterns? 5 5 3 5 5 5 4 3 3 5 43 10 4.3
47 Are losses recognized in a timely manner? 4 4 4 1 5 5 5 5 5 5 43 10 4.3
48 Are employees recognized for desired behaviors? 1 5 5 5 5 5 2 5 5 5 43 10 4.3
49 Are controls defined to recognize and contain problems? 5 5 5 5 5 5 2 5 5 5 47 10 4.7
50 Does California Consumer Privacy Act create potential expectations in other areas that need to be recognized and considered? 5 5 5 5 5 5 5 5 5 5 50 10 5
51 Will you need to amend your organization's online privacy policy? 3 5 5 5 3 5 1 5 4 5 41 10 4.1
52 Would you recognize a threat from the inside? 5 4 1 5 5 5 5 5 3 5 43 10 4.3
53 How much are sponsors, customers, partners, stakeholders involved in California Consumer Privacy Act? In other words, what are the risks, if California Consumer Privacy Act does not deliver successfully? 5 5 5 5 5 5 5 5 5 5 50 10 5
54 What situation(s) led to this California Consumer Privacy Act Self Assessment? 5 5 5 5 5 5 5 5 5 5 50 10 5
55 Should the concept of specific business purpose or need be defined further and, if so, how? 5 5 1 2 5 4 1 3 5 5 36 10 3.6
56 As a sponsor, customer or management, how important is it to meet goals, objectives? 5 5 5 5 5 5 5 1 5 5 46 10 4.6
57 What does your business need to be compliant? 4 5 5 5 5 2 2 5 5 5 43 10 4.3
58 What kinds of problems occur and at which organizational levels? 5 5 5 5 5 4 5 5 2 5 46 10 4.6
59 Are California Consumer Privacy Act changes recognized early enough to be approved through the regular process? 5 5 4 5 5 5 5 5 5 5 49 10 4.9
60 Should you invest in industry-recognized qualifications? 5 5 5 2 5 5 5 1 5 5 43 10 4.3
0 0 0
SCORE 261 275 263 263 275 276 260 268 276 271 2688 600 4.5
2 Define Participant 1 Participant 2 Participant 3 Participant 4 Participant 5 Participant 6 Participant 7 Participant 8 Participant 9 Participant 10 Total Count Avg
"In my belief, the answer to the following question is clearly defined:" 0 0 0
1 Does the team have regular meetings? 4 1 5 4 4 4 2 4 4 2 34 10 3.4
2 How do you manage consumer privacy requirements and keeping the creepy out of retargeting? 4 4 5 4 4 4 5 2 5 5 42 10 4.2
3 Are customer(s) identified and segmented according to their different needs and requirements? 5 5 5 1 5 5 4 4 4 5 43 10 4.3
4 Are information security policies that provide management direction defined and regularly reviewed? 5 3 4 4 1 2 5 5 4 5 38 10 3.8
5 What are the compliance requirements? 4 5 5 5 5 5 5 4 3 4 45 10 4.5
6 How will variation in the actual durations of each activity be dealt with to ensure that the expected California Consumer Privacy Act results are met? 5 4 5 5 5 4 5 5 5 5 48 10 4.8
7 Has the improvement team collected the ‘voice of the customer’ (obtained feedback – qualitative and quantitative)? 5 4 5 4 5 4 4 2 5 4 42 10 4.2
8 How is personal information defined? 4 5 3 4 4 4 1 5 5 5 40 10 4
9 When is the estimated completion date? 4 4 5 4 5 4 1 4 5 4 40 10 4
10 Who are the California Consumer Privacy Act improvement team members, including Management Leads and Coaches? 5 5 4 5 1 4 4 1 5 4 38 10 3.8
11 When are you required to provide privacy notices? 5 5 3 5 4 5 5 5 5 5 47 10 4.7
12 Has everyone on the team, including the team leaders, been properly trained? 4 5 2 5 5 1 4 4 4 5 39 10 3.9
13 When is/was the California Consumer Privacy Act start date? 3 4 5 4 4 5 4 5 5 5 44 10 4.4
14 How is the team tracking and documenting its work? 5 5 5 4 4 4 4 5 2 5 43 10 4.3
15 Are team charters developed? 2 4 5 5 4 5 5 1 5 5 41 10 4.1
16 When are meeting minutes sent out? Who is on the distribution list? 2 2 4 5 5 5 4 4 5 5 41 10 4.1
17 How do you keep key subject matter experts in the loop? 5 5 5 4 5 5 5 5 5 5 49 10 4.9
18 Have you defined clear roles and responsibility for request fulfillment? 4 4 5 4 4 5 5 5 1 5 42 10 4.2
19 How often are the team meetings? 5 4 3 5 5 5 4 5 4 5 45 10 4.5
20 Is there regularly 100% attendance at the team meetings? If not, have appointed substitutes attended to preserve cross-functionality and full representation? 5 5 5 5 5 4 5 5 4 4 47 10 4.7
21 Is there a completed SIPOC representation, describing the Suppliers, Inputs, Process, Outputs, and Customers? 4 4 2 4 1 5 4 5 4 4 37 10 3.7
22 What are the dynamics of the communication plan? 5 5 4 5 4 5 1 5 3 2 39 10 3.9
23 Are improvement team members fully trained on California Consumer Privacy Act? 5 5 4 4 4 4 4 4 5 4 43 10 4.3
24 Has/have the customer(s) been identified? 5 5 5 4 4 5 4 3 4 5 44 10 4.4
25 Are stakeholder processes mapped? 4 1 4 4 5 4 5 4 5 5 41 10 4.1
26 Is there a critical path to deliver California Consumer Privacy Act results? 5 5 5 4 5 5 5 4 4 3 45 10 4.5
27 Is full participation by members in regularly held team meetings guaranteed? 5 4 5 5 5 4 5 4 4 5 46 10 4.6
28 Does the unilateral amendment exceed the scope of the GDPR? 5 4 2 5 1 5 5 5 4 5 41 10 4.1
29 Is there a completed, verified, and validated high-level ‘as is’ (not ‘should be’ or ‘could be’) stakeholder process map? 2 1 5 4 4 4 5 4 2 4 35 10 3.5
30 If substitutes have been appointed, have they been briefed on the California Consumer Privacy Act goals and received regular communications as to the progress to date? 4 3 5 4 5 4 5 4 4 4 42 10 4.2
31 Are customers identified and high impact areas defined? 1 5 1 5 5 4 5 5 4 5 40 10 4
32 Do the problem and goal statements meet the SMART criteria (specific, measurable, attainable, relevant, and time-bound)? 5 5 5 3 5 1 5 4 1 5 39 10 3.9
33 What is the geographic scope of your organization? 5 5 4 5 5 5 1 5 1 5 41 10 4.1
34 What specifically is the problem? Where does it occur? When does it occur? What is its extent? 5 5 5 5 5 5 4 4 4 5 47 10 4.7
35 Has the California Consumer Privacy Act work been fairly and/or equitably divided and delegated among team members who are qualified and capable to perform the work? Has everyone contributed? 5 5 5 4 5 4 5 5 5 4 47 10 4.7
36 Is there a California Consumer Privacy Act management charter, including stakeholder case, problem and goal statements, scope, milestones, roles and responsibilities, communication plan? 5 5 1 4 4 1 5 5 5 5 40 10 4
37 What are the boundaries of the scope? What is in bounds and what is not? What is the start point? What is the stop point? 5 4 5 1 1 5 5 4 5 4 39 10 3.9
38 Has the direction changed at all during the course of California Consumer Privacy Act? If so, when did it change and why? 4 2 1 5 5 5 4 5 4 4 39 10 3.9
39 Has a project plan, Gantt chart, or similar been developed/completed? 4 2 4 5 4 5 5 4 2 4 39 10 3.9
40 Are there different segments of customers? 5 5 4 5 2 5 5 4 5 3 43 10 4.3
41 Is the team adequately staffed with the desired cross-functionality? If not, what additional resources are available to the team? 4 4 4 5 4 5 5 4 5 3 43 10 4.3
42 Will team members regularly document their California Consumer Privacy Act work? 1 4 5 4 4 3 4 5 3 4 37 10 3.7
43 How was the ‘as is’ process map developed, reviewed, verified and validated? 4 4 5 1 4 4 4 1 4 2 33 10 3.3
44 Is the team formed and are team leaders (Coaches and Management Leads) assigned? 4 5 5 4 4 4 4 2 5 3 40 10 4
45 Are different versions of process maps needed to account for the different types of inputs? 4 3 4 5 5 5 5 5 4 5 45 10 4.5
46 What are the minimum security requirements for IoT devices? 3 4 4 4 5 3 5 4 4 5 41 10 4.1
47 How can you measure the accountability of your privacy work outside legal requirements? 5 4 5 5 4 3 4 4 5 2 41 10 4.1
48 How will the California Consumer Privacy Act team and the group measure complete success of California Consumer Privacy Act? 3 4 5 5 5 4 5 5 3 4 43 10 4.3
49 When notice is required, may you mail just one privacy notice? 5 4 4 3 5 5 5 5 5 4 45 10 4.5
50 What constraints exist that might impact the team? 4 4 1 4 4 4 5 5 5 5 41 10 4.1
51 Is the team sponsored by a champion or stakeholder leader? 3 4 4 5 4 4 4 4 5 4 41 10 4.1
52 What are the Roles and Responsibilities for each team member and its leadership? Where is this documented? 4 5 5 5 4 4 5 4 4 4 44 10 4.4
53 Is the California Consumer Privacy Act scope manageable? 5 5 5 3 3 4 5 2 3 2 37 10 3.7
54 What are the compelling stakeholder reasons for embarking on California Consumer Privacy Act? 5 5 5 4 4 5 4 5 5 4 46 10 4.6
55 Is the current ‘as is’ process being followed? If not, what are the discrepancies? 4 3 5 3 5 5 5 4 4 4 42 10 4.2
56 Will team members perform California Consumer Privacy Act work when assigned and in a timely fashion? 3 4 5 4 4 4 5 4 5 4 42 10 4.2
57 Who must comply with the CCPA's requirements? 4 3 5 5 5 5 4 4 4 5 44 10 4.4
58 Has a high-level ‘as is’ process map been completed, verified and validated? 4 5 5 5 5 2 5 4 5 5 45 10 4.5
59 Are there any constraints known that bear on the ability to perform California Consumer Privacy Act work? How is the team addressing them? 4 4 4 5 5 2 4 4 4 5 41 10 4.1
60 Have you defined business rules to operationalize retention policy? 4 4 4 5 4 2 4 5 1 5 38 10 3.8
61 What constitutes would otherwise meet the requirements of a service provider? 2 3 5 5 5 3 4 5 5 4 41 10 4.1
62 Is data collected and displayed to better understand customer(s) critical needs and requirements? 5 4 4 1 5 5 4 5 5 5 43 10 4.3
63 Has anyone else (internal or external to the group) attempted to solve this problem or a similar one before? If so, what knowledge can be leveraged from these previous efforts? 4 4 5 4 4 4 5 5 4 5 44 10 4.4
64 Is California Consumer Privacy Act currently on schedule according to the plan? 4 5 5 4 5 4 4 4 5 4 44 10 4.4
65 What would be the goal or target for a California Consumer Privacy Act's improvement team? 5 4 5 4 4 4 4 5 5 4 44 10 4.4
66 What critical content must be communicated – who, what, when, where, and how? 4 4 4 5 2 3 5 5 4 4 40 10 4
67 Is the team equipped with available and reliable resources? 5 5 5 2 4 5 5 5 5 5 46 10 4.6
68 Is the improvement team aware of the different versions of a process: what they think it is vs. what it actually is vs. what it should be vs. what it could be? 4 4 4 4 5 4 3 5 2 5 40 10 4
69 What security measures are required? 4 3 4 4 5 5 5 5 1 3 39 10 3.9
70 Has a team charter been developed and communicated? 5 2 5 4 4 4 4 4 1 5 38 10 3.8
71 What are the rough order estimates on cost savings/opportunities that California Consumer Privacy Act brings? 4 4 3 5 5 4 5 4 4 4 42 10 4.2
72 What level of security is required? 4 5 5 4 5 4 4 4 5 4 44 10 4.4
73 What key stakeholder process output measure(s) does California Consumer Privacy Act leverage and how? 4 4 4 4 4 4 4 5 2 5 40 10 4
74 Have the customer needs been translated into specific, measurable requirements? How? 5 4 5 5 2 4 5 4 4 4 42 10 4.2
75 What customer feedback methods were used to solicit their input? 1 3 5 4 4 4 4 4 4 4 37 10 3.7
76 Is California Consumer Privacy Act linked to key stakeholder goals and objectives? 4 5 5 5 4 4 4 5 4 4 44 10 4.4
77 Are you required to purchase machines with screens large enough to hold your privacy policy? 4 5 4 4 4 5 5 3 4 2 40 10 4
78 What capacities are required for effective implementation of each policy and programme? 4 4 5 4 5 4 3 4 4 4 41 10 4.1
79 Is a fully trained team formed, supported, and committed to work on the California Consumer Privacy Act improvements? 4 5 5 4 1 4 4 4 5 5 41 10 4.1
80 How did the California Consumer Privacy Act manager receive input to the development of a California Consumer Privacy Act improvement plan and the estimated completion dates/times of each activity? 5 5 4 5 4 5 4 5 4 4 45 10 4.5
81 How does the California Consumer Privacy Act manager ensure against scope creep? 5 4 5 5 4 4 4 4 5 5 45 10 4.5
0 0 0
SCORE 336 331 349 341 335 333 348 341 325 345 3384 810 4.2
3 Measure Participant 1 Participant 2 Participant 3 Participant 4 Participant 5 Participant 6 Participant 7 Participant 8 Participant 9 Participant 10 Total Count Avg
"In my belief, the answer to the following question is clearly defined:" 0 0 0
1 What particular quality tools did the team find helpful in establishing measurements? 5 3 3 4 3 4 4 5 3 4 38 10 3.8
2 Was a data collection plan established? 4 5 5 4 4 3 5 4 4 5 43 10 4.3
3 Should companies be able to charge a reasonable cost for certain types of access? 1 5 3 5 5 3 5 5 4 3 39 10 3.9
4 What social causes and activities are you passionate about? 5 3 3 2 5 3 4 5 1 4 35 10 3.5
5 What is the total relevant skilled labor cost of the contract? 3 5 1 4 5 3 3 5 5 3 37 10 3.7
6 Is there a Performance Baseline? 5 3 3 3 1 4 4 4 3 4 34 10 3.4
7 How will DSAR impact your operations? 3 3 4 4 5 4 3 3 5 3 37 10 3.7
8 What are the agreed upon definitions of the high impact areas, defect(s), unit(s), and opportunities that will figure into the process capability metrics? 5 5 4 3 5 3 3 4 3 4 39 10 3.9
9 What are the key input variables? What are the key process variables? What are the key output variables? 5 4 4 3 5 3 3 4 3 3 37 10 3.7
10 How responsive is business capital formation to its user cost? 4 4 2 2 5 5 5 5 4 5 41 10 4.1
11 How do you verify the identity of consumers? 3 3 3 3 3 1 3 5 4 5 33 10 3.3
12 What impact did GDPR have on your security organization? 3 3 3 4 1 5 3 3 4 4 33 10 3.3
13 How will CCPA impact your privacy operations? 5 3 5 4 3 3 3 4 4 4 38 10 3.8
14 What charts has the team used to display the components of variation in the process? 3 3 3 3 4 5 4 5 3 4 37 10 3.7
15 How will it impact loyalty programs? 4 3 5 5 3 5 5 4 3 3 40 10 4
16 Should the focus be on data ownership or on usage rights or a combination? 5 3 4 3 3 3 5 3 4 5 38 10 3.8
17 How much would it cost to do the same work a second time? 3 2 1 3 3 4 4 5 1 4 30 10 3
18 What factors are required for effective reconciliation or may impact on its effectiveness? 3 3 4 5 1 3 3 3 5 3 33 10 3.3
19 How will CCPA, GDPR affect measurement? 2 3 4 4 4 5 2 5 5 4 38 10 3.8
20 What are reasonable security measures? 3 5 4 5 3 5 4 2 4 5 40 10 4
21 Do consumers have a private cause of action? 3 3 5 4 5 5 2 4 5 5 41 10 4.1
22 Have you found any ‘ground fruit’ or ‘low-hanging fruit’ for immediate remedies to the gap in performance? 3 3 3 4 5 3 4 3 5 5 38 10 3.8
23 How does CCPA impact enterprises? 5 2 2 5 3 5 3 4 3 3 35 10 3.5
24 Have you measured how many hours staff and partners spend each year on acquisition? 4 3 3 2 5 5 4 3 5 3 37 10 3.7
25 What are the industry trends that are impacting you? 3 3 3 4 2 5 5 5 3 3 36 10 3.6
26 What is the limit on direct costs of solutions to the problem? 5 3 4 4 3 4 4 4 3 5 39 10 3.9
27 How will your organization verify consumer identities? 5 5 3 3 4 5 3 2 3 1 34 10 3.4
28 Does the CCPA impact loyalty programs or customer accounts? 4 5 3 4 4 3 5 2 3 4 37 10 3.7
29 How will you mitigate any negative impact? 4 3 5 5 1 3 4 5 4 5 39 10 3.9
30 What has the team done to assure the stability and accuracy of the measurement process? 5 5 3 3 5 4 5 1 3 3 37 10 3.7
31 What is the defect that causes the product hazard? 3 3 4 4 1 4 1 3 3 3 29 10 2.9
32 Are data processors liable for data breaches caused by the data processor's sub-processor? 5 4 5 3 4 4 3 5 5 3 41 10 4.1
33 Is Process Variation Displayed/Communicated? 1 5 1 5 4 3 3 1 5 1 29 10 2.9
34 What caused the product defect to occur in the first place? 4 4 4 4 5 2 4 5 5 5 42 10 4.2
35 What key measures identified indicate the performance of the stakeholder process? 5 5 4 4 4 5 3 5 3 4 42 10 4.2
36 Are key measures identified and agreed upon? 3 4 4 5 1 2 3 4 3 2 31 10 3.1
37 Are process variation components displayed/communicated using suitable charts, graphs, plots? 5 4 3 5 2 5 3 1 3 4 35 10 3.5
38 Does the policy cover the cost of retaining a forensic investigator? 3 5 5 3 5 5 5 3 5 3 42 10 4.2
39 Are high impact defects defined and identified in the stakeholder process? 3 4 3 4 5 3 2 1 3 4 32 10 3.2
40 Is your business impacted by the CCPA? 3 4 4 5 5 5 4 4 4 4 42 10 4.2
41 What impact have new laws had on your customers' trust? 3 5 3 5 5 4 1 5 5 4 40 10 4
42 Is key measure data collection planned and executed, process variation displayed and communicated and performance baselined? 3 3 3 5 4 5 3 5 5 5 41 10 4.1
43 What is the total relevant cost of labor for the contract? 3 5 5 4 5 5 5 3 4 5 44 10 4.4
44 Is data collection planned and executed? 5 5 5 4 1 4 5 5 5 4 43 10 4.3
45 Why care about the impact of the GDPR on privacy? 3 2 4 3 1 5 4 4 5 3 34 10 3.4
46 Is long term and short term variability accounted for? 5 5 5 5 5 5 5 5 5 4 49 10 4.9
47 What process will business use to verify the consumer request, including any information the consumer must provide? 3 4 5 1 2 5 3 1 3 5 32 10 3.2
48 Are information security risks compared to the established risk criteria and prioritized? 3 4 4 4 3 3 4 3 3 4 35 10 3.5
49 Does the project have impacts that are individually limited, and cumulatively considerable? 4 4 4 4 5 4 4 5 3 4 41 10 4.1
50 Is your organization's business team aware of the change in regulation and how it may impact marketing and consumer reach? 3 5 3 5 4 4 4 2 2 3 35 10 3.5
51 How do regulations impact your ability to meet business objectives and marketing goals? 4 3 3 5 5 2 4 5 5 4 40 10 4
52 Which most causes you to distrust a brand when providing your personal information? 5 4 3 3 5 5 1 3 3 4 36 10 3.6
53 How will opting out impact consumers? 1 3 4 4 5 3 4 4 5 4 37 10 3.7
54 How large is the gap between current performance and the customer-specified (goal) performance? 4 4 5 3 1 5 3 5 5 5 40 10 4
55 Will small businesses incur more operational costs? 3 4 4 3 4 5 3 2 3 3 34 10 3.4
56 Will the CCPA be more impactful than many realize? 4 3 4 3 3 2 4 1 3 5 32 10 3.2
57 Who participated in the data collection for measurements? 4 2 3 3 3 4 1 3 3 5 31 10 3.1
58 What data was collected (past, present, future/ongoing)? 5 4 5 4 5 3 4 4 4 3 41 10 4.1
59 Does the CCPA allow an individual whose work email address or business contract information is compromised through a data breach to bring a cause of action for damages? 3 1 4 5 5 3 3 4 4 4 36 10 3.6
60 What will be the impact if you cannot access your data, or if it is stolen? 4 4 5 4 5 4 5 2 3 2 38 10 3.8
61 How does the right to delete impact service providers? 5 4 4 3 5 3 4 5 4 3 40 10 4
62 Which costs are classified as production costs? 5 4 5 3 3 3 5 5 3 3 39 10 3.9
63 Which organization has priority? 3 5 5 3 4 4 2 1 2 4 33 10 3.3
64 How does GDPR/CCPA shift the focus of data protection to include consumers? 5 1 5 2 1 2 5 5 2 4 32 10 3.2
65 Which costs are part of the prime cost for a manufacturing organization? 3 3 1 5 2 5 4 4 3 5 35 10 3.5
66 Is there a cost to privacy breaches? 3 3 2 5 3 3 5 5 2 3 34 10 3.4
67 Is data collected on key measures that were identified? 3 4 3 3 5 5 5 4 4 4 40 10 4
68 Which deductions from an employee's pay have the highest priority? 5 3 4 5 4 3 4 5 2 4 39 10 3.9
69 Is a solid data collection plan established that includes measurement systems analysis? 4 5 3 4 2 4 5 5 1 1 34 10 3.4
0 0 0
SCORE 258 254 252 263 249 266 254 258 249 260 2563 690 3.7
4 Analyze Participant 1 Participant 2 Participant 3 Participant 4 Participant 5 Participant 6 Participant 7 Participant 8 Participant 9 Participant 10 Total Count Avg
"In my belief, the answer to the following question is clearly defined:" 0 0 0
1 Have you established processes to fulfill consumer rights? 3 4 4 3 5 4 4 4 3 3 37 10 3.7
2 What must a third party do to qualify for access, particularly in regard to cybersecurity? 3 3 4 4 3 4 4 4 1 3 33 10 3.3
3 Are pertinent alerts monitored, analyzed and distributed to appropriate personnel? 4 3 3 4 3 4 4 3 1 4 33 10 3.3
4 Do consumers trust brands with data? 3 4 4 4 3 5 4 4 3 4 38 10 3.8
5 How do you assure consumer privacy throughout the matching process? 4 4 3 3 3 3 4 3 2 3 32 10 3.2
6 What personal data is held by staffing departments? 4 3 3 3 3 3 3 4 3 3 32 10 3.2
7 What entities will be accessing personal data? 5 3 3 4 4 1 2 3 3 3 31 10 3.1
8 Have changes been properly/adequately analyzed for effect? 3 5 3 3 4 4 4 1 3 5 35 10 3.5
9 What data should be made available? 3 4 3 3 4 4 3 4 4 4 36 10 3.6
10 Have all non-recommended alternatives been analyzed in sufficient detail? 4 3 4 3 4 4 4 3 4 1 34 10 3.4
11 What data can a consumer review or control? 4 3 3 4 2 4 4 1 1 3 29 10 2.9
12 What are some reasonable means of allowing consumers an opportunity to opt out? 4 3 3 4 4 3 3 4 3 4 35 10 3.5
13 How should data issues be coordinated internationally? 2 3 3 3 3 3 5 4 3 4 33 10 3.3
14 How legalistic can the consent process be? 4 4 3 4 4 4 1 3 1 3 31 10 3.1
15 Is the processor directly governed by the GDPR? 3 3 4 3 5 2 3 3 3 3 32 10 3.2
16 Can the system inspect file objects embedded in a database? 4 3 5 3 3 3 4 3 3 3 34 10 3.4
17 Does your organization have a secondary use strategy for the data? 3 4 4 4 3 4 4 3 4 4 37 10 3.7
18 Are information processing facilities implemented with redundancy to meet availability requirements? 3 3 4 1 3 4 4 3 3 2 30 10 3
19 Where is your data currently stored? 1 1 3 4 1 3 4 3 4 4 28 10 2.8
20 How are vendors disposing of data? 4 3 3 3 5 4 4 4 4 3 37 10 3.7
21 Do you currently have processes and resources in place that preserve copies of specific pieces of personal information that the business has collected about each consumer? 4 5 3 3 3 4 1 4 4 3 34 10 3.4
22 How do you better manage regulatory data requests or legal investigations? 4 3 3 3 5 4 4 4 4 3 37 10 3.7
23 Where is the data stored and how can it be accessed? 2 3 3 3 4 3 4 3 5 4 34 10 3.4
24 Are you subject to the general data protection regulation? 4 2 1 4 3 3 4 3 1 4 29 10 2.9
25 Did the consumer/ subject receive a functional copy of data at the end of the process? 4 3 3 3 4 4 4 3 4 4 36 10 3.6
26 Do staff have the necessary skills to collect, analyze, and report data? 3 3 4 2 4 4 3 4 4 4 35 10 3.5
27 What can / must you do with customer data? 3 4 4 3 4 5 4 3 3 4 37 10 3.7
28 What governance processes will be required within businesses? 3 4 4 4 4 3 3 4 4 2 35 10 3.5
29 How quickly must your organization notify affected consumers? 3 4 2 1 3 4 3 2 4 3 29 10 2.9
30 Who should own data decision making for your organization? 3 3 3 4 4 3 3 3 3 4 33 10 3.3
31 What about any marketing databases? 4 2 3 3 4 1 3 3 3 3 29 10 2.9
32 Is there a process defined and documented for determining competence for ISMS roles? 5 4 3 4 4 4 3 4 3 4 38 10 3.8
33 What is going on in the data management and analytics space in general now? 4 4 4 1 3 4 3 3 3 1 30 10 3
34 What is happening with the data? 4 3 3 1 4 3 3 4 4 3 32 10 3.2
35 What is the process for clients to share the information that is collected with you? 4 4 3 3 3 3 4 4 3 4 35 10 3.5
36 Have the types of risks that may impact California Consumer Privacy Act been identified and analyzed? 4 3 4 3 4 1 3 4 4 4 34 10 3.4
37 Does the business area have an inventory of where personal information is collected, stored, processed or managed? 4 3 2 3 3 3 4 3 1 4 30 10 3
38 Is there a transfer of the data, if so to what entity and where is that entity located? 3 4 4 5 1 4 3 3 3 3 33 10 3.3
39 Is there any data deletion option located in the account settings? 4 4 4 3 4 4 3 3 5 4 38 10 3.8
40 What are data subject access requests? 3 4 3 4 4 4 2 4 5 3 36 10 3.6
41 Does your organization track data sharing among employees? 3 3 4 5 4 2 3 3 4 4 35 10 3.5
42 What type and level of resources are required for operating and organizationalizing the database? 5 3 4 3 3 3 3 4 4 3 35 10 3.5
43 What qualifies as personal information? 3 4 3 4 2 3 3 1 3 3 29 10 2.9
44 What data has been collected and for what purpose? 4 3 4 3 4 4 4 3 4 3 36 10 3.6
45 What are your key California Consumer Privacy Act indicators that you will measure, analyze and track? 1 5 4 4 4 1 4 3 4 4 34 10 3.4
46 What technologies are used to identify sensitive data? 3 3 3 4 2 4 3 3 4 3 32 10 3.2
47 Is there any information in the privacy policy that introduces how to delete your account data? 4 4 3 3 3 3 4 3 5 4 36 10 3.6
48 Can there be any right of access to data from an antitrust point of view? 1 4 4 4 2 3 3 3 4 3 31 10 3.1
49 How does your organization cure data that has already been stolen? 1 4 4 3 2 3 4 3 2 4 30 10 3
50 How are cloud and container technologies enhancing enterprise data management capabilities? 4 3 4 3 4 1 4 4 2 3 32 10 3.2
51 Where can the tool detect sensitive data? 4 3 3 2 2 4 3 4 4 3 32 10 3.2
52 Do you track your customer data security requirements? 4 3 3 3 3 3 4 4 5 4 36 10 3.6
53 What is the process for coordinating policies within departments? 4 3 3 4 3 3 1 4 4 5 34 10 3.4
54 Where, how, and for how long is personal information being processed, stored, disclosed, or sold? 3 3 4 3 4 3 3 3 3 3 32 10 3.2
55 Are you selling business opportunities without knowing it? 4 3 4 2 3 3 4 5 3 3 34 10 3.4
56 Which processes developed between your organization and the press? 4 3 3 3 3 3 4 4 3 3 33 10 3.3
57 Which process owners will conduct the diligence for the requests? 3 3 3 3 3 3 4 4 1 3 30 10 3
58 Does California Consumer Privacy Act systematically track and analyze outcomes for accountability and quality improvement? 3 3 4 3 3 3 4 4 4 3 34 10 3.4
59 Are losses documented, analyzed, and remedial processes developed to prevent future losses? 5 3 2 3 3 4 3 3 2 3 31 10 3.1
60 Why should financial policymakers care about data rights? 3 4 4 4 3 4 4 4 4 5 39 10 3.9
61 Do you still need the equal credit opportunity act? 3 4 4 3 4 3 4 4 4 3 36 10 3.6
62 How often do you need to access your data? 4 4 4 4 4 4 4 4 4 3 39 10 3.9
63 Do you see the option to opt out of its marketing during the account creation process? 3 3 2 3 3 4 1 4 3 4 30 10 3
64 Is there a structured process for adding new alarms or modifying existing ones? 4 4 4 4 2 5 3 4 3 4 37 10 3.7
65 Do you quickly find data on any particular consumer? 4 5 3 3 3 4 4 4 1 4 35 10 3.5
66 What are the most important business processes? 4 2 4 1 4 4 4 3 4 3 33 10 3.3
67 Do you need any or all of the personal data? 4 2 3 5 3 4 3 4 3 4 35 10 3.5
68 What process exists for coordinating policies across departments? 3 3 4 3 3 3 4 4 3 3 33 10 3.3
69 How and where is the data hosted? 3 1 1 4 3 4 3 4 3 3 29 10 2.9
70 What data is it within do you have? 1 4 4 3 2 4 4 4 4 4 34 10 3.4
71 Why consider financial data separately from other types of data? 3 3 4 4 3 4 3 3 3 2 32 10 3.2
72 Does the policy cover contractual liabilities that result from a data security breach? 1 3 3 4 2 1 3 3 4 3 27 10 2.7
73 What is the primary change introduced by the general data protection regulation for processors? 4 4 4 3 4 4 4 4 3 4 38 10 3.8
74 Which technologies is your organization already using for data protection and privacy? 5 4 3 4 3 2 3 1 3 1 29 10 2.9
75 How do you identify and analyze stakeholders and their interests? 3 3 4 4 3 3 4 3 4 3 34 10 3.4
76 Does the CCPA allow an individual whose name is compromised through a data breach to seek statutory damages? 4 4 3 3 4 3 4 3 3 4 35 10 3.5
77 What about already existing processing operations? 4 3 1 2 4 4 4 3 3 4 32 10 3.2
78 What data do you collect, use, share and transfer? 3 4 3 4 3 3 4 3 3 4 34 10 3.4
79 What are the objectives of financial data policy? 4 3 4 1 2 4 4 3 4 4 33 10 3.3
80 How do estimates from different pollutant databases compare? 3 1 4 3 3 3 3 3 3 4 30 10 3
81 What data can a consumer turn off? 3 3 4 3 4 4 5 3 4 4 37 10 3.7
82 How should data be protected and by whom? 4 1 3 4 3 4 5 3 4 3 34 10 3.4
83 How much data do you create every day? 3 4 3 3 4 3 3 3 1 4 31 10 3.1
84 Does your organization have a data retention program? 3 4 4 3 3 3 4 4 4 3 35 10 3.5
85 What are the processes for translating each policy into concrete programs? 3 4 3 4 3 4 3 4 3 3 34 10 3.4
86 How should data rights be governed? 3 5 2 3 5 4 4 3 4 3 36 10 3.6
87 What happens if you sell your data? 3 3 4 4 4 3 3 4 4 2 34 10 3.4
88 Should your organization be able to charge the third party or individual for providing the data? 3 4 5 4 4 3 4 3 3 4 37 10 3.7
89 What elements do you capture in an inventory or data map? 4 2 3 4 3 1 1 4 3 4 29 10 2.9
90 What relationships do you have with service providers or third parties that involve personal data? 4 4 3 3 4 3 3 3 4 3 34 10 3.4
91 Has the meaning of big data changed? 1 3 3 3 4 3 3 4 4 2 30 10 3
92 What were the most important findings from your validation process? 4 4 3 2 3 3 3 4 4 5 35 10 3.5
93 How should data rights be regulated? 4 4 3 4 1 4 3 4 3 3 33 10 3.3
94 Are procedures in place for regularly testing data integrity and vulnerabilities? 3 4 2 3 3 4 3 3 1 3 29 10 2.9
95 What qualifies as personal information under the statute? 3 3 4 4 4 4 3 5 3 4 37 10 3.7
96 Which stakeholder characteristics are analyzed? 3 3 3 4 3 3 2 4 4 2 31 10 3.1
97 What capacities are required for operating and organizationalizing the database? 3 4 3 3 4 3 3 4 3 3 33 10 3.3
98 What are the trends in you and foreign data security compliance requirements? 4 4 5 1 3 2 4 4 3 3 33 10 3.3
99 Is data orchestration spreading? 4 4 5 3 4 1 3 2 4 3 33 10 3.3
100 Does the link in the privacy policy to the data deletion choice work? 3 4 4 4 4 3 4 3 3 1 33 10 3.3
101 Do you process personal information or is personal information processed on your behalf? 3 4 4 3 2 2 3 3 3 3 30 10 3
102 What is data processing and when does it take place? 4 4 3 5 3 3 4 4 3 4 37 10 3.7
103 What do you see as the biggest challenges for data privacy in your jurisdiction during the next decade? 4 3 4 3 4 4 4 4 1 3 34 10 3.4
104 What qualifies as personal data? 4 3 3 4 3 4 4 3 1 3 32 10 3.2
105 How could the data subjects be made whole or the potential harm reduced? 4 4 4 1 3 4 3 3 4 3 33 10 3.3
106 Are the data security measures you have taken adequate? 3 4 4 4 3 4 3 4 4 4 37 10 3.7
107 How do you update/move/delete consumer data? 3 4 3 4 4 3 4 3 5 3 36 10 3.6
108 What are the most efficient ways of securing data for a particular retention period? 4 2 1 3 4 4 2 4 4 4 32 10 3.2
109 Does your organization systematically track and analyze outcomes related for accountability and quality improvement? 4 3 4 4 3 4 4 5 3 4 38 10 3.8
110 Is your organization aggregating that data? 1 1 3 3 3 4 3 3 3 5 29 10 2.9
111 Are the provisions that govern the process of arranging and giving cautions appropriate? 3 3 2 3 2 3 5 3 4 4 32 10 3.2
112 How will new hire data be safeguarded? 4 4 4 3 3 3 3 3 3 5 35 10 3.5
113 How long do you need to store your data? 3 4 3 3 3 3 3 5 3 5 35 10 3.5
114 Has your organization adopted data discovery and classification technology? 4 3 3 3 4 3 3 3 4 3 33 10 3.3
115 Can organizations achieve success with the data governance initiatives? 4 3 3 4 3 1 3 4 1 3 29 10 2.9
116 Who is responsible and what are the penalties if there is a data breach? 3 4 4 4 4 4 3 4 3 3 36 10 3.6
117 Have the concerns of stakeholders to help identify and define potential barriers been obtained and analyzed? 3 4 5 3 3 4 3 4 4 3 36 10 3.6
118 Where did you get the data from and where is it stored? 4 3 4 4 1 4 4 3 4 3 34 10 3.4
119 Does your organization have effective processes in place to ensure that no actions are taken in violation of the privacy policy? 5 3 3 1 3 4 4 2 4 4 33 10 3.3
120 Who would contact affected data subjects and control any messaging? 4 4 2 4 2 3 5 4 4 4 36 10 3.6
121 Why are you requesting the data? 4 4 3 4 3 3 3 4 3 4 35 10 3.5
122 Is your senior management requesting more reports on data security than a year ago? 5 3 2 5 4 3 5 3 1 4 35 10 3.5
123 Does ServiceNow comply with data privacy laws like the GDPR, CCPA, and others? 3 3 5 4 4 3 4 4 3 4 37 10 3.7
124 Have you fully mapped your data? 4 2 2 4 4 4 4 3 4 4 35 10 3.5
125 Do you have a data privacy program in place? 3 4 3 4 3 4 3 3 4 4 35 10 3.5
126 What data do you hold from consumers and what benefits do consumers get from requesting access? 4 4 3 3 3 3 3 4 4 4 35 10 3.5
127 What is your verification process? 4 5 4 4 5 4 3 1 2 4 36 10 3.6
128 Does the privacy policy include any links to delete your account data? 4 4 4 4 3 4 1 1 3 2 30 10 3
129 How should financial data rights be regulated? 4 3 2 3 3 3 3 1 4 3 29 10 2.9
130 Why managing consumer privacy can be an opportunity? 3 3 3 1 3 4 5 5 3 3 33 10 3.3
131 Does the information fit the information needs that result from organization and management processes? 4 4 4 4 4 5 4 3 3 3 38 10 3.8
132 Is an improvement or modernization process in any way involved? 4 3 1 3 3 4 3 3 3 3 30 10 3
133 Does the CCPA allow an individual whose IP address is compromised through a data breach to seek statutory damages? 3 4 4 4 4 3 4 4 4 3 37 10 3.7
134 Who owns the data generated by the device/system? 4 4 4 3 3 3 3 4 3 4 35 10 3.5
135 Where will data governance be most successful? 3 3 4 1 3 5 3 5 3 3 33 10 3.3
136 What data dimensions are important for setting policy? 4 4 4 3 3 4 4 1 4 4 35 10 3.5
137 How will the California Consumer Privacy Act data be analyzed? 3 4 3 4 3 4 5 3 4 3 36 10 3.6
138 How do you help mitigate the risk of external threats & insider data breaches and losses? 4 4 4 3 5 4 3 3 4 2 36 10 3.6
139 Are you a processor in the meaning of the general data protection regulation? 3 1 1 3 3 5 3 1 2 4 26 10 2.6
140 Are processes automated to ease the fulfillment of consumer rights? 4 3 4 4 3 4 4 3 3 3 35 10 3.5
141 How should the implementation process be guided? 4 1 3 4 3 2 5 3 4 3 32 10 3.2
SCORE 487 474 470 462 465 476 486 473 459 477 4729 1410 3.4
5 Improve Participant 1 Participant 2 Participant 3 Participant 4 Participant 5 Participant 6 Participant 7 Participant 8 Participant 9 Participant 10 Total Count Avg
"In my belief, the answer to the following question is clearly defined:" 0 0 0
1 Are improved process (‘should be’) maps modified based on pilot data and analysis? 3 3 2 3 3 2 2 2 3 3 26 10 2.6
2 How can risk appetite inform your interpretation of each privacy regulation? 3 3 3 3 3 2 2 3 2 3 27 10 2.7
3 Is there a small-scale pilot for proposed improvement(s)? What conclusions were drawn from the outcomes of a pilot? 3 4 3 5 3 5 3 4 3 2 35 10 3.5
4 What does the ‘should be’ process map/design look like? 3 3 3 3 4 3 2 4 3 2 30 10 3
5 Is the implementation plan designed? 2 3 3 2 3 2 3 1 3 2 24 10 2.4
6 Describe the design of the pilot and what tests were conducted, if any? 2 2 2 2 3 1 3 3 3 2 23 10 2.3
7 Did good corporate governance improve organization performance during the financial crisis? 2 3 2 2 3 2 2 5 2 2 25 10 2.5
8 Can anything be deduced from your organization's evolution concerning possible resistance to solutions? 2 3 3 1 2 3 3 2 3 2 24 10 2.4
9 What are the risks of non compliance? 1 3 4 2 2 3 2 2 2 3 24 10 2.4
10 Are new and improved process (‘should be’) maps developed? 5 2 2 3 1 1 2 2 2 2 22 10 2.2
11 Do you have validation and sign off strategy for privacy risk mitigation and acceptance by the compliance team? 3 3 2 2 3 2 5 3 3 3 29 10 2.9
12 Does the policy cover regulatory proceedings that may result from a breach, including legal fees? 2 2 2 3 2 2 3 2 5 3 26 10 2.6
13 What is the implementation plan? 2 3 1 3 3 5 2 5 5 2 31 10 3.1
14 What communications are necessary to support the implementation of the solution? 1 2 3 5 3 3 5 2 2 3 29 10 2.9
15 Are possible solutions generated and tested? 2 2 2 5 2 2 2 2 2 2 23 10 2.3
16 Is the information security performance and effectiveness of the ISMS evaluated? 2 1 2 2 3 3 2 2 5 1 23 10 2.3
17 What error proofing will be done to address some of the discrepancies observed in the ‘as is’ process? 4 3 2 3 3 2 3 2 2 3 27 10 2.7
18 Is the policy documented and communicated to employees and relevant interested parties? 3 3 3 2 5 3 2 3 2 5 31 10 3.1
19 What tools were used to evaluate the potential solutions? 3 2 2 2 3 2 3 2 2 3 24 10 2.4
20 Is there a cost/benefit analysis of optimal solution(s)? 3 2 3 2 3 3 2 2 3 3 26 10 2.6
21 How does the solution remove the key sources of issues discovered in the analyze phase? 5 2 5 3 3 2 3 3 3 3 32 10 3.2
22 How should compliance be documented? 2 2 3 2 3 3 3 2 2 2 24 10 2.4
23 Can improving exchange mechanism provide consumers more control? 3 5 2 3 3 3 2 2 2 2 27 10 2.7
24 What attendant changes will need to be made to ensure that the solution is successful? 3 3 2 2 2 2 2 3 2 3 24 10 2.4
25 What method do you use to evaluate employees? 1 3 4 3 2 2 4 2 2 3 26 10 2.6
26 How is an employee evaluated and promoted? 5 3 2 5 2 2 2 3 2 3 29 10 2.9
27 Is a contingency plan established? 1 1 2 3 3 2 2 2 2 3 21 10 2.1
28 Is the optimal solution selected based on testing and analysis? 2 3 1 1 3 2 1 3 3 5 24 10 2.4
29 Does consumer information usage improve your organization's performance in the business-to-business market? 2 4 2 2 2 3 2 3 2 2 24 10 2.4
30 Were any criteria developed to assist the team in testing and evaluating potential solutions? 3 3 1 2 2 2 2 2 2 2 21 10 2.1
31 Are the best solutions selected? 3 3 3 5 3 3 2 2 3 3 30 10 3
32 Was a pilot designed for the proposed solution(s)? 2 2 2 1 3 3 4 2 2 4 25 10 2.5
33 What tools were used to tap into the creativity and encourage ‘outside the box’ thinking? 2 3 3 3 4 2 2 3 3 2 27 10 2.7
34 What decisions do policymakers need to make? 2 1 2 5 2 2 3 3 3 2 25 10 2.5
35 How are consumer concerns affecting the growth and development of online commercial activity? 3 3 3 3 3 2 3 2 2 3 27 10 2.7
36 What information do you need from your organization to make decisions? 2 2 3 3 1 3 3 5 3 3 28 10 2.8
37 Is pilot data collected and analyzed? 2 2 5 2 3 2 3 2 2 2 25 10 2.5
38 How did the team generate the list of possible solutions? 3 3 3 3 2 3 2 3 3 5 30 10 3
39 Are there any constraints (technical, political, cultural, or otherwise) that would inhibit certain solutions? 2 2 2 5 3 2 2 2 3 3 26 10 2.6
40 How will the team or the process owner(s) monitor the implementation plan to see that it is working as intended? 3 2 3 2 4 5 3 3 3 5 33 10 3.3
41 What are the risks of legacy personal information? 3 3 3 3 5 3 2 2 3 1 28 10 2.8
42 What lessons, if any, from a pilot were incorporated into the design of the full-scale solution? 2 3 2 2 2 2 3 2 2 3 23 10 2.3
43 How well do employees understand spoken information? 3 3 2 2 3 3 3 2 3 2 26 10 2.6
44 What were the underlying assumptions on the cost-benefit analysis? 2 3 2 1 2 3 3 4 3 2 25 10 2.5
45 Do you receive and retain the necessary information to support key business decisions and actions? 2 3 2 2 3 3 3 3 2 2 25 10 2.5
46 Why should you develop user centric privacy controls? 2 2 3 3 2 3 2 2 2 2 23 10 2.3
47 What is the risk of non compliance? 1 1 2 1 3 2 3 5 2 3 23 10 2.3
48 Has the level of risk been appropriately assessed and appropriate action taken? 1 3 1 2 2 2 3 2 2 3 21 10 2.1
49 What is California Consumer Privacy Act's impact on utilizing the best solution(s)? 2 2 3 2 3 1 3 3 2 3 24 10 2.4
50 What is the team’s contingency plan for potential problems occurring in implementation? 3 4 5 2 2 3 2 2 5 3 31 10 3.1
51 How and when will your organization or its environment be involved in the evaluation? 2 2 2 2 3 2 2 3 3 2 23 10 2.3
52 Who are the proponents and opponents of the various solutions, and what are arguments? 5 2 2 2 2 3 2 5 3 2 28 10 2.8
53 What tools were most useful during the improve phase? 2 3 2 2 3 3 2 4 3 5 29 10 2.9
54 How will the group know that the solution worked? 2 1 1 2 3 2 2 3 2 5 23 10 2.3
55 Is a solution implementation plan established, including schedule/work breakdown structure, resources, risk management plan, cost/budget, and control plan? 2 2 1 2 3 2 2 5 3 1 23 10 2.3
SCORE 136 141 135 143 151 138 140 152 146 150 1432 550 2.6
6 Control Participant 1 Participant 2 Participant 3 Participant 4 Participant 5 Participant 6 Participant 7 Participant 8 Participant 9 Participant 10 Total Count Avg
"In my belief, the answer to the following question is clearly defined:" 0 0 0
1 Is knowledge gained on process shared and institutionalized? 2 2 4 1 1 1 2 2 1 2 18 10 1.8
2 How should a universal choice mechanism be designed for consumers to control online behavioral advertising? 2 2 2 1 2 2 1 4 1 1 18 10 1.8
3 Is reporting being used or needed? 1 4 1 3 4 2 2 1 2 1 21 10 2.1
4 Are information systems regularly reviewed for technical compliance with policies and standards? 2 2 2 2 4 1 1 1 1 1 17 10 1.7
5 Do you have the internal resources and expertise to implement enhanced privacy controls? 2 1 1 1 1 1 2 2 5 1 17 10 1.7
6 How will new or emerging customer needs/requirements be checked/communicated to orient the process toward meeting the new specifications and continually reducing variation? 1 2 1 1 1 2 2 1 1 2 14 10 1.4
7 Is there a recommended audit plan for routine surveillance inspections of California Consumer Privacy Act's gains? 1 1 2 2 2 3 4 1 1 5 22 10 2.2
8 Is there a control plan in place for sustaining improvements (short and long-term)? 1 1 2 1 1 2 2 2 1 5 18 10 1.8
9 How do you monitor changes in data privacy and security laws? 2 4 1 2 2 1 4 1 2 1 20 10 2
10 Are documented procedures clear and easy to follow for the operators? 1 1 2 2 2 1 2 1 1 4 17 10 1.7
11 What key inputs and outputs are being measured on an ongoing basis? 1 2 1 2 1 2 1 2 2 2 16 10 1.6
12 Are suggested corrective/restorative actions indicated on the response plan for known causes to problems that might surface? 1 2 4 1 2 1 1 1 2 3 18 10 1.8
13 What is the recommended frequency of auditing? 3 2 2 1 2 1 2 2 2 1 18 10 1.8
14 Are new process steps, standards, and documentation ingrained into normal operations? 1 2 1 5 2 1 1 2 2 2 19 10 1.9
15 How is compliance with the contract monitored? 1 2 2 2 2 2 1 1 1 2 16 10 1.6
16 How are customer service performance measurements monitored and reported? 2 1 2 2 1 2 2 2 2 5 21 10 2.1
17 Are operating procedures consistent? 1 1 1 2 1 1 2 1 2 4 16 10 1.6
18 Do you have a compliance plan in place? 2 3 2 1 2 1 2 2 5 1 21 10 2.1
19 What other areas of the group might benefit from the California Consumer Privacy Act team’s improvements, knowledge, and learning? 1 1 5 4 2 1 1 2 5 2 24 10 2.4
20 How might the group capture best practices and lessons learned so as to leverage improvements? 2 1 1 1 2 1 3 5 1 2 19 10 1.9
21 When was the last time a plan was reviewed and possibly revised? 1 2 1 2 3 2 2 1 1 2 17 10 1.7
22 What is the legal standard for compliance? 2 1 1 2 4 1 2 1 2 2 18 10 1.8
23 What does your organization do to plan and prepare? 2 1 1 1 1 2 2 1 1 1 13 10 1.3
24 Who is the California Consumer Privacy Act process owner? 4 4 1 2 4 1 2 1 5 4 28 10 2.8
25 How will the process owner and team be able to hold the gains? 1 1 1 3 1 1 1 1 1 2 13 10 1.3
26 What is the reasonable standard of care for an AI system? 2 1 2 2 1 1 2 5 4 4 24 10 2.4
27 Who is the beneficiary of a qualified plan? 2 1 1 2 2 2 1 1 1 1 14 10 1.4
28 Is there a transfer of ownership and knowledge to the process owner and process team tasked with the responsibilities? 1 3 2 1 4 1 4 2 5 1 24 10 2.4
29 Has the improved process and its steps been standardized? 2 1 2 1 2 4 1 2 2 2 19 10 1.9
30 Is there a standardized process? 1 2 2 2 2 2 2 1 3 1 18 10 1.8
31 What makes risk based audit planning difficult? 2 5 1 2 2 2 2 4 1 2 23 10 2.3
32 Is new knowledge gained imbedded in the response plan? 2 1 1 2 2 2 1 1 1 1 14 10 1.4
33 Is there documentation that will support the successful operation of the improvement? 1 2 2 1 1 5 1 1 5 4 23 10 2.3
34 Does your organization monitor its employees on social media sites? 1 3 2 2 3 1 1 2 2 2 19 10 1.9
35 What should the next improvement project be that is related to California Consumer Privacy Act? 2 2 2 2 5 1 4 1 2 2 23 10 2.3
36 Have the coaches been provided with all the necessary forms and working plans? 2 2 2 2 2 2 1 1 2 1 17 10 1.7
37 Does the response plan contain a definite closed loop continual improvement scheme (e.g., plan-do-check-act)? 2 1 2 2 1 1 2 1 5 1 18 10 1.8
38 Does a troubleshooting guide exist or is it needed? 1 3 3 2 2 2 2 2 2 1 20 10 2
39 How will input, process, and output variables be checked to detect for sub-optimal conditions? 2 3 2 1 1 2 2 5 1 1 20 10 2
40 Is a response plan established and deployed? 4 2 5 1 1 1 1 1 2 2 20 10 2
41 What are the critical parameters to watch? 2 2 2 1 2 2 2 1 1 1 16 10 1.6
42 Do you have any plans to dispose of business interest during your lifetime? 2 1 3 2 1 2 2 2 2 2 19 10 1.9
43 What is a reasonable standard of care for an IoT device? 1 1 1 4 2 1 3 3 2 2 20 10 2
44 What is the process for monitoring and evaluating the implementation of each plan? 1 2 3 1 1 2 4 2 2 2 20 10 2
45 What is the control/monitoring plan? 2 4 2 2 4 2 2 2 1 2 23 10 2.3
46 How will report readings be checked to effectively monitor performance? 2 2 5 1 1 2 2 1 2 1 19 10 1.9
47 Are there documented procedures? 1 2 1 3 1 1 1 5 1 1 17 10 1.7
48 Is documented information retained as evidence of the results of monitoring and measurement? 1 2 2 3 2 4 1 2 1 1 19 10 1.9
49 Are changes planned and controlled, and unintended changes reviewed to mitigate any adverse results? 1 1 1 5 1 2 2 1 2 1 17 10 1.7
50 What quality tools were useful in the control phase? 1 1 1 1 2 2 1 2 1 2 14 10 1.4
51 Will any special training be provided for results interpretation? 1 2 1 2 1 2 2 2 3 2 18 10 1.8
52 Where are there synergies across the plans? 2 2 2 1 1 2 1 2 1 4 18 10 1.8
53 What other systems, operations, processes, and infrastructures (hiring practices, staffing, training, incentives/rewards, metrics/dashboards/scorecards, etc.) need updates, additions, changes, or deletions in order to facilitate knowledge transfer and improvements? 1 1 2 1 2 2 1 2 1 2 15 10 1.5
54 Do employees perceive group projects as positive learning experiences? 2 3 1 1 5 2 4 2 2 1 23 10 2.3
55 Does job training on the documented procedures need to be part of the process team’s education and training? 4 2 2 2 2 3 1 1 2 4 23 10 2.3
56 Is there a documented and implemented monitoring plan? 4 2 2 2 1 1 2 1 1 1 17 10 1.7
57 What are your plans for digitally transforming your organization? 2 1 1 1 2 2 2 2 1 1 15 10 1.5
58 Are the existing mechanisms for providing consumer control adequate? 3 1 2 1 2 1 2 5 1 4 22 10 2.2
59 What have clients learned from GDPR year one? 1 2 1 2 2 2 2 2 2 1 17 10 1.7
60 Is documented evidence retained to demonstrate that processes have been carried out as planned? 3 3 1 2 1 5 2 2 1 2 22 10 2.2
61 Is a response plan in place for when the input, process, or output measures indicate an ‘out-of-control’ condition? 1 1 1 1 1 1 5 1 1 3 16 10 1.6
62 Have new or revised work instructions resulted? 2 4 2 1 1 2 2 1 2 1 18 10 1.8
63 Does the California Consumer Privacy Act performance meet the customer’s requirements? 2 1 2 3 2 1 2 1 2 1 17 10 1.7
64 How far into the future and what sorts of plans? 2 1 1 1 4 2 2 1 1 2 17 10 1.7
65 What is the status of each plan? 1 5 1 5 4 1 1 1 1 2 22 10 2.2
66 How will the day-to-day responsibilities for monitoring and continual improvement be transferred from the improvement team to the process owner? 1 2 2 2 2 2 2 2 1 2 18 10 1.8
67 How will the process owner verify improvement in present and future sigma levels, process capabilities? 2 5 5 1 2 5 2 2 2 1 27 10 2.7
SCORE 115 134 125 124 133 121 129 122 128 133 1264 670 1.9
7 Sustain Participant 1 Participant 2 Participant 3 Participant 4 Participant 5 Participant 6 Participant 7 Participant 8 Participant 9 Participant 10 Total Count Avg
"In my belief, the answer to the following question is clearly defined:" 0 0 0
1 How will the customer right to deletion be ensured/addressed by third parties? 1 5 1 3 1 1 1 3 1 2 19 10 1.9
2 Have your vendors had any recent security incidents? 5 1 1 1 2 1 1 1 3 1 17 10 1.7
3 What is the service contract for? 1 1 2 1 1 1 1 1 1 1 11 10 1.1
4 What must businesses do to comply? 1 1 5 1 1 1 5 1 1 1 18 10 1.8
5 Has the impermissible use or disclosure compromised the security or privacy of the PHI? 1 1 3 1 1 4 1 5 1 1 19 10 1.9
6 How will businesses determine that a request for information received by a consumer is verifiable? 1 1 1 1 5 1 1 1 1 1 14 10 1.4
7 How can consumer products companies lead through innovation? 1 1 1 1 1 5 1 1 1 1 14 10 1.4
8 Do your vendor contracts comply with CCPA? 1 1 1 1 3 1 1 1 1 1 12 10 1.2
9 How do third parties handle your information? 3 1 1 1 1 1 5 1 1 1 16 10 1.6
10 How does your organization distinguish itself from others? 1 1 1 1 1 1 1 1 3 5 16 10 1.6
11 Is there a policy for the use of cryptography and key management? 4 1 1 1 1 1 1 5 1 2 18 10 1.8
12 What factors affect consumer name removal preferences? 2 1 1 1 3 1 1 1 1 1 13 10 1.3
13 Does the message show the role of the target groups in and for your organization? 4 1 1 1 3 1 2 1 1 1 16 10 1.6
14 Who is responsible for the communication tool? 1 1 4 1 1 1 1 3 1 1 15 10 1.5
15 Can a consumer request that your organization delete the information? 5 4 1 1 5 1 1 3 1 1 23 10 2.3
16 Do you understand your management processes today? 1 1 1 1 1 1 1 1 1 1 10 10 1
17 How do you use your personal information? 1 1 5 1 1 2 1 1 1 3 17 10 1.7
18 Does your organization utilize a backup system? 1 3 1 3 3 1 1 1 1 1 16 10 1.6
19 What information does the consumer notice have to include? 1 1 1 1 1 1 1 1 1 1 10 10 1
20 What do you do when your employee says the information on the notice is wrong? 1 1 1 1 2 1 3 1 1 1 13 10 1.3
21 Why do you care so much about privacy? 1 1 1 1 1 1 1 1 3 1 12 10 1.2
22 What could be gained by the consumer as participant perspective? 1 4 1 5 2 1 1 3 1 1 20 10 2
23 What kind of ongoing obligations do other organizations have? 1 1 4 1 1 1 1 4 1 1 16 10 1.6
24 Are the services and/or the providers appropriate for the task? 1 4 3 1 1 1 1 1 1 1 15 10 1.5
25 What checks and balances are in place for employee/individual/organizational accountability? 5 5 1 1 1 1 4 1 1 1 21 10 2.1
26 Does the business's interpretation of the exceptions always win? 2 1 1 1 1 1 1 1 1 1 11 10 1.1
27 What kind of information is covered? 1 1 4 1 1 2 1 1 3 1 16 10 1.6
28 What is considered personal information? 1 1 1 1 1 1 1 1 1 1 10 10 1
29 Did you overestimate the role of social preferences? 1 2 1 1 2 1 3 3 1 5 20 10 2
30 Does GDPR apply to your organization? 1 5 1 1 1 1 1 1 1 1 14 10 1.4
31 Are you responsible for information collected about a large number of consumers? 1 1 1 4 1 1 1 1 1 1 13 10 1.3
32 Which communication tool does your organization prefer, and why? 1 1 1 3 1 1 1 1 1 1 12 10 1.2
33 Does the message show where your organization is going and how it is doing? 1 1 5 1 1 1 5 1 1 1 18 10 1.8
34 How do you execute that response wherever the personal information is located? 1 1 1 1 1 1 1 1 1 1 10 10 1
35 Who in a democracy is opposed to freedom of information? 1 1 5 1 1 1 1 1 1 1 14 10 1.4
36 Where have the virtues of care and compassion gone? 1 1 3 1 1 1 1 1 1 1 12 10 1.2
37 Is Smartsheet compliant with the GDPR and the CCPA? 3 1 4 1 3 1 1 1 1 1 17 10 1.7
38 What sectors within consumer products are performing particularly well right now and why? 2 4 2 1 1 1 1 1 1 1 15 10 1.5
39 Does the business have to be within your organization? 5 1 1 1 1 1 1 1 1 1 14 10 1.4
40 How do you collect consumer personal information? 1 1 1 1 5 1 1 3 1 1 16 10 1.6
41 What are subject rights requests? 1 1 2 1 1 1 1 1 1 1 11 10 1.1
42 What are the new privacy rights? 1 4 4 1 1 1 3 1 1 1 18 10 1.8
43 Is the influence of privacy and security on online trust the same for all type of consumer? 1 1 1 1 1 4 3 1 1 1 15 10 1.5
44 Are you retaining a service provider? 1 1 1 1 1 1 3 1 1 4 15 10 1.5
45 What conflict strategy styles does your organization employ? 1 1 4 1 1 3 4 1 1 1 18 10 1.8
46 What place do ethics have in business? 1 1 1 1 1 1 3 1 1 1 12 10 1.2
47 What can businesses do to prepare? 1 1 1 1 1 1 1 1 1 1 10 10 1
48 How have the authorities and responsibilities of the staff been arranged? 1 4 1 1 1 1 1 1 1 2 14 10 1.4
49 What are the California Consumer Privacy Act security risks? 1 1 1 2 1 1 1 1 1 1 11 10 1.1
50 Does your organization have a unique characteristic or capability? 1 1 1 1 1 1 1 2 1 2 12 10 1.2
51 Are you currently covered by the HIPAA rules, as a covered entity or business associate? 1 1 1 1 1 1 2 1 1 1 11 10 1.1
52 How will personal information be used? 1 1 3 1 2 3 4 1 1 1 18 10 1.8
53 Has there been unauthorised access to, disclosure or loss of personal information? 1 1 1 1 1 3 1 1 1 1 12 10 1.2
54 Who are the California Consumer Privacy Act decision-makers? 1 1 1 1 2 1 1 1 1 1 11 10 1.1
55 How well do consumers protect themselves from identity theft? 3 1 1 1 1 2 1 3 1 1 15 10 1.5
56 How do you collect your personal information? 1 1 1 1 5 1 5 1 1 1 18 10 1.8
57 What level of consent has been sought from the consumer or user? 2 1 1 1 1 1 1 3 1 3 15 10 1.5
58 What specific techniques and/or appeals did you use to try to sell your product? 1 1 1 1 1 1 2 1 1 1 11 10 1.1
59 Are the various social work techniques evident in conducting the social investigation? 1 1 1 3 1 1 1 4 1 2 16 10 1.6
60 Where should financial policymakers seek to change or clarify rights or constraints? 2 1 5 3 2 1 1 1 3 4 23 10 2.3
61 How should revised expectations be trained across your organization? 1 1 3 1 1 1 1 1 1 1 12 10 1.2
62 Has the mobility access manager been enabled for each mobility user in your organization? 1 1 1 1 1 1 1 1 1 4 13 10 1.3
63 When denying a request to know or delete, how specific does the reason provided to the requester have to be? 1 1 1 1 1 1 1 1 1 1 10 10 1
64 Have you filled in all the information requested? 3 1 1 1 1 5 1 1 1 1 16 10 1.6
65 Do companies use always on device to authenticate consumers? 1 1 1 1 1 1 1 1 1 1 10 10 1
66 What are the daily routines of your organization? 5 1 1 1 1 1 1 1 1 1 14 10 1.4
67 When should a process be art not science? 1 1 1 5 1 1 5 4 1 5 25 10 2.5
68 Can organizations address privacy concerns through procedural fairness? 2 3 1 1 1 1 1 4 1 1 16 10 1.6
69 Who pays the cost? 1 2 1 1 1 1 1 1 1 3 13 10 1.3
70 Should CCPA regulated businesses execute CCPA compliant agreements with service providers? 5 1 1 1 1 3 1 1 1 1 16 10 1.6
71 How many employees will be involved in using the program materials? 1 1 1 1 1 1 1 1 4 1 13 10 1.3
72 How do always on consumer devices operate? 1 1 4 2 1 1 1 1 5 1 18 10 1.8
73 How many total consumer records do you have? 5 1 1 5 1 1 1 1 4 1 21 10 2.1
74 Does anyone read online privacy policies? 1 4 1 1 2 1 1 1 1 1 14 10 1.4
75 Are there consumer privacy considerations and if so, how are they being managed? 1 2 1 1 1 4 1 1 1 1 14 10 1.4
76 Who must provide the initial privacy notice? 1 1 1 1 1 1 1 1 1 1 10 10 1
77 What constitutes an affirmative act? 1 1 5 1 1 1 3 3 1 1 18 10 1.8
78 Do employees' perceptions of group experiences change after participating in a group project? 5 1 1 1 1 1 4 3 1 1 19 10 1.9
79 Did the product fail to comply with government safety regulations? 1 2 1 1 1 1 4 1 1 1 14 10 1.4
80 What challenges have you encountered in getting your organization to comply with laws? 4 1 1 1 1 1 2 1 1 4 17 10 1.7
81 How great a demand do you make on the time of employees? 5 1 3 1 1 1 1 1 5 2 21 10 2.1
82 Does the CCPA affect your business? 1 1 3 1 1 1 1 1 1 1 12 10 1.2
83 What is done with the new hire information? 1 1 1 1 1 2 1 1 5 1 15 10 1.5
84 Which privacy laws apply to your organization? 1 1 1 1 1 1 1 1 1 1 10 10 1
85 Is there an official model privacy notice? 1 1 1 1 1 5 3 1 1 1 16 10 1.6
86 What will you entrust to a third party service provider? 1 1 1 1 1 5 1 1 1 1 14 10 1.4
87 Are there any exceptions for small companies? 1 1 1 1 1 1 1 2 1 1 11 10 1.1
88 What type of information is protected? 1 1 1 1 5 1 1 1 1 4 17 10 1.7
89 Will CCPA become a catalyst that finally brings attention and funding to neglected information governance programs? 1 1 2 1 3 2 1 2 1 1 15 10 1.5
90 What steps do you take to reduce barriers and increase employee attendance and capture rate? 1 1 1 1 1 1 1 1 2 1 11 10 1.1
91 What is design in privacy by design? 2 1 1 1 1 1 1 1 1 5 15 10 1.5
92 Why did the employee revolt break out? 1 1 1 1 4 1 3 5 1 1 19 10 1.9
93 Should you wait to see if CCPA is amended? 5 1 1 1 1 4 1 4 1 3 22 10 2.2
94 Does GDPR compliance cover CCPA? 4 1 1 1 2 4 1 1 5 1 21 10 2.1
95 Are you able to track the various metrics related to the service of requests? 1 3 3 1 1 1 1 1 1 5 18 10 1.8
96 Does the CCPA apply to employer employee relationships? 1 1 4 1 1 1 1 1 4 3 18 10 1.8
97 How is your organization handling consumer privacy and communication preferences? 1 1 5 1 1 1 1 1 1 1 14 10 1.4
98 What are the differences between primary and secondary uses of personal information? 1 1 1 1 1 1 1 1 1 5 14 10 1.4
99 What amounts are considered income for your employee? 1 1 1 1 4 1 1 1 1 1 13 10 1.3
100 How do you involve your organization? 1 1 5 1 1 1 1 1 3 1 16 10 1.6
101 What types of personal information do you collect? 1 1 3 2 1 1 1 1 1 1 13 10 1.3
102 Does your organization have the appropriate agreements in place? 1 2 1 1 1 1 1 1 1 1 11 10 1.1
103 Does CCPA apply to your organization? 1 1 1 1 1 2 1 1 5 1 15 10 1.5
104 Is CCPA applicable to B2B industries? 1 1 1 1 1 1 1 1 1 1 10 10 1
105 Has your organization reviewed how you obtain consent from customers, prospects and others? 1 1 1 1 2 1 4 1 1 1 14 10 1.4
106 How easy is it to make requests? 1 1 1 1 1 1 1 1 5 3 16 10 1.6
107 Does the privacy policy include any links to marketing opt outs? 1 1 1 1 1 1 1 1 1 1 10 10 1
108 What makes permission marketing effective in influencing consumer interest and behavior? 2 1 5 1 1 1 1 3 1 2 18 10 1.8
109 Does your website or app have visitors from California? 1 1 1 1 1 1 4 1 1 1 13 10 1.3
110 Are there any products or services in your organization which are of lower quality? 1 5 1 1 4 1 1 1 1 1 17 10 1.7
111 How should CCPA compliance be future proofed? 5 3 1 1 1 1 1 1 1 4 19 10 1.9
112 What gaps do you still see in aligning security and privacy? 3 1 5 2 1 1 1 1 1 1 17 10 1.7
113 Is the desired behavior realistic, given your organization's policy, culture, and structure? 1 1 4 3 1 1 1 1 1 1 15 10 1.5
114 How do you protect collected personal information? 5 1 1 1 2 1 1 1 1 2 16 10 1.6
115 Why do you care so much what other people think? 3 1 1 1 1 1 4 1 1 1 15 10 1.5
116 How should notices be written and presented on your organization website or app? 1 4 5 1 1 5 1 1 1 1 21 10 2.1
117 Do you correct or update your information? 1 2 1 1 1 1 1 1 1 1 11 10 1.1
118 Do you follow cybersecurity norms and best practices? 2 1 5 4 1 1 1 4 1 1 21 10 2.1
119 Are you able to work occasional weekend hours? 1 1 1 1 1 1 5 1 1 1 14 10 1.4
120 What line of business does your organization belong to? 1 1 1 1 1 1 3 1 4 1 15 10 1.5
121 How does CCPA compliance relate to GDPR compliance? 1 1 1 4 4 3 1 1 3 1 20 10 2
122 What information should the regulated organization provide to the appraiser upon engagement? 1 1 1 1 1 1 1 1 1 1 10 10 1
123 Does your organization have an online catalog of goods? 1 2 3 1 1 1 1 1 1 5 17 10 1.7
124 Who should determine access to adoption records? 2 1 1 1 1 1 4 1 1 1 14 10 1.4
125 Are there more privacy laws coming? 1 1 1 4 4 1 5 1 1 1 20 10 2
126 What is the difference between organizational culture and organizational climate? 1 1 1 3 1 1 1 1 1 1 12 10 1.2
127 What do you know about your organization? 1 5 4 1 1 1 1 1 1 1 17 10 1.7
128 How do you care for frontline care workers? 2 1 1 1 1 1 1 1 3 2 14 10 1.4
129 Who in your organization provides oversight of your security program? 1 1 1 1 1 1 1 1 1 1 10 10 1
130 Who will see the personal information that is collected? 1 1 1 1 1 1 4 5 1 1 17 10 1.7
131 How will the employees work follow or complement others work? 1 1 1 1 1 1 2 2 1 5 16 10 1.6
132 What is your organization's mission? 1 3 1 1 1 4 1 1 1 1 15 10 1.5
133 What about privacy and security laws in the rest of the world? 1 1 1 3 2 1 1 2 1 1 14 10 1.4
134 How do you opt in to a product telling the manufacturer that it burned out? 1 1 3 1 1 1 1 1 1 1 12 10 1.2
135 Who are the California Consumer Privacy Act decision makers? 1 3 4 1 1 4 1 1 1 1 18 10 1.8
136 Who is stealing your information? 1 1 1 1 1 1 1 1 1 1 10 10 1
137 What information does HIPAA protect? 1 5 1 1 1 1 3 5 1 2 21 10 2.1
138 Who does the majority of unpaid work? 3 1 1 1 1 1 4 1 4 1 18 10 1.8
139 How will you authenticate the identity of the person making the request? 1 1 4 1 3 1 1 1 1 1 15 10 1.5
140 Does the act cover small businesses? 4 1 1 1 5 1 1 2 1 1 18 10 1.8
141 Who is responsible for implementing the policy? 1 1 1 1 1 1 1 1 1 1 10 10 1
142 Do you disclose categories of personal information collected and the purpose of collection? 1 1 1 3 1 2 1 1 1 1 13 10 1.3
143 How is it all linked together for production? 1 1 3 1 1 1 1 1 1 1 12 10 1.2
144 Who is protected and what type of information is protected? 1 1 1 1 2 1 1 1 1 1 11 10 1.1
145 Does the privacy rule apply to your trust operations? 1 1 1 1 1 1 1 1 1 5 14 10 1.4
146 Is your organization privately held? 1 3 1 1 1 3 1 1 2 1 15 10 1.5
147 How does GDPR compliance intersect with CCPA? 1 1 1 4 1 1 1 1 1 1 13 10 1.3
148 What is the environment other organizational units, other organizations, sphere of social influence? 1 1 1 1 1 1 3 1 1 1 12 10 1.2
149 What factors determine how soon you will make contact? 1 1 1 1 1 2 1 1 2 1 12 10 1.2
150 Are there fixed procedures within your organization? 1 1 1 1 1 1 1 1 2 1 11 10 1.1
151 Why is consumer privacy important? 1 1 1 1 1 2 1 1 1 1 11 10 1.1
152 What does CCPA cover in terms of protections for consumers? 1 1 1 1 1 1 1 1 1 1 10 10 1
153 When might a vendor also be your organization? 1 1 1 1 1 1 3 4 4 1 18 10 1.8
154 What steps does your organization take now to prepare for compliance? 1 2 1 5 1 1 1 1 1 1 15 10 1.5
155 Which would lead you to most trust that brand with your personal information? 1 1 1 1 1 1 5 1 1 1 14 10 1.4
156 Are the risks fully understood, reasonable and manageable? 1 1 1 1 3 1 1 1 1 2 13 10 1.3
157 How will corresponding data be collected? 1 3 1 1 1 1 1 1 1 5 16 10 1.6
158 Who owns what data? 3 1 2 4 1 1 1 1 1 1 16 10 1.6
159 Can consumer privacy concern be a thorn for loyalty programs? 1 5 1 3 1 1 1 1 1 1 16 10 1.6
160 How were all companies dealing with subject access requests? 1 1 1 1 1 1 1 2 1 1 11 10 1.1
161 Do the viable solutions scale to future needs? 2 1 1 1 1 1 1 1 5 1 15 10 1.5
162 How is CCPA different than GDPR? 1 1 1 1 1 1 1 1 1 1 10 10 1
163 What is GDPR and how does it relate to CCPA? 3 1 1 1 1 2 1 1 1 1 13 10 1.3
164 What are the specific, unique characteristics of your organization? 1 1 1 1 1 3 1 1 1 1 12 10 1.2
165 Has the mobility access manager been enabled for the entire firm? 1 2 1 1 1 5 1 1 3 1 17 10 1.7
166 Who is involved in the management review process? 1 1 1 1 1 1 1 1 1 1 10 10 1
167 What type of research resources do you have access to? 2 1 1 1 1 1 1 1 3 1 13 10 1.3
168 How do your values best show care for the clients' wellbeing? 2 1 1 1 1 1 1 2 1 1 12 10 1.2
169 Does the CCPA apply to your firm? 1 1 1 1 2 1 1 4 1 1 14 10 1.4
170 Are the investigators collecting only the minimum necessary PHI to carry out the investigation? 1 1 1 1 1 1 1 3 1 1 12 10 1.2
171 How do you modify your privacy policy? 1 1 1 1 1 1 1 1 1 1 10 10 1
172 How is personal information stored and maintained? 1 1 1 1 1 1 1 1 1 1 10 10 1
173 How much will companies be fined for noncompliance? 1 3 1 1 1 1 1 1 1 1 12 10 1.2
174 When did the Central Board of Revenue Act come into force? 2 1 1 1 2 1 1 1 1 1 12 10 1.2
175 How should corporations manage information privacy policies? 1 1 1 5 1 1 2 1 1 1 15 10 1.5
176 Which characteristics enhances the quality of information? 1 5 1 1 1 1 3 1 3 1 18 10 1.8
177 Do the CCPA's statutory damages apply to service providers? 1 1 1 1 1 1 1 1 5 1 14 10 1.4
178 Do you want your vendor to be a service provider? 3 2 1 1 2 1 1 4 3 1 19 10 1.9
179 What are the challenges in maintaining a privacy program? 1 1 1 3 1 1 1 1 1 1 12 10 1.2
180 Is there a written policy/strategy on alarms? 1 4 4 3 1 1 1 1 1 1 18 10 1.8
181 Do you have the optimal project management team structure? 1 3 1 1 1 4 4 1 1 1 18 10 1.8
182 Is an intermediary your organization? 1 1 1 1 1 1 1 1 1 4 13 10 1.3
183 Can a consumer opt in to personalized digital advertising in exchange for free or discounted news? 1 1 1 1 1 1 2 1 1 1 11 10 1.1
184 How do you simplify consumer choice? 1 1 1 3 1 1 1 1 1 4 15 10 1.5
185 What should be part of your compliance strategy? 1 1 1 1 1 1 5 1 1 1 14 10 1.4
186 What is the California Consumer Privacy Act business impact? 1 5 1 2 1 3 1 1 1 3 19 10 1.9
187 How will individual rights requests be received by your organization? 3 1 1 1 5 1 1 1 1 3 18 10 1.8
188 How will CCPA affect supply chain management? 1 1 1 1 1 1 1 1 4 5 17 10 1.7
189 Does the breach or potential breach involve personal information? 1 1 1 1 1 3 1 1 1 1 12 10 1.2
190 What does lost information look like? 1 1 1 1 1 1 2 1 1 1 11 10 1.1
191 How, and how often, will you report to the client and your organization? 1 1 3 5 1 1 1 1 4 1 19 10 1.9
192 Who do you share your information with? 1 1 1 1 3 1 1 2 1 1 13 10 1.3
193 Does your organization always have to comply with a consumer deletion request? 1 5 1 1 1 1 1 2 1 5 19 10 1.9
194 How to demonstrate reasonable security procedures? 1 1 4 1 1 1 4 1 1 2 17 10 1.7
195 How long does your organization have to respond to a verifiable consumer request? 1 1 2 1 1 2 1 4 5 5 23 10 2.3
196 Is it acceptable to have the information available on request or must it be prominently displayed? 1 4 1 1 1 1 1 1 1 5 17 10 1.7
197 Have you updated your service provider contracts? 1 2 1 1 1 1 1 1 1 1 11 10 1.1
198 What contract provisions should you be putting in place with service providers? 1 1 1 1 1 1 1 1 1 5 14 10 1.4
199 What about labor organizations and hiring halls? 1 1 1 1 1 1 1 1 1 1 10 10 1
200 How is it used to perform the services? 1 2 1 1 3 5 1 4 1 1 20 10 2
201 Who will facilitate the team and process? 1 1 1 1 5 1 4 1 1 1 17 10 1.7
202 How is the personal information managed and stored? 4 1 4 1 1 1 1 1 1 1 16 10 1.6
203 How do you use your information? 3 1 1 1 1 1 2 1 1 1 13 10 1.3
204 Who will have access to the information? 1 1 1 1 1 1 3 1 1 4 15 10 1.5
205 What rights do individuals have to access PHI? 1 1 5 1 1 1 4 1 1 1 17 10 1.7
206 Do any of the links in the privacy policy to the marketing opt outs work? 1 1 1 1 1 1 1 1 2 1 11 10 1.1
207 What can regulated businesses do to prepare? 1 1 1 1 1 1 1 1 1 1 10 10 1
208 Have you reviewed your security practices and procedures? 1 1 1 1 1 1 1 1 1 2 11 10 1.1
209 What assumptions are made about the solution and approach? 1 4 3 1 1 1 5 1 4 1 22 10 2.2
210 What do you anticipate will be early areas of legal enforcement and what are the deadlines on compliance? 1 1 1 1 1 1 1 5 1 1 14 10 1.4
211 How do consumers know that you are going to do all of that? 1 1 1 1 1 1 1 1 1 1 10 10 1
212 What was the fixed production overhead capacity variance? 1 2 1 1 1 1 1 1 1 3 13 10 1.3
213 What aspects of your privacy policies and practices must your notice address? 1 1 2 2 1 4 1 1 1 1 15 10 1.5
214 How will you handle incomplete requests? 1 1 1 1 1 1 1 1 1 1 10 10 1
215 What privacy principles should you follow? 1 5 1 1 1 2 5 1 1 1 19 10 1.9
216 Will the information that you provide be provided or sold to other companies? 1 1 1 2 4 1 2 1 1 1 15 10 1.5
217 What personal information is being collected? 1 1 3 3 1 1 4 1 4 1 20 10 2
218 Is it a for profit organization? 1 2 1 1 1 1 1 1 1 4 14 10 1.4
219 Has your organization more than one geographical location? 1 1 1 1 1 3 3 1 1 1 14 10 1.4
220 What do you worry about most in security? 1 1 1 1 1 1 1 1 5 1 14 10 1.4
221 What are the penalties for non compliance? 5 1 1 1 1 1 1 1 1 1 14 10 1.4
222 Do you maintain audit trails for request fulfillment for audit purposes? 1 1 4 1 1 1 1 1 1 1 13 10 1.3
223 Can a consumer request that your organization delete the personal information? 1 1 1 3 1 1 1 1 1 1 12 10 1.2
224 Do you know where the personal information goes? 1 3 4 5 1 1 1 1 4 1 22 10 2.2
225 What kind of customer notice must you provide? 1 1 1 1 1 1 1 1 1 3 12 10 1.2
226 What are the elements of the right of consumer information privacy? 1 1 1 1 4 1 1 1 1 1 13 10 1.3
227 Does the CCPA affect your organization? 1 1 5 1 1 1 1 1 1 5 18 10 1.8
228 Do you combine payments from different employees into the same check? 1 1 1 1 1 4 1 1 1 1 13 10 1.3
229 What was the labor efficiency variance? 1 2 1 1 1 1 1 1 1 4 14 10 1.4
230 What exceptions exist for companies? 1 1 1 1 3 1 4 1 1 1 15 10 1.5
231 What have other organizations done with all that money? 4 1 1 1 1 2 2 1 1 1 15 10 1.5
232 Do you search for the personal information? 1 1 3 1 1 2 1 1 1 1 13 10 1.3
233 Does the GDPR apply to your you based organization? 2 1 1 1 1 1 1 3 1 1 13 10 1.3
234 What is the source for personal information? 1 1 5 1 5 1 1 1 1 1 18 10 1.8
235 Why should merchants care about consumer privacy? 1 1 1 1 1 1 1 1 1 5 14 10 1.4
236 What kinds of companies are affected? 1 2 5 1 1 1 1 5 1 1 19 10 1.9
237 What determines business fixed investment? 1 1 4 1 1 1 1 2 1 1 14 10 1.4
238 Is the opposition subject to mediation? 1 2 1 1 1 1 1 1 2 1 12 10 1.2
239 Do people have the necessary supports in place to benefit from the services that are being provided? 2 4 1 1 5 1 4 1 1 1 21 10 2.1
240 Do companies have to flow down deletion requests to service providers? 1 1 1 1 1 1 5 1 1 1 14 10 1.4
241 How well do employees communicate in writing? 5 1 1 2 5 1 1 1 1 1 19 10 1.9
242 What is the driving force behind your organization? 1 1 1 1 1 1 1 1 1 1 10 10 1
243 What personal information do you collect? 1 1 1 3 1 1 1 1 1 1 12 10 1.2
244 Are customers notified of policy changes? 1 1 4 1 1 1 1 1 1 1 13 10 1.3
245 How does brand misconduct affect the brand consumer relationship? 1 2 2 1 2 1 1 1 1 1 13 10 1.3
246 What gets examined? 1 1 1 1 2 4 5 1 3 1 20 10 2
247 Should CCPA extend to your entire customer base? 1 1 1 1 1 1 1 1 1 1 10 10 1
248 What is a sale of personal information? 1 1 1 5 1 4 2 1 5 1 22 10 2.2
249 Can you integrate quality management and risk management? 3 1 1 5 1 1 1 1 4 1 19 10 1.9
250 What are the financial penalties that any size of business may face? 1 1 5 1 1 4 4 5 1 1 24 10 2.4
251 What methods may you use to report new hire information? 1 2 1 1 1 1 1 1 3 1 13 10 1.3
252 How do you as an individual fit in all organizations? 5 1 1 1 1 1 1 4 1 1 17 10 1.7
253 What is a worst-case scenario for losses? 1 1 4 1 1 3 4 2 2 1 20 10 2
254 What constitutes personal information? 5 1 5 1 1 1 1 3 1 1 20 10 2
255 Are employees from other businesses consumers? 1 1 1 5 2 1 1 1 1 1 15 10 1.5
256 How far out should the next level center be? 1 1 4 1 1 1 2 1 1 1 14 10 1.4
257 Are tech companies destroying consumer privacy? 1 1 1 5 1 1 3 1 4 1 19 10 1.9
258 What personal information is covered? 1 1 1 1 1 1 1 1 1 1 10 10 1
259 Are you an international employee? 1 3 1 1 1 1 1 1 1 1 12 10 1.2
260 How will the information be stored during the investigation? 1 1 1 1 1 1 1 1 1 3 12 10 1.2
261 What businesses are subject to the GDPR? 1 1 1 1 1 1 1 1 1 1 10 10 1
262 What are the California Consumer Privacy Act design outputs? 1 1 1 1 1 1 1 1 1 4 13 10 1.3
263 Do third parties manage information for the business area? 4 1 5 1 1 1 1 1 1 4 20 10 2
264 What consumer personal information do you sell, if any? 1 1 1 4 1 1 1 2 1 1 14 10 1.4
265 Is everyone informed about your organization's objectives? 1 3 1 1 5 1 1 4 1 2 20 10 2
266 How do you set it up in a commercial world where it works to the consumer's satisfaction and yet still works? 1 1 1 1 1 3 1 1 1 1 12 10 1.2
267 What should employers do about the California Consumer Privacy Act? 1 1 1 1 1 1 1 1 1 1 10 10 1
268 Can affiliates be part of a single business? 1 1 1 1 1 1 1 1 1 1 10 10 1
269 Is there an independent review of information security? 1 4 1 1 1 1 1 1 1 1 13 10 1.3
270 How do you build the right business case? 1 2 1 4 1 1 1 1 1 1 14 10 1.4
271 Are your organization's values and norms expressed in communication behavior? 1 1 1 1 1 3 1 5 1 1 16 10 1.6
272 Should CCPA formulate a response? 1 1 1 1 1 1 1 1 3 1 12 10 1.2
273 How often is systems access reviewed and individual access rights updated? 1 1 1 2 1 1 1 1 5 1 15 10 1.5
274 Does the repository type change the capabilities of the tool? 1 3 1 1 2 4 1 1 1 2 17 10 1.7
275 Are some elements different for privacy versus a records management inventory? 1 1 1 1 1 1 1 1 1 1 10 10 1
276 Has the pclaw link as a service been installed? 1 2 1 5 1 1 1 1 1 1 15 10 1.5
277 Does your organization have an updated privacy notice? 1 4 1 1 1 1 1 1 5 1 17 10 1.7
278 How are you accountable for privacy information? 3 1 1 2 1 1 1 1 1 2 14 10 1.4
279 What is the primary location of your organization's headquarters? 1 1 1 1 1 1 1 1 1 1 10 10 1
280 How do you calculate the maximum to withhold for an employee? 1 4 1 1 1 2 1 4 1 1 17 10 1.7
281 How many consumers would likely choose to avoid receiving targeted advertising? 3 1 1 3 1 1 1 4 1 2 18 10 1.8
282 What users will be impacted? 1 1 1 1 1 1 1 1 2 3 13 10 1.3
283 Which of the different theories of consumer confusion are implicated by facts? 1 1 2 1 1 1 1 1 1 2 12 10 1.2
284 What was the value of the closing work in progress for last period? 1 1 5 1 4 1 1 1 1 1 17 10 1.7
285 How can you better manage risk? 1 1 1 1 1 1 1 1 3 1 12 10 1.2
286 What are you doing with your personal information? 1 1 1 1 1 1 2 1 1 1 11 10 1.1
287 What is next for the financial services industry? 1 1 5 1 1 2 1 1 1 1 15 10 1.5
288 How do you build privacy by design into an AI/IoT device? 1 1 1 1 1 1 1 4 1 5 17 10 1.7
289 What products/services is your organization looking to introduce/eliminate in the near future? 1 1 1 2 2 1 1 1 1 2 13 10 1.3
290 Are all requirements met? 1 1 1 1 1 5 1 1 5 5 22 10 2.2
291 How and when should companies begin compliance efforts? 1 1 1 1 1 3 1 1 1 1 12 10 1.2
292 What are the potential short term and long term effects on consumer privacy? 1 1 4 1 1 1 1 1 1 5 17 10 1.7
293 Has the social worker observed the principles of engagement in social work? 3 1 1 1 1 3 1 2 1 1 15 10 1.5
294 How likely are you to share personal information with industries? 5 1 1 1 4 1 2 1 3 1 20 10 2
295 Is your organization a covered business? 1 1 1 1 1 1 1 1 1 1 10 10 1
296 What exposure does the GDPR present? 1 1 1 1 1 1 1 1 1 1 10 10 1
297 What is the employee's disposable pay? 1 1 1 1 1 4 2 1 1 2 15 10 1.5
298 What frameworks and tools have helped your organization respond? 1 1 1 1 1 1 1 1 1 1 10 10 1
299 What aspects of deprivation are more and less served by the policies and programs? 1 1 1 3 3 1 2 1 1 1 15 10 1.5
300 Are risk management tasks balanced centrally and locally? 1 1 4 1 1 1 5 1 3 1 19 10 1.9
301 Does privacy have sufficient stature in your organization? 1 1 1 2 2 1 1 1 1 1 12 10 1.2
302 What California Consumer Privacy Act data will be collected? 1 2 1 1 1 1 1 1 5 1 15 10 1.5
303 Where is the cost? 1 1 1 1 2 1 1 1 1 1 11 10 1.1
304 Is the work to date meeting requirements? 1 1 1 2 1 1 3 1 1 1 13 10 1.3
305 Will you include small business accounts too? 1 1 1 1 1 1 1 5 1 1 14 10 1.4
306 What changes has the GDPR brought to the profession? 1 1 3 1 1 1 1 1 4 1 15 10 1.5
307 Do you know of any organization that sells any private information that comes through it? 1 1 1 4 1 1 1 1 1 1 13 10 1.3
308 What does the CCPA consider personal information? 2 1 1 1 1 1 1 1 1 1 11 10 1.1
309 When did the CCPA go into effect? 1 1 1 1 5 1 5 1 1 1 18 10 1.8
310 How many people leave each year, and how difficult is it to recruit staff? 1 1 1 2 1 1 4 1 1 5 18 10 1.8
311 How will you demonstrate compliance? 2 5 1 1 2 1 1 1 1 1 16 10 1.6
312 Are you selling everywhere your consumers want to buy? 1 1 1 1 1 1 1 1 1 1 10 10 1
313 How does the GDPR/CCPA right to be forgotten affect backups? 1 1 5 1 1 1 4 1 1 1 17 10 1.7
314 How does sycamore protect your personal information? 3 1 1 1 1 1 1 1 1 1 12 10 1.2
315 Is there an established change management process? 1 5 1 1 4 4 1 1 1 1 20 10 2
316 Who will provide care and services to a future aging population? 1 1 1 1 1 1 1 1 1 1 10 10 1
317 Do companies have to flow down access requests to service providers? 1 1 1 1 2 1 1 1 4 1 14 10 1.4
318 What social networks do you advertise on? 1 1 1 1 1 2 1 1 1 3 13 10 1.3
319 What are financial organizations currently doing to rebuild reputation? 4 1 1 3 1 1 1 1 1 1 15 10 1.5
320 What personal information do you collect and share, and for what purpose? 1 1 1 2 1 2 1 1 1 1 12 10 1.2
321 Why CCPA privacy language must be included in procurement contract with the providers? 1 3 1 1 1 1 1 1 1 3 14 10 1.4
322 How will the data be checked for quality? 1 1 1 1 1 1 1 1 1 1 10 10 1
323 Do you believe that types of information are being collected by digital platforms? 1 1 1 4 1 4 1 1 1 1 16 10 1.6
324 Does it apply to non profit organizations? 1 3 1 5 1 1 5 1 1 1 20 10 2
325 Is the quality assurance team identified? 1 1 2 1 1 1 1 5 1 1 15 10 1.5
326 When/with whom do you share personal information? 1 1 1 5 1 1 3 1 5 1 20 10 2
327 What personal information will be collected? 5 1 1 1 1 1 1 1 1 4 17 10 1.7
328 Have financial organizations gone far enough with privacy disclosures? 1 1 1 1 1 1 1 3 1 1 12 10 1.2
329 Are employees usually able to take first choice courses? 3 1 1 1 1 1 1 1 1 1 12 10 1.2
330 Where is your organization going? 1 1 1 1 1 1 1 1 4 1 13 10 1.3
331 What personal information do you collect or possess? 5 1 1 4 1 1 1 1 4 5 24 10 2.4
332 When is a related entity considered part of the business? 1 1 1 1 1 1 5 2 1 1 15 10 1.5
333 How do you ensure that security can be kept current on an IoT device? 1 1 1 1 1 1 1 2 1 1 11 10 1.1
334 How does information acquisition affect physical/ social structure in a work environment? 5 2 1 1 1 2 1 3 1 1 18 10 1.8
335 Are procedures documented for managing California Consumer Privacy Act risks? 1 3 1 3 3 1 1 1 1 1 16 10 1.6
336 How fast did your organization investigate and respond to the incident? 1 4 1 1 1 1 3 1 3 4 20 10 2
337 Who will lead the implementation? 1 4 1 1 4 1 1 1 1 1 16 10 1.6
338 What systems/processes must you excel at? 1 1 3 1 1 1 1 1 1 1 12 10 1.2
339 How does GDPR affect organizations? 1 1 1 2 1 1 4 1 1 1 14 10 1.4
340 What kind of employee thrives in your program? 1 1 4 1 1 1 4 1 1 1 16 10 1.6
341 How long to keep data and how to manage retention costs? 1 1 1 1 1 1 1 1 2 1 11 10 1.1
342 Does the GDPR apply to your organization? 1 5 1 1 1 1 1 1 1 1 14 10 1.4
343 Who is covered by the privacy rule? 1 1 1 1 1 4 1 1 1 1 13 10 1.3
344 How should privacy rights be protected? 1 1 1 1 1 1 1 1 1 1 10 10 1
345 Does that constitute tracking of a consumer? 1 1 1 1 1 1 1 1 1 1 10 10 1
346 Should directory information services and products be prescribed as specified services? 1 1 2 1 1 1 1 1 1 1 11 10 1.1
347 What is that function for the various policy areas? 5 1 1 1 1 1 1 1 5 2 19 10 1.9
348 What knowledge or experience is required? 1 1 2 1 1 1 1 1 1 1 11 10 1.1
349 How do you obtain your personal information? 1 1 1 2 2 2 1 1 1 2 14 10 1.4
350 Who do you share your personal information with? 1 1 1 1 1 2 1 1 5 1 15 10 1.5
351 Did you find any other type of opt outs in the privacy policy? 1 5 1 5 1 5 4 1 1 1 25 10 2.5
352 Is the California Consumer Privacy Act solution sustainable? 1 1 1 1 1 1 1 1 1 1 10 10 1
353 What does CCPA want you to do with it? 1 3 1 3 1 1 1 1 1 1 14 10 1.4
354 What are management teams to do? 1 1 3 1 1 1 1 1 1 1 12 10 1.2
355 Which part of the sheet are you sharing? 1 1 1 1 1 4 3 1 1 1 15 10 1.5
356 What are the ramifications of non compliance? 2 1 1 1 1 1 4 1 1 1 14 10 1.4
357 What subcontractors and suppliers support your lead service providers? 1 1 1 1 1 1 1 1 1 2 11 10 1.1
358 How relevant is the information you are collecting about the potential compromise? 1 1 5 5 1 1 1 1 1 1 18 10 1.8
359 What does a modern industrial policy look like? 5 1 1 1 2 1 1 1 1 1 15 10 1.5
360 How will the change process be managed? 1 1 1 1 1 1 1 1 1 1 10 10 1
361 What about employees of your organization? 1 1 1 1 1 1 1 1 1 5 14 10 1.4
362 What is your organization purpose? 1 1 1 1 1 1 1 2 1 3 13 10 1.3
363 Have you recently changed positions? 3 1 1 1 1 1 1 1 1 1 12 10 1.2
364 How should consumers make a request for access or opting out? 1 1 1 3 1 3 1 1 1 1 14 10 1.4
365 Which apply to your organization? 4 1 1 1 1 1 1 1 1 2 14 10 1.4
366 How many officials are registered with your organization? 4 4 1 1 1 1 1 1 1 1 16 10 1.6
367 Is your organization held liable for the actions of a third party with which it may share information? 1 1 1 1 1 1 1 1 1 4 13 10 1.3
368 What are the key steps toward compliance? 1 1 1 4 1 1 1 1 1 1 13 10 1.3
369 Why should privacy be implemented into design? 1 1 1 1 5 1 1 1 1 1 14 10 1.4
370 Has your organization determined the interested parties that are relevant to the ISMS? 1 4 1 1 1 1 1 1 1 1 13 10 1.3
371 How do financial services providers differentiate themselves? 1 1 3 1 1 1 1 1 2 1 13 10 1.3
372 Where is privacy best aligned within your organization? 1 1 3 2 1 1 1 1 1 1 13 10 1.3
373 Which companies and industries are making the most progress in reducing wastes? 1 1 1 1 1 1 1 3 1 1 12 10 1.2
This document is a partial preview. Full document download can be found on Flevy:
https://flevy.com/browse/document/california-consumer-privacy-act--implementation-toolkit-5570
California Consumer Privacy Act - Implementation Toolkit
California Consumer Privacy Act - Implementation Toolkit
California Consumer Privacy Act - Implementation Toolkit
California Consumer Privacy Act - Implementation Toolkit
California Consumer Privacy Act - Implementation Toolkit
California Consumer Privacy Act - Implementation Toolkit
California Consumer Privacy Act - Implementation Toolkit
California Consumer Privacy Act - Implementation Toolkit

More Related Content

More from Flevy.com Best Practices

[Whitepaper] 8 Key Steps of Data Integration: Restructuring Redeployment Asse...
[Whitepaper] 8 Key Steps of Data Integration: Restructuring Redeployment Asse...[Whitepaper] 8 Key Steps of Data Integration: Restructuring Redeployment Asse...
[Whitepaper] 8 Key Steps of Data Integration: Restructuring Redeployment Asse...Flevy.com Best Practices
 
[Whitepaper] Strategy Classics: Value Disciplines Model
[Whitepaper] Strategy Classics: Value Disciplines Model[Whitepaper] Strategy Classics: Value Disciplines Model
[Whitepaper] Strategy Classics: Value Disciplines ModelFlevy.com Best Practices
 
[Whitepaper] The Definitive Guide to Strategic Planning: Here’s What You Need...
[Whitepaper] The Definitive Guide to Strategic Planning: Here’s What You Need...[Whitepaper] The Definitive Guide to Strategic Planning: Here’s What You Need...
[Whitepaper] The Definitive Guide to Strategic Planning: Here’s What You Need...Flevy.com Best Practices
 
[Whitepaper] The Definitive Introduction to Strategy Development and Strategy...
[Whitepaper] The Definitive Introduction to Strategy Development and Strategy...[Whitepaper] The Definitive Introduction to Strategy Development and Strategy...
[Whitepaper] The Definitive Introduction to Strategy Development and Strategy...Flevy.com Best Practices
 
[Whitepaper] The “Theory of Constraints:” What’s Limiting Your Organization?
[Whitepaper] The “Theory of Constraints:” What’s Limiting Your Organization?[Whitepaper] The “Theory of Constraints:” What’s Limiting Your Organization?
[Whitepaper] The “Theory of Constraints:” What’s Limiting Your Organization?Flevy.com Best Practices
 
[Whitepaper] Transportation Cost Reduction in Supply Chain Management
[Whitepaper] Transportation Cost Reduction in Supply Chain Management[Whitepaper] Transportation Cost Reduction in Supply Chain Management
California Consumer Privacy Act - Implementation Toolkit

  • 1. Self-Assessment: California Consumer Privacy Act Read Introduction Self-Assess RACI Matrix View Scores
  • 2. Introduction, about the California Consumer Privacy Act Self-Assessment Defining, designing, creating, and implementing a process to solve a business challenge or meet a business objective is the most valuable role… In EVERY company, organization and department. Unless you are talking a one-time, single-use project within a business, there should be a process. Whether that process is managed and implemented by humans, AI, or a combination of the two, it needs to be designed by someone with a complex enough perspective to ask the right questions. Someone capable of asking the right questions and step back and say, 'What are we really trying to accomplish here? And is there a different way to look at it?' For more than twenty years, The Art of Service's Self-Assessments empower people who can do just that - whether their title is marketer, entrepreneur, manager, salesperson, consultant, business process manager, executive assistant, IT Manager, CxO etc... - they are the people who rule the future. They are people who watch the process as it happens, and ask the right questions to make the process work better. This Self-Assessment is for managers, advisors, consultants, specialists, professionals and anyone interested in knowing the right questions to ask. Featuring new and updated case-based questions, organized into seven core areas of process design, this Self-Assessment will help you identify areas in which improvements can be made. In using the questions you will be better able to: ❑ diagnose projects, initiatives, organizations, businesses and processes using accepted diagnostic standards and practices ❑ implement evidence-based best practice strategies aligned with overall goals ❑ integrate recent advances in the topic and process design strategies into practice according to best practice guidelines Using a Self-Assessment tool known as the Self-Assessment Radar Chart, you will develop a clear picture of the areas where improvements can be made. 
This spreadsheet has been designed for 1-10 participants and is easy to expand; multiple spreadsheets can be used to assess with a large group or modify formulas etc. You can use this spreadsheet as the starting point for deeper analysis. One suggestion is to use Pivot Tables, for even more powerful analysis, or import the data in analysis and reporting tools like Tableau, SAP, ZOHO or the Business Intelligence tool of your choice. You are free to use the Self-Assessment contents in your presentations and materials for customers without asking us - we are here to help. The Art of Service has helped hundreds of clients to improve execution and meet the needs of customers better by applying process redesign. How can we help you? For all questions regarding this Self-Assessment or to discuss how our team can help your business achieve true results, please visit https://store.theartofservice.com/contact-us/ Start Self-Assessment This document is a partial preview. Full document download can be found on Flevy: https://flevy.com/browse/document/california-consumer-privacy-act--implementation-toolkit-5570
  • 3. Below are the only valid entries for the assessment. This Self-Assessment is set up to process 1-10 participant's views. When using for less than 10 participants, the entry fields need to stay clear/empty so it does not skew the results. Each participants answer is to be recorded using the drop down box next to the question and select an answer of 1-5, or leave at Non applicable for each question for each process area. In my belief, the answer to the following question is clearly defined: (click 'Not applicable' under Participant name to change value, leave at 'Not applicable' if the question is not matched to your goals/needs) 1 Strongly Disagree 2 Disagree 3 Neutral 4 Agree 5 Strongly Agree Step 1 - Enter the names of the participants here: Participant 1 Participant 2 Participant 3 Participant 4 Participant 5 Participant 6 Participant 7 Participant 8 Participant 9 Participant 10 Step 2 - Now have each participant answer each question for each Process area, under their name. Click 'Not applicable' under Participant name to change value, leave at 'Not applicable' if the question is not matched to your goals/needs. 1 Recognize Participant 1 Participant 2 Participant 3 Participant 4 Participant 5 Participant 6 Participant 7 Participant 8 Participant 9 Participant 10 Total Count Avg "In my belief, the answer to the following question is clearly defined:" 0 0 0 1 Do you have the list of personal information elements that can be used to identify an individual, collected and stored with your organization? 5 5 5 1 5 5 5 2 5 2 40 10 4 2 What follow up actions are needed to restore normal operations? 3 5 5 5 5 5 1 5 5 3 42 10 4.2 3 What personally identifiable information triggers notification? 5 5 5 2 5 5 5 5 5 5 47 10 4.7 4 Will a response program recognize when a crisis occurs and provide some level of response? 5 5 4 4 5 5 2 5 5 5 45 10 4.5 5 What does your research do to help your eCommerce business needs? 
5 5 4 5 5 2 5 5 5 4 45 10 4.5 6 Do you recognize California Consumer Privacy Act achievements? 5 5 5 5 5 5 5 5 5 5 50 10 5 7 How are you going to measure success? 5 5 5 5 4 5 5 2 5 5 46 10 4.6 8 What kind of communication research still needs to be done before making a choice? 1 5 5 5 5 5 4 5 5 5 45 10 4.5 9 How do you stay flexible and focused to recognize larger California Consumer Privacy Act results? 5 2 5 2 3 5 5 2 5 5 39 10 3.9 10 What would happen if California Consumer Privacy Act weren’t done? 5 5 1 5 5 5 5 5 5 5 46 10 4.6 11 What does California Consumer Privacy Act success mean to the stakeholders? 5 5 5 5 5 3 5 5 5 5 48 10 4.8 12 How do you recognize an objection? 5 1 5 5 5 5 5 5 5 2 43 10 4.3 13 Are employees recognized or rewarded for performance that demonstrates the highest levels of integrity? 5 5 4 5 5 5 5 5 5 5 49 10 4.9 14 Is additional clarification/information needed? 2 5 5 5 5 5 5 5 5 4 46 10 4.6 15 To what extent does management recognize California Consumer Privacy Act as a tool to increase the results? 5 5 3 5 5 5 5 5 5 5 48 10 4.8 16 How well can employees show and apply problem solving skills? 5 5 2 5 4 5 5 5 5 5 46 10 4.6 17 What is triggered if your organization collects personal information? 5 5 5 5 5 5 5 5 5 5 50 10 5 18 What does your organization need to do? 5 5 5 5 4 1 4 5 5 1 40 10 4 19 To what extent would your organization benefit from being recognized as a award recipient? 4 5 5 5 5 5 5 5 5 5 49 10 4.9 20 How are the California Consumer Privacy Act's objectives aligned to the group’s overall stakeholder strategy? 5 5 5 3 3 2 4 5 5 5 42 10 4.2 21 When a California Consumer Privacy Act manager recognizes a problem, what options are available? 5 5 4 5 5 5 5 5 5 5 49 10 4.9 22 Who will you need to contact and when? 2 5 5 5 5 5 5 2 5 5 44 10 4.4 23 To what extent does each concerned units management team recognize California Consumer Privacy Act as an effective investment? 
1 5 5 5 1 5 5 3 5 5 40 10 4 24 Are there recognized California Consumer Privacy Act problems? 1 5 1 5 5 4 5 5 5 5 41 10 4.1 25 Who else do you need to involve within your organization? 5 3 5 4 5 5 3 5 5 5 45 10 4.5 26 Does your organization identify that it has recordings? 5 5 5 1 5 5 5 5 5 5 46 10 4.6 27 Is the need for organizational change recognized? 5 5 5 5 5 5 5 5 5 3 48 10 4.8 28 What is the recognized need? 1 5 5 2 5 5 5 5 2 5 40 10 4 29 Does a consumer need to initial the opt out box for it to be valid? 5 5 5 5 5 4 5 5 5 3 47 10 4.7 30 Are there any specific expectations or concerns about the California Consumer Privacy Act team, California Consumer Privacy Act itself? 5 5 5 5 5 5 5 4 5 5 49 10 4.9 31 What problems are you facing and how do you consider California Consumer Privacy Act will circumvent those obstacles? 5 5 5 5 5 5 1 4 1 5 41 10 4.1 32 When do you need to respond to a subject action request by? 5 5 5 2 5 3 5 5 5 5 45 10 4.5 33 What is the preferred time scale within which the problem must be solved? 4 5 5 5 1 5 5 5 3 5 43 10 4.3 34 How will you recognize and celebrate results? 3 1 5 5 5 5 5 5 5 5 44 10 4.4 35 Will the business need to change? 3 5 4 5 5 5 5 5 4 3 44 10 4.4 36 What are the expected benefits of California Consumer Privacy Act to the stakeholder? 5 5 5 2 4 5 4 5 5 5 45 10 4.5 37 How does the problem fit into the evolution of your organization, and of society? 5 5 5 5 4 5 5 5 5 5 49 10 4.9 38 Have you identified the personal information elements which in combination with others can be used to identify an individual? 5 4 5 5 1 5 5 5 3 5 43 10 4.3 39 What are the minority interests and what amount of minority interests can be recognized? 4 2 4 5 3 5 5 5 3 5 41 10 4.1 40 How and where can the employees views of the communication culture be found in the other problem areas? 5 5 5 5 5 5 4 5 5 5 49 10 4.9 41 Who else hopes to benefit from it? 
5 5 3 5 5 5 5 5 5 4 47 10 4.7 42 Why do you need to provide personal information to receive your report? 5 4 5 5 5 5 5 5 5 5 49 10 4.9 43 How do you recognize an California Consumer Privacy Act objection? 5 2 5 5 5 2 5 1 5 1 36 10 3.6 44 What are the stakeholder objectives to be achieved with California Consumer Privacy Act? 5 5 5 5 5 5 5 5 5 1 46 10 4.6 45 Can management personnel recognize the monetary benefit of California Consumer Privacy Act? 5 3 1 5 5 5 1 5 3 5 38 10 3.8 46 What practices helps your organization to develop its capacity to recognize patterns? 5 5 3 5 5 5 4 3 3 5 43 10 4.3 47 Are losses recognized in a timely manner? 4 4 4 1 5 5 5 5 5 5 43 10 4.3 48 Are employees recognized for desired behaviors? 1 5 5 5 5 5 2 5 5 5 43 10 4.3 49 Are controls defined to recognize and contain problems? 5 5 5 5 5 5 2 5 5 5 47 10 4.7 50 Does California Consumer Privacy Act create potential expectations in other areas that need to be recognized and considered? 5 5 5 5 5 5 5 5 5 5 50 10 5 51 Will you need to amend your organizations online privacy policy? 3 5 5 5 3 5 1 5 4 5 41 10 4.1 52 Would you recognize a threat from the inside? 5 4 1 5 5 5 5 5 3 5 43 10 4.3 53 How much are sponsors, customers, partners, stakeholders involved in California Consumer Privacy Act? In other words, what are the risks, if California Consumer Privacy Act does not deliver successfully? 5 5 5 5 5 5 5 5 5 5 50 10 5 54 What situation(s) led to this California Consumer Privacy Act Self Assessment? 5 5 5 5 5 5 5 5 5 5 50 10 5 55 Should the concept of specific business purpose or need be defined further and, if so, how? 5 5 1 2 5 4 1 3 5 5 36 10 3.6 56 As a sponsor, customer or management, how important is it to meet goals, objectives? 5 5 5 5 5 5 5 1 5 5 46 10 4.6 57 What does your business need to be compliant? 4 5 5 5 5 2 2 5 5 5 43 10 4.3 58 What kinds of problems occur and at which organizational levels? 
5 5 5 5 5 4 5 5 2 5 46 10 4.6 59 Are California Consumer Privacy Act changes recognized early enough to be approved through the regular process? 5 5 4 5 5 5 5 5 5 5 49 10 4.9 60 Should you invest in industry-recognized qualifications? 5 5 5 2 5 5 5 1 5 5 43 10 4.3 0 0 0 SCORE 261 275 263 263 275 276 260 268 276 271 2688 600 4.5 2 Define Participant 1 Participant 2 Participant 3 Participant 4 Participant 5 Participant 6 Participant 7 Participant 8 Participant 9 Participant 10 Total Count Avg "In my belief, the answer to the following question is clearly defined:" 0 0 0 1 Does the team have regular meetings? 4 1 5 4 4 4 2 4 4 2 34 10 3.4 2 How do you manage consumer privacy requirements and keeping the creepy out of retargeting? 4 4 5 4 4 4 5 2 5 5 42 10 4.2 3 Are customer(s) identified and segmented according to their different needs and requirements? 5 5 5 1 5 5 4 4 4 5 43 10 4.3 4 Are information security policies that provide management direction defined and regularly reviewed? 5 3 4 4 1 2 5 5 4 5 38 10 3.8 5 What are the compliance requirements? 4 5 5 5 5 5 5 4 3 4 45 10 4.5 6 How will variation in the actual durations of each activity be dealt with to ensure that the expected California Consumer Privacy Act results are met? 5 4 5 5 5 4 5 5 5 5 48 10 4.8 7 Has the improvement team collected the ‘voice of the customer’ (obtained feedback – qualitative and quantitative)? 5 4 5 4 5 4 4 2 5 4 42 10 4.2 8 How is personal information defined? 4 5 3 4 4 4 1 5 5 5 40 10 4 9 When is the estimated completion date? 4 4 5 4 5 4 1 4 5 4 40 10 4 10 Who are the California Consumer Privacy Act improvement team members, including Management Leads and Coaches? 5 5 4 5 1 4 4 1 5 4 38 10 3.8 11 When are you required to provide privacy notices? 5 5 3 5 4 5 5 5 5 5 47 10 4.7 12 Has everyone on the team, including the team leaders, been properly trained? 4 5 2 5 5 1 4 4 4 5 39 10 3.9 13 When is/was the California Consumer Privacy Act start date? 
3 4 5 4 4 5 4 5 5 5 44 10 4.4
14 How is the team tracking and documenting its work? 5 5 5 4 4 4 4 5 2 5 43 10 4.3
15 Are team charters developed? 2 4 5 5 4 5 5 1 5 5 41 10 4.1
16 When are meeting minutes sent out? Who is on the distribution list? 2 2 4 5 5 5 4 4 5 5 41 10 4.1
17 How do you keep key subject matter experts in the loop? 5 5 5 4 5 5 5 5 5 5 49 10 4.9
18 Have you defined clear roles and responsibility for request fulfillment? 4 4 5 4 4 5 5 5 1 5 42 10 4.2
19 How often are the team meetings? 5 4 3 5 5 5 4 5 4 5 45 10 4.5
20 Is there regularly 100% attendance at the team meetings? If not, have appointed substitutes attended to preserve cross-functionality and full representation? 5 5 5 5 5 4 5 5 4 4 47 10 4.7
21 Is there a completed SIPOC representation, describing the Suppliers, Inputs, Process, Outputs, and Customers? 4 4 2 4 1 5 4 5 4 4 37 10 3.7
22 What are the dynamics of the communication plan? 5 5 4 5 4 5 1 5 3 2 39 10 3.9
23 Are improvement team members fully trained on California Consumer Privacy Act? 5 5 4 4 4 4 4 4 5 4 43 10 4.3
24 Has/have the customer(s) been identified? 5 5 5 4 4 5 4 3 4 5 44 10 4.4
25 Are stakeholder processes mapped? 4 1 4 4 5 4 5 4 5 5 41 10 4.1
26 Is there a critical path to deliver California Consumer Privacy Act results? 5 5 5 4 5 5 5 4 4 3 45 10 4.5
27 Is full participation by members in regularly held team meetings guaranteed? 5 4 5 5 5 4 5 4 4 5 46 10 4.6
28 Does the unilateral amendment exceed the scope of the GDPR? 5 4 2 5 1 5 5 5 4 5 41 10 4.1
29 Is there a completed, verified, and validated high-level ‘as is’ (not ‘should be’ or ‘could be’) stakeholder process map? 2 1 5 4 4 4 5 4 2 4 35 10 3.5
30 If substitutes have been appointed, have they been briefed on the California Consumer Privacy Act goals and received regular communications as to the progress to date? 4 3 5 4 5 4 5 4 4 4 42 10 4.2
31 Are customers identified and high impact areas defined? 1 5 1 5 5 4 5 5 4 5 40 10 4
32 Do the problem and goal statements meet the SMART criteria (specific, measurable, attainable, relevant, and time-bound)? 5 5 5 3 5 1 5 4 1 5 39 10 3.9
33 What is the geographic scope of your organization? 5 5 4 5 5 5 1 5 1 5 41 10 4.1
34 What specifically is the problem? Where does it occur? When does it occur? What is its extent? 5 5 5 5 5 5 4 4 4 5 47 10 4.7
35 Has the California Consumer Privacy Act work been fairly and/or equitably divided and delegated among team members who are qualified and capable to perform the work? Has everyone contributed? 5 5 5 4 5 4 5 5 5 4 47 10 4.7
36 Is there a California Consumer Privacy Act management charter, including stakeholder case, problem and goal statements, scope, milestones, roles and responsibilities, communication plan? 5 5 1 4 4 1 5 5 5 5 40 10 4
37 What are the boundaries of the scope? What is in bounds and what is not? What is the start point? What is the stop point? 5 4 5 1 1 5 5 4 5 4 39 10 3.9
38 Has the direction changed at all during the course of California Consumer Privacy Act? If so, when did it change and why? 4 2 1 5 5 5 4 5 4 4 39 10 3.9
39 Has a project plan, Gantt chart, or similar been developed/completed? 4 2 4 5 4 5 5 4 2 4 39 10 3.9
40 Are there different segments of customers? 5 5 4 5 2 5 5 4 5 3 43 10 4.3
41 Is the team adequately staffed with the desired cross-functionality? If not, what additional resources are available to the team? 4 4 4 5 4 5 5 4 5 3 43 10 4.3
42 Will team members regularly document their California Consumer Privacy Act work? 1 4 5 4 4 3 4 5 3 4 37 10 3.7
43 How was the ‘as is’ process map developed, reviewed, verified and validated? 4 4 5 1 4 4 4 1 4 2 33 10 3.3

This document is a partial preview. Full document download can be found on Flevy: https://flevy.com/browse/document/california-consumer-privacy-act--implementation-toolkit-5570

44 Is the team formed and are team leaders (Coaches and Management Leads) assigned? 4 5 5 4 4 4 4 2 5 3 40 10 4
45 Are different versions of process maps needed to account for the different types of inputs? 4 3 4 5 5 5 5 5 4 5 45 10 4.5
46 What are the minimum security requirements for IoT devices? 3 4 4 4 5 3 5 4 4 5 41 10 4.1
47 How can you measure the accountability of your privacy work outside legal requirements? 5 4 5 5 4 3 4 4 5 2 41 10 4.1
48 How will the California Consumer Privacy Act team and the group measure complete success of California Consumer Privacy Act? 3 4 5 5 5 4 5 5 3 4 43 10 4.3
49 When notice is required, may you mail just one privacy notice? 5 4 4 3 5 5 5 5 5 4 45 10 4.5
50 What constraints exist that might impact the team? 4 4 1 4 4 4 5 5 5 5 41 10 4.1
51 Is the team sponsored by a champion or stakeholder leader? 3 4 4 5 4 4 4 4 5 4 41 10 4.1
52 What are the Roles and Responsibilities for each team member and its leadership? Where is this documented? 4 5 5 5 4 4 5 4 4 4 44 10 4.4
53 Is the California Consumer Privacy Act scope manageable? 5 5 5 3 3 4 5 2 3 2 37 10 3.7
54 What are the compelling stakeholder reasons for embarking on California Consumer Privacy Act? 5 5 5 4 4 5 4 5 5 4 46 10 4.6
55 Is the current ‘as is’ process being followed? If not, what are the discrepancies? 4 3 5 3 5 5 5 4 4 4 42 10 4.2
56 Will team members perform California Consumer Privacy Act work when assigned and in a timely fashion? 3 4 5 4 4 4 5 4 5 4 42 10 4.2
57 Who must comply with the CCPA's requirements? 4 3 5 5 5 5 4 4 4 5 44 10 4.4
58 Has a high-level ‘as is’ process map been completed, verified and validated? 4 5 5 5 5 2 5 4 5 5 45 10 4.5
59 Are there any constraints known that bear on the ability to perform California Consumer Privacy Act work? How is the team addressing them? 4 4 4 5 5 2 4 4 4 5 41 10 4.1
60 Have you defined business rules to operationalize retention policy? 4 4 4 5 4 2 4 5 1 5 38 10 3.8
61 What constitutes would otherwise meet the requirements of a service provider? 2 3 5 5 5 3 4 5 5 4 41 10 4.1
62 Is data collected and displayed to better understand customer(s) critical needs and requirements? 5 4 4 1 5 5 4 5 5 5 43 10 4.3
63 Has anyone else (internal or external to the group) attempted to solve this problem or a similar one before? If so, what knowledge can be leveraged from these previous efforts? 4 4 5 4 4 4 5 5 4 5 44 10 4.4
64 Is California Consumer Privacy Act currently on schedule according to the plan? 4 5 5 4 5 4 4 4 5 4 44 10 4.4
65 What would be the goal or target for a California Consumer Privacy Act's improvement team? 5 4 5 4 4 4 4 5 5 4 44 10 4.4
66 What critical content must be communicated – who, what, when, where, and how? 4 4 4 5 2 3 5 5 4 4 40 10 4
67 Is the team equipped with available and reliable resources? 5 5 5 2 4 5 5 5 5 5 46 10 4.6
68 Is the improvement team aware of the different versions of a process: what they think it is vs. what it actually is vs. what it should be vs. what it could be? 4 4 4 4 5 4 3 5 2 5 40 10 4
69 What security measures are required? 4 3 4 4 5 5 5 5 1 3 39 10 3.9
70 Has a team charter been developed and communicated? 5 2 5 4 4 4 4 4 1 5 38 10 3.8
71 What are the rough order estimates on cost savings/opportunities that California Consumer Privacy Act brings? 4 4 3 5 5 4 5 4 4 4 42 10 4.2
72 What level of security is required? 4 5 5 4 5 4 4 4 5 4 44 10 4.4
73 What key stakeholder process output measure(s) does California Consumer Privacy Act leverage and how? 4 4 4 4 4 4 4 5 2 5 40 10 4
74 Have the customer needs been translated into specific, measurable requirements? How? 5 4 5 5 2 4 5 4 4 4 42 10 4.2
75 What customer feedback methods were used to solicit their input? 1 3 5 4 4 4 4 4 4 4 37 10 3.7
76 Is California Consumer Privacy Act linked to key stakeholder goals and objectives? 4 5 5 5 4 4 4 5 4 4 44 10 4.4
77 Are you required to purchase machines with screens large enough to hold your privacy policy? 4 5 4 4 4 5 5 3 4 2 40 10 4
78 What capacities are required for effective implementation of each policy and programme? 4 4 5 4 5 4 3 4 4 4 41 10 4.1
79 Is a fully trained team formed, supported, and committed to work on the California Consumer Privacy Act improvements? 4 5 5 4 1 4 4 4 5 5 41 10 4.1
80 How did the California Consumer Privacy Act manager receive input to the development of a California Consumer Privacy Act improvement plan and the estimated completion dates/times of each activity? 5 5 4 5 4 5 4 5 4 4 45 10 4.5
81 How does the California Consumer Privacy Act manager ensure against scope creep? 5 4 5 5 4 4 4 4 5 5 45 10 4.5
SCORE 336 331 349 341 335 333 348 341 325 345 3384 810 4.2

3 Measure
Participant 1 Participant 2 Participant 3 Participant 4 Participant 5 Participant 6 Participant 7 Participant 8 Participant 9 Participant 10 Total Count Avg
"In my belief, the answer to the following question is clearly defined:"
1 What particular quality tools did the team find helpful in establishing measurements? 5 3 3 4 3 4 4 5 3 4 38 10 3.8
2 Was a data collection plan established? 4 5 5 4 4 3 5 4 4 5 43 10 4.3
3 Should companies be able to charge a reasonable cost for certain types of access? 1 5 3 5 5 3 5 5 4 3 39 10 3.9
4 What social causes and activities are you passionate about? 5 3 3 2 5 3 4 5 1 4 35 10 3.5
5 What is the total relevant skilled labor cost of the contract? 3 5 1 4 5 3 3 5 5 3 37 10 3.7
6 Is there a Performance Baseline? 5 3 3 3 1 4 4 4 3 4 34 10 3.4
7 How will DSAR impact your operations? 3 3 4 4 5 4 3 3 5 3 37 10 3.7
8 What are the agreed upon definitions of the high impact areas, defect(s), unit(s), and opportunities that will figure into the process capability metrics? 5 5 4 3 5 3 3 4 3 4 39 10 3.9
9 What are the key input variables? What are the key process variables? What are the key output variables? 5 4 4 3 5 3 3 4 3 3 37 10 3.7
10 How responsive is business capital formation to its user cost? 4 4 2 2 5 5 5 5 4 5 41 10 4.1
11 How do you verify the identity of consumers? 3 3 3 3 3 1 3 5 4 5 33 10 3.3
12 What impact did GDPR have on your security organization? 3 3 3 4 1 5 3 3 4 4 33 10 3.3
13 How will CCPA impact your privacy operations? 5 3 5 4 3 3 3 4 4 4 38 10 3.8
14 What charts has the team used to display the components of variation in the process? 3 3 3 3 4 5 4 5 3 4 37 10 3.7
15 How will it impact loyalty programs? 4 3 5 5 3 5 5 4 3 3 40 10 4
16 Should the focus be on data ownership or on usage rights or a combination? 5 3 4 3 3 3 5 3 4 5 38 10 3.8
17 How much would it cost to do the same work a second time? 3 2 1 3 3 4 4 5 1 4 30 10 3
18 What factors are required for effective reconciliation or may impact on its effectiveness? 3 3 4 5 1 3 3 3 5 3 33 10 3.3
19 How will CCPA, GDPR affect measurement? 2 3 4 4 4 5 2 5 5 4 38 10 3.8
20 What are reasonable security measures? 3 5 4 5 3 5 4 2 4 5 40 10 4
21 Do consumers have a private cause of action? 3 3 5 4 5 5 2 4 5 5 41 10 4.1
22 Have you found any ‘ground fruit’ or ‘low-hanging fruit’ for immediate remedies to the gap in performance? 3 3 3 4 5 3 4 3 5 5 38 10 3.8
23 How does CCPA impact enterprises? 5 2 2 5 3 5 3 4 3 3 35 10 3.5
24 Have you measured how many hours staff and partners spend each year on acquisition? 4 3 3 2 5 5 4 3 5 3 37 10 3.7
25 What are the industry trends that are impacting you? 3 3 3 4 2 5 5 5 3 3 36 10 3.6
26 What is the limit on direct costs of solutions to the problem? 5 3 4 4 3 4 4 4 3 5 39 10 3.9
27 How will your organization verify consumer identities? 5 5 3 3 4 5 3 2 3 1 34 10 3.4
28 Does the CCPA impact loyalty programs or customer accounts? 4 5 3 4 4 3 5 2 3 4 37 10 3.7
29 How will you mitigate any negative impact? 4 3 5 5 1 3 4 5 4 5 39 10 3.9
30 What has the team done to assure the stability and accuracy of the measurement process? 5 5 3 3 5 4 5 1 3 3 37 10 3.7
31 What is the defect that causes the product hazard? 3 3 4 4 1 4 1 3 3 3 29 10 2.9
32 Are data processors liable for data breaches caused by the data processor's sub-processor? 5 4 5 3 4 4 3 5 5 3 41 10 4.1
33 Is Process Variation Displayed/Communicated? 1 5 1 5 4 3 3 1 5 1 29 10 2.9
34 What caused the product defect to occur in the first place? 4 4 4 4 5 2 4 5 5 5 42 10 4.2
35 What key measures identified indicate the performance of the stakeholder process? 5 5 4 4 4 5 3 5 3 4 42 10 4.2
36 Are key measures identified and agreed upon? 3 4 4 5 1 2 3 4 3 2 31 10 3.1
37 Are process variation components displayed/communicated using suitable charts, graphs, plots? 5 4 3 5 2 5 3 1 3 4 35 10 3.5
38 Does the policy cover the cost of retaining a forensic investigator? 3 5 5 3 5 5 5 3 5 3 42 10 4.2
39 Are high impact defects defined and identified in the stakeholder process? 3 4 3 4 5 3 2 1 3 4 32 10 3.2
40 Is your business impacted by the CCPA? 3 4 4 5 5 5 4 4 4 4 42 10 4.2
41 What impact have new laws had on your customers' trust? 3 5 3 5 5 4 1 5 5 4 40 10 4
42 Is key measure data collection planned and executed, process variation displayed and communicated and performance baselined? 3 3 3 5 4 5 3 5 5 5 41 10 4.1
43 What is the total relevant cost of labor for the contract? 3 5 5 4 5 5 5 3 4 5 44 10 4.4
44 Is data collection planned and executed? 5 5 5 4 1 4 5 5 5 4 43 10 4.3
45 Why care about the impact of the GDPR on privacy? 3 2 4 3 1 5 4 4 5 3 34 10 3.4
46 Is long term and short term variability accounted for? 5 5 5 5 5 5 5 5 5 4 49 10 4.9
47 What process will business use to verify the consumer request, including any information the consumer must provide? 3 4 5 1 2 5 3 1 3 5 32 10 3.2
48 Are information security risks compared to the established risk criteria and prioritized? 3 4 4 4 3 3 4 3 3 4 35 10 3.5
49 Does the project have impacts that are individually limited, and cumulatively considerable? 4 4 4 4 5 4 4 5 3 4 41 10 4.1
50 Is your organization's business team aware of the change in regulation and how it may impact marketing and consumer reach? 3 5 3 5 4 4 4 2 2 3 35 10 3.5
51 How do regulations impact your ability to meet business objectives and marketing goals? 4 3 3 5 5 2 4 5 5 4 40 10 4
52 Which most causes you to distrust a brand when providing your personal information? 5 4 3 3 5 5 1 3 3 4 36 10 3.6
53 How will opting out impact consumers? 1 3 4 4 5 3 4 4 5 4 37 10 3.7
54 How large is the gap between current performance and the customer-specified (goal) performance? 4 4 5 3 1 5 3 5 5 5 40 10 4
55 Will small businesses incur more operational costs? 3 4 4 3 4 5 3 2 3 3 34 10 3.4
56 Will the CCPA be more impactful than many realize? 4 3 4 3 3 2 4 1 3 5 32 10 3.2
57 Who participated in the data collection for measurements? 4 2 3 3 3 4 1 3 3 5 31 10 3.1
58 What data was collected (past, present, future/ongoing)? 5 4 5 4 5 3 4 4 4 3 41 10 4.1
59 Does the CCPA allow an individual whose work email address or business contract information is compromised through a data breach to bring a cause of action for damages? 3 1 4 5 5 3 3 4 4 4 36 10 3.6
60 What will be the impact if you cannot access your data, or if it is stolen? 4 4 5 4 5 4 5 2 3 2 38 10 3.8
61 How does the right to delete impact service providers? 5 4 4 3 5 3 4 5 4 3 40 10 4
62 Which of costs are classified as production costs? 5 4 5 3 3 3 5 5 3 3 39 10 3.9
63 Which organization has priority? 3 5 5 3 4 4 2 1 2 4 33 10 3.3
64 How does GDPR/CCPA shift the focus of data protection to include consumers? 5 1 5 2 1 2 5 5 2 4 32 10 3.2
65 Which costs are part of the prime cost for a manufacturing organization? 3 3 1 5 2 5 4 4 3 5 35 10 3.5
66 Is there a cost to privacy breaches? 3 3 2 5 3 3 5 5 2 3 34 10 3.4
67 Is data collected on key measures that were identified? 3 4 3 3 5 5 5 4 4 4 40 10 4
68 Which deductions from an employee's pay has the highest priority? 5 3 4 5 4 3 4 5 2 4 39 10 3.9
69 Is a solid data collection plan established that includes measurement systems analysis? 4 5 3 4 2 4 5 5 1 1 34 10 3.4
SCORE 258 254 252 263 249 266 254 258 249 260 2563 690 3.7

4 Analyze
Participant 1 Participant 2 Participant 3 Participant 4 Participant 5 Participant 6 Participant 7 Participant 8 Participant 9 Participant 10 Total Count Avg
"In my belief, the answer to the following question is clearly defined:"
1 Have you established processes to fulfill consumer rights? 3 4 4 3 5 4 4 4 3 3 37 10 3.7
2 What must a third party do to qualify for access, particularly in regard to cybersecurity? 3 3 4 4 3 4 4 4 1 3 33 10 3.3
3 Are pertinent alerts monitored, analyzed and distributed to appropriate personnel? 4 3 3 4 3 4 4 3 1 4 33 10 3.3
4 Do consumers trust brands with data? 3 4 4 4 3 5 4 4 3 4 38 10 3.8
5 How do you assure consumer privacy throughout the matching process? 4 4 3 3 3 3 4 3 2 3 32 10 3.2
6 What personal data is held by staffing departments? 4 3 3 3 3 3 3 4 3 3 32 10 3.2
7 What entities will be accessing personal data? 5 3 3 4 4 1 2 3 3 3 31 10 3.1
8 Have changes been properly/adequately analyzed for effect? 3 5 3 3 4 4 4 1 3 5 35 10 3.5
9 What data should be made available? 3 4 3 3 4 4 3 4 4 4 36 10 3.6
10 Have all non-recommended alternatives been analyzed in sufficient detail? 4 3 4 3 4 4 4 3 4 1 34 10 3.4
11 What data can a consumer review or control? 4 3 3 4 2 4 4 1 1 3 29 10 2.9
12 What are some reasonable means of allowing consumers an opportunity to opt out? 4 3 3 4 4 3 3 4 3 4 35 10 3.5
13 How should data issues be coordinated internationally? 2 3 3 3 3 3 5 4 3 4 33 10 3.3
14 How legalistic can the consent process be? 4 4 3 4 4 4 1 3 1 3 31 10 3.1
15 Is the processor directly governed by the GDPR? 3 3 4 3 5 2 3 3 3 3 32 10 3.2
16 Can the system inspect file objects embedded in a database? 4 3 5 3 3 3 4 3 3 3 34 10 3.4
17 Does your organization have a secondary use strategy for the data? 3 4 4 4 3 4 4 3 4 4 37 10 3.7
18 Are information processing facilities implemented with redundancy to meet availability requirements? 3 3 4 1 3 4 4 3 3 2 30 10 3
19 Where is your data currently stored? 1 1 3 4 1 3 4 3 4 4 28 10 2.8
20 How are vendors disposing of data? 4 3 3 3 5 4 4 4 4 3 37 10 3.7
21 Do you currently have processes and resources in place that preserve copies of specific pieces of personal information that the business has collected about each consumer? 4 5 3 3 3 4 1 4 4 3 34 10 3.4
22 How do you better manage regulatory data requests or legal investigations? 4 3 3 3 5 4 4 4 4 3 37 10 3.7
23 Where is the data stored and how can it be accessed? 2 3 3 3 4 3 4 3 5 4 34 10 3.4
24 Are you subject to the general data protection regulation? 4 2 1 4 3 3 4 3 1 4 29 10 2.9
25 Did the consumer/ subject receive a functional copy of data at the end of the process? 4 3 3 3 4 4 4 3 4 4 36 10 3.6
26 Do staff have the necessary skills to collect, analyze, and report data? 3 3 4 2 4 4 3 4 4 4 35 10 3.5
27 What can / must you do with customer data? 3 4 4 3 4 5 4 3 3 4 37 10 3.7
28 What governance processes will be required within businesses? 3 4 4 4 4 3 3 4 4 2 35 10 3.5
29 How quickly must your organization notify affected consumers? 3 4 2 1 3 4 3 2 4 3 29 10 2.9
30 Who should own data decision making for your organization? 3 3 3 4 4 3 3 3 3 4 33 10 3.3
31 What about any marketing databases? 4 2 3 3 4 1 3 3 3 3 29 10 2.9
32 Is there a process defined and documented for determining competence for ISMS roles? 5 4 3 4 4 4 3 4 3 4 38 10 3.8
33 What is going on in the data management and analytics space in general now? 4 4 4 1 3 4 3 3 3 1 30 10 3
34 What is happening with the data? 4 3 3 1 4 3 3 4 4 3 32 10 3.2
35 What is the process for clients to share the information that is collected with you? 4 4 3 3 3 3 4 4 3 4 35 10 3.5
36 Have the types of risks that may impact California Consumer Privacy Act been identified and analyzed? 4 3 4 3 4 1 3 4 4 4 34 10 3.4
37 Does the business area have an inventory of where personal information is collected, stored, processed or managed? 4 3 2 3 3 3 4 3 1 4 30 10 3
38 Is there a transfer of the data, if so to what entity and where is that entity located? 3 4 4 5 1 4 3 3 3 3 33 10 3.3
39 Is there any data deletion option located in the account settings? 4 4 4 3 4 4 3 3 5 4 38 10 3.8
40 What are data subject access requests? 3 4 3 4 4 4 2 4 5 3 36 10 3.6
41 Does your organization track data sharing among employees? 3 3 4 5 4 2 3 3 4 4 35 10 3.5
42 What type and level of resources are required for operating and organizationalizing the database? 5 3 4 3 3 3 3 4 4 3 35 10 3.5
43 What qualifies as personal information? 3 4 3 4 2 3 3 1 3 3 29 10 2.9
44 What data has been collected and for what purpose? 4 3 4 3 4 4 4 3 4 3 36 10 3.6
45 What are your key California Consumer Privacy Act indicators that you will measure, analyze and track? 1 5 4 4 4 1 4 3 4 4 34 10 3.4
46 What technologies are used to identify sensitive data? 3 3 3 4 2 4 3 3 4 3 32 10 3.2
47 Is there any information in the privacy policy that introduces how to delete your account data? 4 4 3 3 3 3 4 3 5 4 36 10 3.6
48 Can there be any right of access to data from an antitrust point of view? 1 4 4 4 2 3 3 3 4 3 31 10 3.1
49 How does your organization cure data that has already been stolen? 1 4 4 3 2 3 4 3 2 4 30 10 3
50 How are cloud and container technologies enhancing enterprise data management capabilities? 4 3 4 3 4 1 4 4 2 3 32 10 3.2
51 Where can the tool detect sensitive data? 4 3 3 2 2 4 3 4 4 3 32 10 3.2
52 Do you track your customer data security requirements? 4 3 3 3 3 3 4 4 5 4 36 10 3.6
53 What is process for coordinating policies within departments? 4 3 3 4 3 3 1 4 4 5 34 10 3.4
54 Where, how, and for how long is personal information being processed, stored, disclosed, or sold? 3 3 4 3 4 3 3 3 3 3 32 10 3.2
55 Are you selling business opportunities without knowing it? 4 3 4 2 3 3 4 5 3 3 34 10 3.4
56 Which processes developed between your organization and the press? 4 3 3 3 3 3 4 4 3 3 33 10 3.3
57 Which process owners will conduct the diligence for the requests? 3 3 3 3 3 3 4 4 1 3 30 10 3
58 Does California Consumer Privacy Act systematically track and analyze outcomes for accountability and quality improvement? 3 3 4 3 3 3 4 4 4 3 34 10 3.4
59 Are losses documented, analyzed, and remedial processes developed to prevent future losses? 5 3 2 3 3 4 3 3 2 3 31 10 3.1
60 Why should financial policymakers care about data rights? 3 4 4 4 3 4 4 4 4 5 39 10 3.9
61 Do you still need the equal credit opportunity act? 3 4 4 3 4 3 4 4 4 3 36 10 3.6
62 How often do you need to access your data? 4 4 4 4 4 4 4 4 4 3 39 10 3.9
63 Do you see the option to opt out of its marketing during the account creation process? 3 3 2 3 3 4 1 4 3 4 30 10 3
64 Is there a structured process for adding new alarms or modifying existing ones? 4 4 4 4 2 5 3 4 3 4 37 10 3.7
65 Do you quickly find data on any particular consumer? 4 5 3 3 3 4 4 4 1 4 35 10 3.5
66 What are the most important business processes? 4 2 4 1 4 4 4 3 4 3 33 10 3.3
67 Do you need any or all of the personal data? 4 2 3 5 3 4 3 4 3 4 35 10 3.5
68 What process exists for coordinating policies across departments? 3 3 4 3 3 3 4 4 3 3 33 10 3.3
69 How and where is the data hosted? 3 1 1 4 3 4 3 4 3 3 29 10 2.9
70 What data is it within do you have? 1 4 4 3 2 4 4 4 4 4 34 10 3.4
71 Why consider financial data separately from other types of data? 3 3 4 4 3 4 3 3 3 2 32 10 3.2
72 Does the policy cover contractual liabilities that result from a data security breach? 1 3 3 4 2 1 3 3 4 3 27 10 2.7
73 What is the primary change introduced by the general data protection regulation for processors? 4 4 4 3 4 4 4 4 3 4 38 10 3.8
74 Which technologies is your organization already using for data protection and privacy? 5 4 3 4 3 2 3 1 3 1 29 10 2.9
75 How do you identify and analyze stakeholders and their interests? 3 3 4 4 3 3 4 3 4 3 34 10 3.4
76 Does the CCPA allow an individual whose name is compromised through a data breach to seek statutory damages? 4 4 3 3 4 3 4 3 3 4 35 10 3.5
77 What about already existing processing operations? 4 3 1 2 4 4 4 3 3 4 32 10 3.2
78 What data do you collect, use, share and transfer? 3 4 3 4 3 3 4 3 3 4 34 10 3.4
79 What are the objectives of financial data policy? 4 3 4 1 2 4 4 3 4 4 33 10 3.3
80 How do estimates from different pollutant databases compare? 3 1 4 3 3 3 3 3 3 4 30 10 3
81 What data can a consumer turn off? 3 3 4 3 4 4 5 3 4 4 37 10 3.7
82 How should data be protected and by whom? 4 1 3 4 3 4 5 3 4 3 34 10 3.4
83 How much data do you create every day? 3 4 3 3 4 3 3 3 1 4 31 10 3.1
84 Does your organization have a data retention program? 3 4 4 3 3 3 4 4 4 3 35 10 3.5
85 What are the processes for translating each policy into concrete programs? 3 4 3 4 3 4 3 4 3 3 34 10 3.4
86 How should data rights be governed? 3 5 2 3 5 4 4 3 4 3 36 10 3.6
87 What happens if you sell your data? 3 3 4 4 4 3 3 4 4 2 34 10 3.4
88 Should your organization be able to charge the third party or individual for providing the data? 3 4 5 4 4 3 4 3 3 4 37 10 3.7
89 What elements do you capture in an inventory or data map? 4 2 3 4 3 1 1 4 3 4 29 10 2.9
90 What relationships do you have with service providers or third parties that involve personal data? 4 4 3 3 4 3 3 3 4 3 34 10 3.4
91 Has the meaning of big data changed? 1 3 3 3 4 3 3 4 4 2 30 10 3
92 What were the most important findings from your validation process? 4 4 3 2 3 3 3 4 4 5 35 10 3.5
93 How should data rights be regulated? 4 4 3 4 1 4 3 4 3 3 33 10 3.3
94 Are procedures in place for regularly testing data integrity and vulnerabilities? 3 4 2 3 3 4 3 3 1 3 29 10 2.9
95 What qualifies as personal information under the statute? 3 3 4 4 4 4 3 5 3 4 37 10 3.7
96 Which stakeholder characteristics are analyzed? 3 3 3 4 3 3 2 4 4 2 31 10 3.1
97 What capacities are required for operating and organizationalizing the database? 3 4 3 3 4 3 3 4 3 3 33 10 3.3
98 What are the trends in you and foreign data security compliance requirements? 4 4 5 1 3 2 4 4 3 3 33 10 3.3
99 Is data orchestration spreading? 4 4 5 3 4 1 3 2 4 3 33 10 3.3
100 Does the link in the privacy policy to the data deletion choice work? 3 4 4 4 4 3 4 3 3 1 33 10 3.3
101 Do you process personal information or is personal information processed on your behalf? 3 4 4 3 2 2 3 3 3 3 30 10 3
102 What is data processing and when does it take place? 4 4 3 5 3 3 4 4 3 4 37 10 3.7
103 What do you see as the biggest challenges for data privacy in your jurisdiction during the next decade? 4 3 4 3 4 4 4 4 1 3 34 10 3.4
104 What qualifies as personal data? 4 3 3 4 3 4 4 3 1 3 32 10 3.2
105 How could the data subjects be made whole or the potential harm reduced? 4 4 4 1 3 4 3 3 4 3 33 10 3.3
106 Are the data security measures you have taken adequate? 3 4 4 4 3 4 3 4 4 4 37 10 3.7
107 How do you update/move/delete consumer data? 3 4 3 4 4 3 4 3 5 3 36 10 3.6
108 What are the most efficient ways of securing data for a particular retention period? 4 2 1 3 4 4 2 4 4 4 32 10 3.2
109 Does your organization systematically track and analyze outcomes related for accountability and quality improvement? 4 3 4 4 3 4 4 5 3 4 38 10 3.8
110 Is your organization aggregating that data? 1 1 3 3 3 4 3 3 3 5 29 10 2.9
111 Are the provisions that govern the process of arranging and giving cautions appropriate? 3 3 2 3 2 3 5 3 4 4 32 10 3.2
112 How will new hire data be safeguarded? 4 4 4 3 3 3 3 3 3 5 35 10 3.5
113 How long do you need to store your data? 3 4 3 3 3 3 3 5 3 5 35 10 3.5
114 Has your organization adopted data discovery and classification technology? 4 3 3 3 4 3 3 3 4 3 33 10 3.3
115 Can organizations achieve success with the data governance initiatives? 4 3 3 4 3 1 3 4 1 3 29 10 2.9
116 Who is responsible and what are the penalties if there is a data breach? 3 4 4 4 4 4 3 4 3 3 36 10 3.6
117 Have the concerns of stakeholders to help identify and define potential barriers been obtained and analyzed? 3 4 5 3 3 4 3 4 4 3 36 10 3.6
118 Where did you get the data from and where is it stored? 4 3 4 4 1 4 4 3 4 3 34 10 3.4
119 Does your organization have effective processes in place to ensure that no actions are taken in violation of the privacy policy? 5 3 3 1 3 4 4 2 4 4 33 10 3.3
120 Who would contact affected data subjects and control any messaging? 4 4 2 4 2 3 5 4 4 4 36 10 3.6
121 Why are you requesting the data? 4 4 3 4 3 3 3 4 3 4 35 10 3.5
122 Is your senior management requesting more reports on data security than a year ago? 5 3 2 5 4 3 5 3 1 4 35 10 3.5
123 Does ServiceNow comply with data privacy laws like the GDPR, CCPA, and others? 3 3 5 4 4 3 4 4 3 4 37 10 3.7
124 Have you fully mapped your data? 4 2 2 4 4 4 4 3 4 4 35 10 3.5
125 Do you have a data privacy program in place? 3 4 3 4 3 4 3 3 4 4 35 10 3.5
126 What data do you hold from consumers and what benefits do consumers get from requesting access? 4 4 3 3 3 3 3 4 4 4 35 10 3.5
127 What is your verification process? 4 5 4 4 5 4 3 1 2 4 36 10 3.6
128 Does the privacy policy include any links to delete your account data? 4 4 4 4 3 4 1 1 3 2 30 10 3
129 How should financial data rights be regulated? 4 3 2 3 3 3 3 1 4 3 29 10 2.9
130 Why managing consumer privacy can be an opportunity? 3 3 3 1 3 4 5 5 3 3 33 10 3.3
131 Does the information fit the information needs that result from organization and management processes? 4 4 4 4 4 5 4 3 3 3 38 10 3.8
132 Is an improvement or modernization process in any way involved? 4 3 1 3 3 4 3 3 3 3 30 10 3
133 Does the CCPA allow an individual whose IP address is compromised through a data breach to seek statutory damages? 3 4 4 4 4 3 4 4 4 3 37 10 3.7
134 Who owns the data generated by the device/system? 4 4 4 3 3 3 3 4 3 4 35 10 3.5
135 Where will data governance be most successful? 3 3 4 1 3 5 3 5 3 3 33 10 3.3
136 What data dimensions are important for setting policy? 4 4 4 3 3 4 4 1 4 4 35 10 3.5
137 How will the California Consumer Privacy Act data be analyzed? 3 4 3 4 3 4 5 3 4 3 36 10 3.6
138 How do you help mitigate the risk of external threats & insider data breaches and losses? 4 4 4 3 5 4 3 3 4 2 36 10 3.6
139 Are you a processor in the meaning of the general data protection regulation? 3 1 1 3 3 5 3 1 2 4 26 10 2.6
140 Are processes automated to ease the fulfillment of consumer rights? 4 3 4 4 3 4 4 3 3 3 35 10 3.5
141 How should the implementation process be guided? 4 1 3 4 3 2 5 3 4 3 32 10 3.2
SCORE 487 474 470 462 465 476 486 473 459 477 4729 1410 3.4

5 Improve
Participant 1 Participant 2 Participant 3 Participant 4 Participant 5 Participant 6 Participant 7 Participant 8 Participant 9 Participant 10 Total Count Avg
"In my belief, the answer to the following question is clearly defined:"
1 Are improved process (‘should be’) maps modified based on pilot data and analysis? 3 3 2 3 3 2 2 2 3 3 26 10 2.6
2 How can risk appetite inform your interpretation of each privacy regulation? 3 3 3 3 3 2 2 3 2 3 27 10 2.7
3 Is there a small-scale pilot for proposed improvement(s)? What conclusions were drawn from the outcomes of a pilot? 3 4 3 5 3 5 3 4 3 2 35 10 3.5
4 What does the ‘should be’ process map/design look like? 3 3 3 3 4 3 2 4 3 2 30 10 3
5 Is the implementation plan designed? 2 3 3 2 3 2 3 1 3 2 24 10 2.4
6 Describe the design of the pilot and what tests were conducted, if any? 2 2 2 2 3 1 3 3 3 2 23 10 2.3
7 Did good corporate governance improve organization performance during the financial crisis? 2 3 2 2 3 2 2 5 2 2 25 10 2.5
8 Can anything be deduced from your organization's evolution concerning possible resistance to solutions? 2 3 3 1 2 3 3 2 3 2 24 10 2.4
9 What are the risks of non-compliance? 1 3 4 2 2 3 2 2 2 3 24 10 2.4
10 Are new and improved process (‘should be’) maps developed? 5 2 2 3 1 1 2 2 2 2 22 10 2.2
11 Do you have validation and sign off strategy for privacy risk mitigation and acceptance by the compliance team? 3 3 2 2 3 2 5 3 3 3 29 10 2.9
12 Does the policy cover regulatory proceedings that may result from a breach, including legal fees? 2 2 2 3 2 2 3 2 5 3 26 10 2.6
13 What is the implementation plan? 2 3 1 3 3 5 2 5 5 2 31 10 3.1
14 What communications are necessary to support the implementation of the solution? 1 2 3 5 3 3 5 2 2 3 29 10 2.9
15 Are possible solutions generated and tested? 2 2 2 5 2 2 2 2 2 2 23 10 2.3
16 Is the information security performance and effectiveness of the ISMS evaluated? 2 1 2 2 3 3 2 2 5 1 23 10 2.3
17 What error proofing will be done to address some of the discrepancies observed in the ‘as is’ process? 4 3 2 3 3 2 3 2 2 3 27 10 2.7
18 Is the policy documented and communicated to employees and relevant interested parties? 3 3 3 2 5 3 2 3 2 5 31 10 3.1
19 What tools were used to evaluate the potential solutions? 3 2 2 2 3 2 3 2 2 3 24 10 2.4
20 Is there a cost/benefit analysis of optimal solution(s)? 3 2 3 2 3 3 2 2 3 3 26 10 2.6
21 How does the solution remove the key sources of issues discovered in the analyze phase? 5 2 5 3 3 2 3 3 3 3 32 10 3.2
22 How should compliance be documented? 2 2 3 2 3 3 3 2 2 2 24 10 2.4
23 Can improving exchange mechanism provide consumers more control? 3 5 2 3 3 3 2 2 2 2 27 10 2.7
24 What attendant changes will need to be made to ensure that the solution is successful? 3 3 2 2 2 2 2 3 2 3 24 10 2.4
25 What method do you use to evaluate employees? 1 3 4 3 2 2 4 2 2 3 26 10 2.6
26 How is an employee evaluated and promoted? 5 3 2 5 2 2 2 3 2 3 29 10 2.9
27 Is a contingency plan established? 1 1 2 3 3 2 2 2 2 3 21 10 2.1
28 Is the optimal solution selected based on testing and analysis? 2 3 1 1 3 2 1 3 3 5 24 10 2.4
29 Does consumer information usage improve your organization's performance in business to business market? 2 4 2 2 2 3 2 3 2 2 24 10 2.4
30 Were any criteria developed to assist the team in testing and evaluating potential solutions? 3 3 1 2 2 2 2 2 2 2 21 10 2.1
31 Are the best solutions selected? 3 3 3 5 3 3 2 2 3 3 30 10 3
32 Was a pilot designed for the proposed solution(s)? 2 2 2 1 3 3 4 2 2 4 25 10 2.5
33 What tools were used to tap into the creativity and encourage ‘outside the box’ thinking? 2 3 3 3 4 2 2 3 3 2 27 10 2.7
34 What decisions do policymakers need to make? 2 1 2 5 2 2 3 3 3 2 25 10 2.5
35 How are consumer concerns affecting the growth and development of online commercial activity? 3 3 3 3 3 2 3 2 2 3 27 10 2.7
36 What information do you need from your organization to make decisions? 2 2 3 3 1 3 3 5 3 3 28 10 2.8
37 Is pilot data collected and analyzed? 2 2 5 2 3 2 3 2 2 2 25 10 2.5
38 How did the team generate the list of possible solutions? 3 3 3 3 2 3 2 3 3 5 30 10 3
39 Are there any constraints (technical, political, cultural, or otherwise) that would inhibit certain solutions? 2 2 2 5 3 2 2 2 3 3 26 10 2.6
40 How will the team or the process owner(s) monitor the implementation plan to see that it is working as intended? 3 2 3 2 4 5 3 3 3 5 33 10 3.3
41 What are the risks of legacy personal information? 3 3 3 3 5 3 2 2 3 1 28 10 2.8
42 What lessons, if any, from a pilot were incorporated into the design of the full-scale solution? 2 3 2 2 2 2 3 2 2 3 23 10 2.3
43 How well do employees understand spoken information? 3 3 2 2 3 3 3 2 3 2 26 10 2.6
44 What were the underlying assumptions on the cost-benefit analysis? 2 3 2 1 2 3 3 4 3 2 25 10 2.5
45 Do you receive and retain the necessary information to support key business decisions and actions? 2 3 2 2 3 3 3 3 2 2 25 10 2.5
46 Why should you develop user centric privacy controls? 2 2 3 3 2 3 2 2 2 2 23 10 2.3
47 What is the risk of non-compliance? 1 1 2 1 3 2 3 5 2 3 23 10 2.3
48 Has the level of risk been appropriately assessed and appropriate action taken? 1 3 1 2 2 2 3 2 2 3 21 10 2.1
49 What is California Consumer Privacy Act's impact on utilizing the best solution(s)? 2 2 3 2 3 1 3 3 2 3 24 10 2.4
50 What is the team’s contingency plan for potential problems occurring in implementation? 3 4 5 2 2 3 2 2 5 3 31 10 3.1
51 How and when will your organization or its environment be involved in the evaluation? 2 2 2 2 3 2 2 3 3 2 23 10 2.3
52 Who are the proponents and opponents of the various solutions, and what are arguments? 5 2 2 2 2 3 2 5 3 2 28 10 2.8
53 What tools were most useful during the improve phase? 2 3 2 2 3 3 2 4 3 5 29 10 2.9
54 How will the group know that the solution worked? 2 1 1 2 3 2 2 3 2 5 23 10 2.3
55 Is a solution implementation plan established, including schedule/work breakdown structure, resources, risk management plan, cost/budget, and control plan? 2 2 1 2 3 2 2 5 3 1 23 10 2.3
SCORE 136 141 135 143 151 138 140 152 146 150 1432 550 2.6

6 Control
Participant 1 Participant 2 Participant 3 Participant 4 Participant 5 Participant 6 Participant 7 Participant 8 Participant 9 Participant 10 Total Count Avg
"In my belief, the answer to the following question is clearly defined:"
1 Is knowledge gained on process shared and institutionalized? 2 2 4 1 1 1 2 2 1 2 18 10 1.8
2 How should a universal choice mechanism be designed for consumers to control online behavioral advertising? 2 2 2 1 2 2 1 4 1 1 18 10 1.8
3 Is reporting being used or needed? 1 4 1 3 4 2 2 1 2 1 21 10 2.1
4 Are information systems regularly reviewed for technical compliance with policies and standards? 2 2 2 2 4 1 1 1 1 1 17 10 1.7
5 Do you have the internal resources and expertise to implement enhanced privacy controls? 2 1 1 1 1 1 2 2 5 1 17 10 1.7
6 How will new or emerging customer needs/requirements be checked/communicated to orient the process toward meeting the new specifications and continually reducing variation? 1 2 1 1 1 2 2 1 1 2 14 10 1.4
7 Is there a recommended audit plan for routine surveillance inspections of California Consumer Privacy Act's gains? 1 1 2 2 2 3 4 1 1 5 22 10 2.2
8 Is there a control plan in place for sustaining improvements (short and long-term)? 1 1 2 1 1 2 2 2 1 5 18 10 1.8
9 How do you monitor changes in data privacy and security laws? 2 4 1 2 2 1 4 1 2 1 20 10 2
10 Are documented procedures clear and easy to follow for the operators? 1 1 2 2 2 1 2 1 1 4 17 10 1.7
11 What key inputs and outputs are being measured on an ongoing basis? 1 2 1 2 1 2 1 2 2 2 16 10 1.6
12 Are suggested corrective/restorative actions indicated on the response plan for known causes to problems that might surface? 1 2 4 1 2 1 1 1 2 3 18 10 1.8
13 What is the recommended frequency of auditing? 3 2 2 1 2 1 2 2 2 1 18 10 1.8
14 Are new process steps, standards, and documentation ingrained into normal operations? 1 2 1 5 2 1 1 2 2 2 19 10 1.9
15 How is compliance with the contract monitored? 1 2 2 2 2 2 1 1 1 2 16 10 1.6
16 How are customer service performance measurements monitored and reported? 2 1 2 2 1 2 2 2 2 5 21 10 2.1
17 Are operating procedures consistent? 1 1 1 2 1 1 2 1 2 4 16 10 1.6
18 Do you have a compliance plan in place? 2 3 2 1 2 1 2 2 5 1 21 10 2.1
19 What other areas of the group might benefit from the California Consumer Privacy Act team’s improvements, knowledge, and learning? 1 1 5 4 2 1 1 2 5 2 24 10 2.4
20 How might the group capture best practices and lessons learned so as to leverage improvements? 2 1 1 1 2 1 3 5 1 2 19 10 1.9
21 When was the last time a plan was reviewed and possibly revised? 1 2 1 2 3 2 2 1 1 2 17 10 1.7
22 What is the legal standard for compliance? 2 1 1 2 4 1 2 1 2 2 18 10 1.8
23 What does your organization do to plan and prepare? 2 1 1 1 1 2 2 1 1 1 13 10 1.3
24 Who is the California Consumer Privacy Act process owner? 4 4 1 2 4 1 2 1 5 4 28 10 2.8
25 How will the process owner and team be able to hold the gains? 1 1 1 3 1 1 1 1 1 2 13 10 1.3
26 What is the reasonable standard of care for an AI system? 2 1 2 2 1 1 2 5 4 4 24 10 2.4
27 Who is the beneficiary of a qualified plan? 2 1 1 2 2 2 1 1 1 1 14 10 1.4
28 Is there a transfer of ownership and knowledge to process owner and process team tasked with the responsibilities? 1 3 2 1 4 1 4 2 5 1 24 10 2.4
29 Has the improved process and its steps been standardized? 2 1 2 1 2 4 1 2 2 2 19 10 1.9
30 Is there a standardized process? 1 2 2 2 2 2 2 1 3 1 18 10 1.8
31 What makes risk based audit planning difficult? 2 5 1 2 2 2 2 4 1 2 23 10 2.3
32 Is new knowledge gained embedded in the response plan? 2 1 1 2 2 2 1 1 1 1 14 10 1.4
33 Is there documentation that will support the successful operation of the improvement? 1 2 2 1 1 5 1 1 5 4 23 10 2.3
34 Does your organization monitor its employees on social media sites?
1 3 2 2 3 1 1 2 2 2 19 10 1.9 35 What should the next improvement project be that is related to California Consumer Privacy Act? 2 2 2 2 5 1 4 1 2 2 23 10 2.3 36 Have the coaches been provided with all the necessary forms and working plans? 2 2 2 2 2 2 1 1 2 1 17 10 1.7 37 Does the response plan contain a definite closed loop continual improvement scheme (e.g., plan-do-check-act)? 2 1 2 2 1 1 2 1 5 1 18 10 1.8 38 Does a troubleshooting guide exist or is it needed? 1 3 3 2 2 2 2 2 2 1 20 10 2 39 How will input, process, and output variables be checked to detect for sub-optimal conditions? 2 3 2 1 1 2 2 5 1 1 20 10 2 40 Is a response plan established and deployed? 4 2 5 1 1 1 1 1 2 2 20 10 2 41 What are the critical parameters to watch? 2 2 2 1 2 2 2 1 1 1 16 10 1.6 42 Do you have any plans to dispose of business interest during your lifetime? 2 1 3 2 1 2 2 2 2 2 19 10 1.9 43 What is a reasonable standard of care for an IoT device? 1 1 1 4 2 1 3 3 2 2 20 10 2 44 What is the process for monitoring and evaluating the implementation of each plan? 1 2 3 1 1 2 4 2 2 2 20 10 2 45 What is the control/monitoring plan? 2 4 2 2 4 2 2 2 1 2 23 10 2.3 46 How will report readings be checked to effectively monitor performance? 2 2 5 1 1 2 2 1 2 1 19 10 1.9 47 Are there documented procedures? 1 2 1 3 1 1 1 5 1 1 17 10 1.7 48 Is documented information retained as evidence of the results of monitoring and measurement? 1 2 2 3 2 4 1 2 1 1 19 10 1.9 49 Are changes planned and controlled, and unintended changes reviewed to mitigate any adverse results? 1 1 1 5 1 2 2 1 2 1 17 10 1.7 50 What quality tools were useful in the control phase? 1 1 1 1 2 2 1 2 1 2 14 10 1.4 51 Will any special training be provided for results interpretation? 1 2 1 2 1 2 2 2 3 2 18 10 1.8 52 Where are there synergies across the plans? 
2 2 2 1 1 2 1 2 1 4 18 10 1.8 53 What other systems, operations, processes, and infrastructures (hiring practices, staffing, training, incentives/rewards, metrics/dashboards/scorecards, etc.) need updates, additions, changes, or deletions in order to facilitate knowledge transfer and improvements? 1 1 2 1 2 2 1 2 1 2 15 10 1.5 54 Do employees perceive group projects as positive learning experiences? 2 3 1 1 5 2 4 2 2 1 23 10 2.3 55 Does job training on the documented procedures need to be part of the process team’s education and training? 4 2 2 2 2 3 1 1 2 4 23 10 2.3 56 Is there a documented and implemented monitoring plan? 4 2 2 2 1 1 2 1 1 1 17 10 1.7 57 What are your plans for digitally transforming your organization? 2 1 1 1 2 2 2 2 1 1 15 10 1.5 58 Are the existing mechanisms for providing consumer control adequate? 3 1 2 1 2 1 2 5 1 4 22 10 2.2 59 What have clients learned from GDPR year one? 1 2 1 2 2 2 2 2 2 1 17 10 1.7 60 Is documented evidence retained to demonstrate that processes have been carried out as planned? 3 3 1 2 1 5 2 2 1 2 22 10 2.2 61 Is a response plan in place for when the input, process, or output measures indicate an ‘out-of-control’ condition? 1 1 1 1 1 1 5 1 1 3 16 10 1.6 62 Have new or revised work instructions resulted? 2 4 2 1 1 2 2 1 2 1 18 10 1.8 63 Does the California Consumer Privacy Act performance meet the customer’s requirements? 2 1 2 3 2 1 2 1 2 1 17 10 1.7 64 How far into the future and what sorts of plans? 2 1 1 1 4 2 2 1 1 2 17 10 1.7 65 What is the status of each plan? 1 5 1 5 4 1 1 1 1 2 22 10 2.2 66 How will the day-to-day responsibilities for monitoring and continual improvement be transferred from the improvement team to the process owner? 1 2 2 2 2 2 2 2 1 2 18 10 1.8 67 How will the process owner verify improvement in present and future sigma levels, process capabilities? 
2 5 5 1 2 5 2 2 2 1 27 10 2.7 0 0 0 SCORE 115 134 125 124 133 121 129 122 128 133 1264 670 1.9 7 Sustain Participant 1 Participant 2 Participant 3 Participant 4 Participant 5 Participant 6 Participant 7 Participant 8 Participant 9 Participant 10 Total Count Avg "In my belief, the answer to the following question is clearly defined:" 0 0 0 1 How will the customer right to deletion be ensured/addressed by third parties? 1 5 1 3 1 1 1 3 1 2 19 10 1.9 2 Have your vendors had any recent security incidents? 5 1 1 1 2 1 1 1 3 1 17 10 1.7 3 What is the service contract for? 1 1 2 1 1 1 1 1 1 1 11 10 1.1 4 What must businesses do to comply? 1 1 5 1 1 1 5 1 1 1 18 10 1.8 5 Has the impermissible use or disclosure compromised the security or privacy of the PHI? 1 1 3 1 1 4 1 5 1 1 19 10 1.9 6 How will businesses determine that a request for information received by a consumer is verifiable? 1 1 1 1 5 1 1 1 1 1 14 10 1.4 7 How can consumer products companies lead through innovation? 1 1 1 1 1 5 1 1 1 1 14 10 1.4 8 Do your vendor contracts comply with CCPA? 1 1 1 1 3 1 1 1 1 1 12 10 1.2 9 How do third parties handle your information? 3 1 1 1 1 1 5 1 1 1 16 10 1.6 10 How does your organization distinguish itself from others? 1 1 1 1 1 1 1 1 3 5 16 10 1.6 11 Is there a policy for the use of cryptography and key management? 4 1 1 1 1 1 1 5 1 2 18 10 1.8 12 What factors affect consumer name removal preferences? 2 1 1 1 3 1 1 1 1 1 13 10 1.3 13 Does the message show the role of the target groups in and for your organization? 4 1 1 1 3 1 2 1 1 1 16 10 1.6 14 Who is responsible for the communication tool? 1 1 4 1 1 1 1 3 1 1 15 10 1.5 15 Can a consumer request that your organization delete the information? 5 4 1 1 5 1 1 3 1 1 23 10 2.3 16 Do you understand your management processes today? 1 1 1 1 1 1 1 1 1 1 10 10 1 17 How do you use your personal information? 1 1 5 1 1 2 1 1 1 3 17 10 1.7 18 Does your organization utilize a backup system? 
1 3 1 3 3 1 1 1 1 1 16 10 1.6 19 What information does the consumer notice have to include? 1 1 1 1 1 1 1 1 1 1 10 10 1 20 What do you do when your employee says the information on the notice is wrong? 1 1 1 1 2 1 3 1 1 1 13 10 1.3 21 Why do you care so much about privacy? 1 1 1 1 1 1 1 1 3 1 12 10 1.2 22 What could be gained by the consumer as participant perspective? 1 4 1 5 2 1 1 3 1 1 20 10 2 23 What kind of ongoing obligations do other organizations have? 1 1 4 1 1 1 1 4 1 1 16 10 1.6 24 Are the services and/or the providers appropriate for the task? 1 4 3 1 1 1 1 1 1 1 15 10 1.5 25 What checks and balances are in place for employee/individual/organizational accountability? 5 5 1 1 1 1 4 1 1 1 21 10 2.1 26 Does the businesses interpretation of the exceptions always win? 2 1 1 1 1 1 1 1 1 1 11 10 1.1 27 What kind of information is covered? 1 1 4 1 1 2 1 1 3 1 16 10 1.6 28 What is considered personal information? 1 1 1 1 1 1 1 1 1 1 10 10 1 29 Did you overestimate the role of social preferences? 1 2 1 1 2 1 3 3 1 5 20 10 2 30 Does GDPR apply to your organization? 1 5 1 1 1 1 1 1 1 1 14 10 1.4 31 Are you responsible for information collected about a large number of consumers? 1 1 1 4 1 1 1 1 1 1 13 10 1.3 32 Which communication tool does your organization prefer, and why? 1 1 1 3 1 1 1 1 1 1 12 10 1.2 33 Does the message show where your organization is going and how it is doing? 1 1 5 1 1 1 5 1 1 1 18 10 1.8 34 How do you execute that response wherever the personal information is located? 1 1 1 1 1 1 1 1 1 1 10 10 1 35 Who in a democracy is opposed to freedom of information? 1 1 5 1 1 1 1 1 1 1 14 10 1.4 36 Where have the virtues of care and compassion gone? 1 1 3 1 1 1 1 1 1 1 12 10 1.2 37 Is smarstheet compliant with the GDPR and the CCPA? 3 1 4 1 3 1 1 1 1 1 17 10 1.7 38 What sectors within consumer products are performing particularly well right now and why? 2 4 2 1 1 1 1 1 1 1 15 10 1.5 39 Does the business have to be within your organization? 
5 1 1 1 1 1 1 1 1 1 14 10 1.4 40 How do you collect consumer personal information? 1 1 1 1 5 1 1 3 1 1 16 10 1.6 41 What are subject rights requests? 1 1 2 1 1 1 1 1 1 1 11 10 1.1 42 What are the new privacy rights? 1 4 4 1 1 1 3 1 1 1 18 10 1.8 43 Is the influence of privacy and security on online trust the same for all type of consumer? 1 1 1 1 1 4 3 1 1 1 15 10 1.5 44 Are you a retaining a service provider? 1 1 1 1 1 1 3 1 1 4 15 10 1.5 45 What conflict strategy styles does your organization employ? 1 1 4 1 1 3 4 1 1 1 18 10 1.8 46 What place do ethics have in business? 1 1 1 1 1 1 3 1 1 1 12 10 1.2 47 What can businesses do to prepare? 1 1 1 1 1 1 1 1 1 1 10 10 1 48 How have the authorities and responsibilities of the staff been arranged? 1 4 1 1 1 1 1 1 1 2 14 10 1.4 49 What are the California Consumer Privacy Act security risks? 1 1 1 2 1 1 1 1 1 1 11 10 1.1 50 Does your organization have a unique characteristic or capability? 1 1 1 1 1 1 1 2 1 2 12 10 1.2 51 Are you currently covered by the HIPAA rules, as a covered entity or business associate? 1 1 1 1 1 1 2 1 1 1 11 10 1.1 52 How will personal information be used? 1 1 3 1 2 3 4 1 1 1 18 10 1.8 53 Has there been unauthorised access to, disclosure or loss of personal information? 1 1 1 1 1 3 1 1 1 1 12 10 1.2 54 Who are the California Consumer Privacy Act decision-makers? 1 1 1 1 2 1 1 1 1 1 11 10 1.1 55 How well do consumers protect themselves from identity theft? 3 1 1 1 1 2 1 3 1 1 15 10 1.5 56 How do you collect your personal information? 1 1 1 1 5 1 5 1 1 1 18 10 1.8 57 What level of consent has been sought from the consumer or user? 2 1 1 1 1 1 1 3 1 3 15 10 1.5 This document is a partial preview. Full document download can be found on Flevy: https://flevy.com/browse/document/california-consumer-privacy-act--implementation-toolkit-5570
  • 7. 58 What specific techniques and/or appeals did you use to try to sell your product? 1 1 1 1 1 1 2 1 1 1 11 10 1.1 59 Are the various social work techniques evident in conducting the social investigation? 1 1 1 3 1 1 1 4 1 2 16 10 1.6 60 Where should financial policymakers seek to change or clarify rights or constraints? 2 1 5 3 2 1 1 1 3 4 23 10 2.3 61 How should revised expectations be trained across your organization? 1 1 3 1 1 1 1 1 1 1 12 10 1.2 62 Has the mobility access manager been enabled for each mobility user in your organization? 1 1 1 1 1 1 1 1 1 4 13 10 1.3 63 When denying a request know or delete, how specific does the reason provided to the requester have to be? 1 1 1 1 1 1 1 1 1 1 10 10 1 64 Have you filled in all the information requested? 3 1 1 1 1 5 1 1 1 1 16 10 1.6 65 Do companies use always on device to authenticate consumers? 1 1 1 1 1 1 1 1 1 1 10 10 1 66 What are the daily routines of your organization? 5 1 1 1 1 1 1 1 1 1 14 10 1.4 67 When should a process be art not science? 1 1 1 5 1 1 5 4 1 5 25 10 2.5 68 Can organizations address privacy concerns through procedural fairness? 2 3 1 1 1 1 1 4 1 1 16 10 1.6 69 Who pays the cost? 1 2 1 1 1 1 1 1 1 3 13 10 1.3 70 Should CCPA regulated businesses execute CCPA compliant agreements with service providers? 5 1 1 1 1 3 1 1 1 1 16 10 1.6 71 How many employees will be involved in using the program materials? 1 1 1 1 1 1 1 1 4 1 13 10 1.3 72 How do always on consumer devices operate? 1 1 4 2 1 1 1 1 5 1 18 10 1.8 73 How many total consumer records do you have? 5 1 1 5 1 1 1 1 4 1 21 10 2.1 74 Does anyone read online privacy policies? 1 4 1 1 2 1 1 1 1 1 14 10 1.4 75 Are there consumer privacy considerations and if so, how are being managed? 1 2 1 1 1 4 1 1 1 1 14 10 1.4 76 Who must provide the initial privacy notice? 1 1 1 1 1 1 1 1 1 1 10 10 1 77 What constitutes an affirmative act? 
1 1 5 1 1 1 3 3 1 1 18 10 1.8 78 Do employees perceptions of group experiences change after participating in a group project? 5 1 1 1 1 1 4 3 1 1 19 10 1.9 79 Did the product fail to comply with government safety regulations? 1 2 1 1 1 1 4 1 1 1 14 10 1.4 80 What challenges have you encountered in getting your organization to comply with laws? 4 1 1 1 1 1 2 1 1 4 17 10 1.7 81 How great a demand do you make on the time employees? 5 1 3 1 1 1 1 1 5 2 21 10 2.1 82 Does the CCPA affect your business? 1 1 3 1 1 1 1 1 1 1 12 10 1.2 83 What is done with the new hire information? 1 1 1 1 1 2 1 1 5 1 15 10 1.5 84 Which privacy laws apply to your organization? 1 1 1 1 1 1 1 1 1 1 10 10 1 85 Is there an official model privacy notice? 1 1 1 1 1 5 3 1 1 1 16 10 1.6 86 What will you entrust to a third party service provider? 1 1 1 1 1 5 1 1 1 1 14 10 1.4 87 Are there any exceptions for small companies? 1 1 1 1 1 1 1 2 1 1 11 10 1.1 88 What type of information is protected? 1 1 1 1 5 1 1 1 1 4 17 10 1.7 89 Will CCPA become a catalyst that finally brings attention and funding to neglected information governance programs? 1 1 2 1 3 2 1 2 1 1 15 10 1.5 90 What steps do you take to reduce barriers and increase employee attendance and capture rate? 1 1 1 1 1 1 1 1 2 1 11 10 1.1 91 What is design in privacy by design? 2 1 1 1 1 1 1 1 1 5 15 10 1.5 92 Why did the employee revolt break out? 1 1 1 1 4 1 3 5 1 1 19 10 1.9 93 Should you wait to see if CCPA is amended? 5 1 1 1 1 4 1 4 1 3 22 10 2.2 94 Does GDPR compliance cover CCPA? 4 1 1 1 2 4 1 1 5 1 21 10 2.1 95 Are you able to track the various metrics related to the service of requests? 1 3 3 1 1 1 1 1 1 5 18 10 1.8 96 Does the CCPA apply to employer employee relationships? 1 1 4 1 1 1 1 1 4 3 18 10 1.8 97 How is your organization handling consumer privacy and communication preferences? 1 1 5 1 1 1 1 1 1 1 14 10 1.4 98 What are the differences between primary and secondary uses of personal information? 
1 1 1 1 1 1 1 1 1 5 14 10 1.4 99 What amounts are considered income for your employee? 1 1 1 1 4 1 1 1 1 1 13 10 1.3 100 How do you involve your organization? 1 1 5 1 1 1 1 1 3 1 16 10 1.6 101 What types of personal information do you collect? 1 1 3 2 1 1 1 1 1 1 13 10 1.3 102 Does your organization have the appropriate agreements in place? 1 2 1 1 1 1 1 1 1 1 11 10 1.1 103 Does CCPA apply to your organization? 1 1 1 1 1 2 1 1 5 1 15 10 1.5 104 Is CCPA applicable to b2b industries? 1 1 1 1 1 1 1 1 1 1 10 10 1 105 Has your organization reviewed how you obtain consent from customers, prospects and others? 1 1 1 1 2 1 4 1 1 1 14 10 1.4 106 How easy it is to make requests? 1 1 1 1 1 1 1 1 5 3 16 10 1.6 107 Does the privacy policy include any links to marketing opt outs? 1 1 1 1 1 1 1 1 1 1 10 10 1 108 What makes permission marketing effective in influencing consumer interest and behavior? 2 1 5 1 1 1 1 3 1 2 18 10 1.8 109 Does your website or app have visitors from california? 1 1 1 1 1 1 4 1 1 1 13 10 1.3 110 Are there any products or services in your organization which are of lower quality? 1 5 1 1 4 1 1 1 1 1 17 10 1.7 111 How should CCPA compliance be future proofed? 5 3 1 1 1 1 1 1 1 4 19 10 1.9 112 What gaps do you still see in aligning security and privacy? 3 1 5 2 1 1 1 1 1 1 17 10 1.7 113 Is the desired behavior realistic, given your organizations policy, culture, and structure? 1 1 4 3 1 1 1 1 1 1 15 10 1.5 114 How do you protect collected personal information? 5 1 1 1 2 1 1 1 1 2 16 10 1.6 115 Why do you care so much what other people think? 3 1 1 1 1 1 4 1 1 1 15 10 1.5 116 How should notices be written and presented on your organization website or app? 1 4 5 1 1 5 1 1 1 1 21 10 2.1 117 Do you correct or update your information? 1 2 1 1 1 1 1 1 1 1 11 10 1.1 118 Do you follow cybersecurity norms and best practices? 2 1 5 4 1 1 1 4 1 1 21 10 2.1 119 Are you able to work occasional weekend hours? 
1 1 1 1 1 1 5 1 1 1 14 10 1.4 120 What line of business does your organization belong to? 1 1 1 1 1 1 3 1 4 1 15 10 1.5 121 How does CCPA compliance relate to GDPR compliance? 1 1 1 4 4 3 1 1 3 1 20 10 2 122 What information should the regulated organization provide to the appraiser upon engagement? 1 1 1 1 1 1 1 1 1 1 10 10 1 123 Does your organization have an online catalog of goods? 1 2 3 1 1 1 1 1 1 5 17 10 1.7 124 Who should determine access to adoption records? 2 1 1 1 1 1 4 1 1 1 14 10 1.4 125 Are there more privacy laws coming? 1 1 1 4 4 1 5 1 1 1 20 10 2 126 What is the difference between organizational culture and organizational climate? 1 1 1 3 1 1 1 1 1 1 12 10 1.2 127 What do you know about your organization? 1 5 4 1 1 1 1 1 1 1 17 10 1.7 128 How do you care for frontline care workers? 2 1 1 1 1 1 1 1 3 2 14 10 1.4 129 Who in your organization provides oversight of your security program? 1 1 1 1 1 1 1 1 1 1 10 10 1 130 Who will see the personal information that is collected? 1 1 1 1 1 1 4 5 1 1 17 10 1.7 131 How will the employees work follow or complement others work? 1 1 1 1 1 1 2 2 1 5 16 10 1.6 132 What is your organizations mission? 1 3 1 1 1 4 1 1 1 1 15 10 1.5 133 What about privacy and security laws in the rest of the world? 1 1 1 3 2 1 1 2 1 1 14 10 1.4 134 How do you opt in to a product telling the manufacturer that it burned out? 1 1 3 1 1 1 1 1 1 1 12 10 1.2 135 Who are the California Consumer Privacy Act decision makers? 1 3 4 1 1 4 1 1 1 1 18 10 1.8 136 Who is stealing your information? 1 1 1 1 1 1 1 1 1 1 10 10 1 137 What information does HIPAA protect? 1 5 1 1 1 1 3 5 1 2 21 10 2.1 138 Who does the majority of unpaid work? 3 1 1 1 1 1 4 1 4 1 18 10 1.8 139 How will you authenticate the identity of the person making the request? 1 1 4 1 3 1 1 1 1 1 15 10 1.5 140 Does the act cover small businesses? 4 1 1 1 5 1 1 2 1 1 18 10 1.8 141 Who is responsible for implementing the policy? 
1 1 1 1 1 1 1 1 1 1 10 10 1 142 Do you disclose categories of personal information collected and the purpose of collection? 1 1 1 3 1 2 1 1 1 1 13 10 1.3 143 How is it all linked together for production? 1 1 3 1 1 1 1 1 1 1 12 10 1.2 144 Who is protected and what type of information is protected? 1 1 1 1 2 1 1 1 1 1 11 10 1.1 145 Does the privacy rule apply to your trust operations? 1 1 1 1 1 1 1 1 1 5 14 10 1.4 146 Is your organization privately held? 1 3 1 1 1 3 1 1 2 1 15 10 1.5 147 How does GDPR compliance intersect with CCPA? 1 1 1 4 1 1 1 1 1 1 13 10 1.3 148 What is the environment other organizational units, other organizations, sphere of social influence? 1 1 1 1 1 1 3 1 1 1 12 10 1.2 149 What factors determine how soon you will make contact? 1 1 1 1 1 2 1 1 2 1 12 10 1.2 150 Are there fixed procedures within your organization? 1 1 1 1 1 1 1 1 2 1 11 10 1.1 151 Why is consumer privacy important? 1 1 1 1 1 2 1 1 1 1 11 10 1.1 152 What does CCPA cover in terms of protections for consumers? 1 1 1 1 1 1 1 1 1 1 10 10 1 153 When might a vendor also be your organization? 1 1 1 1 1 1 3 4 4 1 18 10 1.8 154 What steps does your organization take now to prepare for compliance? 1 2 1 5 1 1 1 1 1 1 15 10 1.5 155 Which would lead you to most trust that brand with your personal information? 1 1 1 1 1 1 5 1 1 1 14 10 1.4 156 Are the risks fully understood, reasonable and manageable? 1 1 1 1 3 1 1 1 1 2 13 10 1.3 157 How will corresponding data be collected? 1 3 1 1 1 1 1 1 1 5 16 10 1.6 158 Who owns what data? 3 1 2 4 1 1 1 1 1 1 16 10 1.6 159 Can consumer privacy concern be a thorn for loyalty programs? 1 5 1 3 1 1 1 1 1 1 16 10 1.6 160 How were all companies dealing with subject access requests? 1 1 1 1 1 1 1 2 1 1 11 10 1.1 161 Do the viable solutions scale to future needs? 2 1 1 1 1 1 1 1 5 1 15 10 1.5 162 How is CCPA different than GDPR? 1 1 1 1 1 1 1 1 1 1 10 10 1 163 What is GDPR and how does it relate to CCPA? 
3 1 1 1 1 2 1 1 1 1 13 10 1.3 164 What are the specific, unique characteristics of your organization? 1 1 1 1 1 3 1 1 1 1 12 10 1.2 165 Has the mobility access manager been enabled for the entire firm? 1 2 1 1 1 5 1 1 3 1 17 10 1.7 166 Who is involved in the management review process? 1 1 1 1 1 1 1 1 1 1 10 10 1 167 What type of research resources do you have access to? 2 1 1 1 1 1 1 1 3 1 13 10 1.3 168 How does your values best show care for the clients wellbeing? 2 1 1 1 1 1 1 2 1 1 12 10 1.2 169 Does the CCPA apply to your firm? 1 1 1 1 2 1 1 4 1 1 14 10 1.4 170 Are the investigators collecting only the minimum necessary PHI to carry out the investigation? 1 1 1 1 1 1 1 3 1 1 12 10 1.2 171 How do you modify your privacy policy? 1 1 1 1 1 1 1 1 1 1 10 10 1 172 How is personal information stored and maintained? 1 1 1 1 1 1 1 1 1 1 10 10 1 173 How much will companies be fined for noncompliance? 1 3 1 1 1 1 1 1 1 1 12 10 1.2 174 When central board of revenue act was came into force? 2 1 1 1 2 1 1 1 1 1 12 10 1.2 175 How should corporations manage information privacy policies? 1 1 1 5 1 1 2 1 1 1 15 10 1.5 176 Which characteristics enhances the quality of information? 1 5 1 1 1 1 3 1 3 1 18 10 1.8 177 Does the CCPAs statutory damages apply to service providers? 1 1 1 1 1 1 1 1 5 1 14 10 1.4 178 Do you want your vendor to be a service provider? 3 2 1 1 2 1 1 4 3 1 19 10 1.9 179 What are the challenges in maintaining a privacy program? 1 1 1 3 1 1 1 1 1 1 12 10 1.2 180 Is there a written policy/strategy on alarms? 1 4 4 3 1 1 1 1 1 1 18 10 1.8 181 Do you have the optimal project management team structure? 1 3 1 1 1 4 4 1 1 1 18 10 1.8 182 Is an intermediary your organization? 1 1 1 1 1 1 1 1 1 4 13 10 1.3 183 Can a consumer opt in to personalized digital advertising in exchange for free or discounted news? 1 1 1 1 1 1 2 1 1 1 11 10 1.1 184 How do you simplify consumer choice? 1 1 1 3 1 1 1 1 1 4 15 10 1.5 185 What should be part of your compliance strategy? 
1 1 1 1 1 1 5 1 1 1 14 10 1.4 186 What is the California Consumer Privacy Act business impact? 1 5 1 2 1 3 1 1 1 3 19 10 1.9 187 How will individual rights requests be received by your organization? 3 1 1 1 5 1 1 1 1 3 18 10 1.8 188 How will CCPA affect supply chain management? 1 1 1 1 1 1 1 1 4 5 17 10 1.7 189 Does the breach or potential breach involve personal information? 1 1 1 1 1 3 1 1 1 1 12 10 1.2 190 What does lost information look like? 1 1 1 1 1 1 2 1 1 1 11 10 1.1 191 How, and how often, will you report to the client and your organization? 1 1 3 5 1 1 1 1 4 1 19 10 1.9 192 Who do you share your information with? 1 1 1 1 3 1 1 2 1 1 13 10 1.3 193 Does your organization always have to comply with a consumer deletion request? 1 5 1 1 1 1 1 2 1 5 19 10 1.9 194 How to demonstrate reasonable security procedures? 1 1 4 1 1 1 4 1 1 2 17 10 1.7 195 How long does your organization have to respond to a verifiable consumer request? 1 1 2 1 1 2 1 4 5 5 23 10 2.3 196 Is it acceptable to have the information available on request or must it be prominently displayed? 1 4 1 1 1 1 1 1 1 5 17 10 1.7 197 Have you updated your service provider contracts? 1 2 1 1 1 1 1 1 1 1 11 10 1.1 198 What contract provisions should you be putting in place with service providers? 1 1 1 1 1 1 1 1 1 5 14 10 1.4 199 What about labor organizations and hiring halls? 1 1 1 1 1 1 1 1 1 1 10 10 1 200 How is it used to perform the services? 1 2 1 1 3 5 1 4 1 1 20 10 2 201 Who will facilitate the team and process? 1 1 1 1 5 1 4 1 1 1 17 10 1.7 202 How is the personal information managed and stored? 4 1 4 1 1 1 1 1 1 1 16 10 1.6 203 How do you use your information? 3 1 1 1 1 1 2 1 1 1 13 10 1.3 204 Who will have access to the information? 1 1 1 1 1 1 3 1 1 4 15 10 1.5 205 What rights do individuals have to access PHI? 1 1 5 1 1 1 4 1 1 1 17 10 1.7 206 Do any of the links in the privacy policy to the marketing opt outs work? 
1 1 1 1 1 1 1 1 2 1 11 10 1.1 207 What can regulated businesses do to prepare? 1 1 1 1 1 1 1 1 1 1 10 10 1 208 Have you reviewed your security practices and procedures? 1 1 1 1 1 1 1 1 1 2 11 10 1.1 209 What assumptions are made about the solution and approach? 1 4 3 1 1 1 5 1 4 1 22 10 2.2 210 What do you anticipate will be early areas of legal enforcement and what are the deadlines on compliance? 1 1 1 1 1 1 1 5 1 1 14 10 1.4 211 How do consumers know that you are going to do all of that? 1 1 1 1 1 1 1 1 1 1 10 10 1 212 What was the fixed production overhead capacity variance? 1 2 1 1 1 1 1 1 1 3 13 10 1.3 213 What aspects of your privacy policies and practices must your notice address? 1 1 2 2 1 4 1 1 1 1 15 10 1.5 214 How will you handle incomplete requests? 1 1 1 1 1 1 1 1 1 1 10 10 1 215 What privacy principles should you follow? 1 5 1 1 1 2 5 1 1 1 19 10 1.9 This document is a partial preview. Full document download can be found on Flevy: https://flevy.com/browse/document/california-consumer-privacy-act--implementation-toolkit-5570
  • 8. 216 Will the information that you provide be provided or sold to other companies? 1 1 1 2 4 1 2 1 1 1 15 10 1.5 217 What personal information is being collected? 1 1 3 3 1 1 4 1 4 1 20 10 2 218 Is it a for profit organization? 1 2 1 1 1 1 1 1 1 4 14 10 1.4 219 Has your organization more than one geographical location? 1 1 1 1 1 3 3 1 1 1 14 10 1.4 220 What do you worry about most in security? 1 1 1 1 1 1 1 1 5 1 14 10 1.4 221 What are the penalties for non compliance? 5 1 1 1 1 1 1 1 1 1 14 10 1.4 222 Do you maintain audit trails for request fulfillment for audit purposes? 1 1 4 1 1 1 1 1 1 1 13 10 1.3 223 Can a consumer request that your organization delete the personal information? 1 1 1 3 1 1 1 1 1 1 12 10 1.2 224 Do you know where the personal information goes? 1 3 4 5 1 1 1 1 4 1 22 10 2.2 225 What kind of customer notice must you provide? 1 1 1 1 1 1 1 1 1 3 12 10 1.2 226 What are the elements of the right of consumer information privacy? 1 1 1 1 4 1 1 1 1 1 13 10 1.3 227 Does the CCPA affect your organization? 1 1 5 1 1 1 1 1 1 5 18 10 1.8 228 Do you combine payments from different employees into the same check? 1 1 1 1 1 4 1 1 1 1 13 10 1.3 229 What was the labor efficiency variance? 1 2 1 1 1 1 1 1 1 4 14 10 1.4 230 What exceptions exist for companies? 1 1 1 1 3 1 4 1 1 1 15 10 1.5 231 What have other organizations done with all that money? 4 1 1 1 1 2 2 1 1 1 15 10 1.5 232 Do you search for the personal information? 1 1 3 1 1 2 1 1 1 1 13 10 1.3 233 Does the GDPR apply to your you based organization? 2 1 1 1 1 1 1 3 1 1 13 10 1.3 234 What is the source for personal information? 1 1 5 1 5 1 1 1 1 1 18 10 1.8 235 Why should merchants care about consumer privacy? 1 1 1 1 1 1 1 1 1 5 14 10 1.4 236 What kinds of companies are affected? 1 2 5 1 1 1 1 5 1 1 19 10 1.9 237 What determines business fixed investment? 1 1 4 1 1 1 1 2 1 1 14 10 1.4 238 Is the opposition subject to mediation? 
1 2 1 1 1 1 1 1 2 1 12 10 1.2
239 Do people have the necessary supports in place to benefit from the services that are being provided? 2 4 1 1 5 1 4 1 1 1 21 10 2.1
240 Do companies have to flow down deletion requests to service providers? 1 1 1 1 1 1 5 1 1 1 14 10 1.4
241 How well do employees communicate in writing? 5 1 1 2 5 1 1 1 1 1 19 10 1.9
242 What is the driving force behind your organization? 1 1 1 1 1 1 1 1 1 1 10 10 1
243 What personal information do you collect? 1 1 1 3 1 1 1 1 1 1 12 10 1.2
244 Are customers notified of policy changes? 1 1 4 1 1 1 1 1 1 1 13 10 1.3
245 How does brand misconduct affect the brand-consumer relationship? 1 2 2 1 2 1 1 1 1 1 13 10 1.3
246 What gets examined? 1 1 1 1 2 4 5 1 3 1 20 10 2
247 Should CCPA extend to your entire customer base? 1 1 1 1 1 1 1 1 1 1 10 10 1
248 What is a sale of personal information? 1 1 1 5 1 4 2 1 5 1 22 10 2.2
249 Can you integrate quality management and risk management? 3 1 1 5 1 1 1 1 4 1 19 10 1.9
250 What are the financial penalties that any size of business may face? 1 1 5 1 1 4 4 5 1 1 24 10 2.4
251 What methods may you use to report new hire information? 1 2 1 1 1 1 1 1 3 1 13 10 1.3
252 How do you as an individual fit in all organizations? 5 1 1 1 1 1 1 4 1 1 17 10 1.7
253 What is a worst-case scenario for losses? 1 1 4 1 1 3 4 2 2 1 20 10 2
254 What constitutes personal information? 5 1 5 1 1 1 1 3 1 1 20 10 2
255 Are employees from other businesses consumers? 1 1 1 5 2 1 1 1 1 1 15 10 1.5
256 How far out should the next level center be? 1 1 4 1 1 1 2 1 1 1 14 10 1.4
257 Are tech companies destroying consumer privacy? 1 1 1 5 1 1 3 1 4 1 19 10 1.9
258 What personal information is covered? 1 1 1 1 1 1 1 1 1 1 10 10 1
259 Are you an international employee? 1 3 1 1 1 1 1 1 1 1 12 10 1.2
260 How will the information be stored during the investigation? 1 1 1 1 1 1 1 1 1 3 12 10 1.2
261 What businesses are subject to the GDPR? 1 1 1 1 1 1 1 1 1 1 10 10 1
262 What are the California Consumer Privacy Act design outputs? 1 1 1 1 1 1 1 1 1 4 13 10 1.3
263 Do third parties manage information for the business area? 4 1 5 1 1 1 1 1 1 4 20 10 2
264 What consumer personal information do you sell, if any? 1 1 1 4 1 1 1 2 1 1 14 10 1.4
265 Is everyone informed about your organization's objectives? 1 3 1 1 5 1 1 4 1 2 20 10 2
266 How do you set it up in a commercial world where it works to the consumers' satisfaction and yet still works? 1 1 1 1 1 3 1 1 1 1 12 10 1.2
267 What should employers do about the California Consumer Privacy Act? 1 1 1 1 1 1 1 1 1 1 10 10 1
268 Can affiliates be part of a single business? 1 1 1 1 1 1 1 1 1 1 10 10 1
269 Is there an independent review of information security? 1 4 1 1 1 1 1 1 1 1 13 10 1.3
270 How do you build the right business case? 1 2 1 4 1 1 1 1 1 1 14 10 1.4
271 Are your organization's values and norms expressed in communication behavior? 1 1 1 1 1 3 1 5 1 1 16 10 1.6
272 Should CCPA formulate a response? 1 1 1 1 1 1 1 1 3 1 12 10 1.2
273 How often is systems access reviewed and individual access rights updated? 1 1 1 2 1 1 1 1 5 1 15 10 1.5
274 Does the repository type change the capabilities of the tool? 1 3 1 1 2 4 1 1 1 2 17 10 1.7
275 Are some elements different for privacy versus a records management inventory? 1 1 1 1 1 1 1 1 1 1 10 10 1
276 Has the pclaw link as a service been installed? 1 2 1 5 1 1 1 1 1 1 15 10 1.5
277 Does your organization have an updated privacy notice? 1 4 1 1 1 1 1 1 5 1 17 10 1.7
278 How are you accountable for privacy information? 3 1 1 2 1 1 1 1 1 2 14 10 1.4
279 What is the primary location of your organization's headquarters? 1 1 1 1 1 1 1 1 1 1 10 10 1
280 How do you calculate the maximum to withhold for an employee? 1 4 1 1 1 2 1 4 1 1 17 10 1.7
281 How many consumers would likely choose to avoid receiving targeted advertising? 3 1 1 3 1 1 1 4 1 2 18 10 1.8
282 What users will be impacted? 1 1 1 1 1 1 1 1 2 3 13 10 1.3
283 Which of the different theories of consumer confusion are implicated by facts? 1 1 2 1 1 1 1 1 1 2 12 10 1.2
284 What was the value of the closing work in progress for last period? 1 1 5 1 4 1 1 1 1 1 17 10 1.7
285 How can you better manage risk? 1 1 1 1 1 1 1 1 3 1 12 10 1.2
286 What are you doing with your personal information? 1 1 1 1 1 1 2 1 1 1 11 10 1.1
287 What is next for the financial services industry? 1 1 5 1 1 2 1 1 1 1 15 10 1.5
288 How do you build privacy by design into an AI/IoT device? 1 1 1 1 1 1 1 4 1 5 17 10 1.7
289 What products/services is your organization looking to introduce/eliminate in the near future? 1 1 1 2 2 1 1 1 1 2 13 10 1.3
290 Are all requirements met? 1 1 1 1 1 5 1 1 5 5 22 10 2.2
291 How and when should companies begin compliance efforts? 1 1 1 1 1 3 1 1 1 1 12 10 1.2
292 What are the potential short-term and long-term effects on consumer privacy? 1 1 4 1 1 1 1 1 1 5 17 10 1.7
293 Has the social worker observed the principles of engagement in social work? 3 1 1 1 1 3 1 2 1 1 15 10 1.5
294 How likely are you to share personal information with industries? 5 1 1 1 4 1 2 1 3 1 20 10 2
295 Is your organization a covered business? 1 1 1 1 1 1 1 1 1 1 10 10 1
296 What exposure does the GDPR present? 1 1 1 1 1 1 1 1 1 1 10 10 1
297 What is the employee's disposable pay? 1 1 1 1 1 4 2 1 1 2 15 10 1.5
298 What frameworks and tools have helped your organization respond? 1 1 1 1 1 1 1 1 1 1 10 10 1
299 What aspects of deprivation are more and less served by the policies and programs? 1 1 1 3 3 1 2 1 1 1 15 10 1.5
300 Are risk management tasks balanced centrally and locally? 1 1 4 1 1 1 5 1 3 1 19 10 1.9
301 Does privacy have sufficient stature in your organization? 1 1 1 2 2 1 1 1 1 1 12 10 1.2
302 What California Consumer Privacy Act data will be collected? 1 2 1 1 1 1 1 1 5 1 15 10 1.5
303 Where is the cost? 1 1 1 1 2 1 1 1 1 1 11 10 1.1
304 Is the work to date meeting requirements? 1 1 1 2 1 1 3 1 1 1 13 10 1.3
305 Will you include small business accounts too? 1 1 1 1 1 1 1 5 1 1 14 10 1.4
306 What changes has the GDPR brought to the profession? 1 1 3 1 1 1 1 1 4 1 15 10 1.5
307 Do you know of any organization that sells any private information that comes through it? 1 1 1 4 1 1 1 1 1 1 13 10 1.3
308 What does the CCPA consider personal information? 2 1 1 1 1 1 1 1 1 1 11 10 1.1
309 When did the CCPA go into effect? 1 1 1 1 5 1 5 1 1 1 18 10 1.8
310 How many people leave each year, and how difficult is it to recruit staff? 1 1 1 2 1 1 4 1 1 5 18 10 1.8
311 How will you demonstrate compliance? 2 5 1 1 2 1 1 1 1 1 16 10 1.6
312 Are you selling everywhere your consumers want to buy? 1 1 1 1 1 1 1 1 1 1 10 10 1
313 How does the GDPR/CCPA right to be forgotten affect backups? 1 1 5 1 1 1 4 1 1 1 17 10 1.7
314 How does sycamore protect your personal information? 3 1 1 1 1 1 1 1 1 1 12 10 1.2
315 Is there an established change management process? 1 5 1 1 4 4 1 1 1 1 20 10 2
316 Who will provide care and services to a future aging population? 1 1 1 1 1 1 1 1 1 1 10 10 1
317 Do companies have to flow down access requests to service providers? 1 1 1 1 2 1 1 1 4 1 14 10 1.4
318 What social networks do you advertise on? 1 1 1 1 1 2 1 1 1 3 13 10 1.3
319 What are financial organizations currently doing to rebuild reputation? 4 1 1 3 1 1 1 1 1 1 15 10 1.5
320 What personal information do you collect and share, and for what purpose? 1 1 1 2 1 2 1 1 1 1 12 10 1.2
321 Why must CCPA privacy language be included in the procurement contract with the providers? 1 3 1 1 1 1 1 1 1 3 14 10 1.4
322 How will the data be checked for quality? 1 1 1 1 1 1 1 1 1 1 10 10 1
323 Do you believe that types of information are being collected by digital platforms? 1 1 1 4 1 4 1 1 1 1 16 10 1.6
324 Does it apply to non-profit organizations? 1 3 1 5 1 1 5 1 1 1 20 10 2
325 Is the quality assurance team identified? 1 1 2 1 1 1 1 5 1 1 15 10 1.5
326 When/with whom do you share personal information? 1 1 1 5 1 1 3 1 5 1 20 10 2
327 What personal information will be collected? 5 1 1 1 1 1 1 1 1 4 17 10 1.7
328 Have financial organizations gone far enough with privacy disclosures? 1 1 1 1 1 1 1 3 1 1 12 10 1.2
329 Are employees usually able to take first-choice courses? 3 1 1 1 1 1 1 1 1 1 12 10 1.2
330 Where is your organization going? 1 1 1 1 1 1 1 1 4 1 13 10 1.3
331 What personal information do you collect or possess? 5 1 1 4 1 1 1 1 4 5 24 10 2.4
332 When is a related entity considered part of the business? 1 1 1 1 1 1 5 2 1 1 15 10 1.5
333 How do you ensure that security can be kept current on an IoT device? 1 1 1 1 1 1 1 2 1 1 11 10 1.1
334 How does information acquisition affect physical/social structure in a work environment? 5 2 1 1 1 2 1 3 1 1 18 10 1.8
335 Are procedures documented for managing California Consumer Privacy Act risks? 1 3 1 3 3 1 1 1 1 1 16 10 1.6
336 How fast did your organization investigate and respond to the incident? 1 4 1 1 1 1 3 1 3 4 20 10 2
337 Who will lead the implementation? 1 4 1 1 4 1 1 1 1 1 16 10 1.6
338 What systems/processes must you excel at? 1 1 3 1 1 1 1 1 1 1 12 10 1.2
339 How does GDPR affect organizations? 1 1 1 2 1 1 4 1 1 1 14 10 1.4
340 What kind of employee thrives in your program? 1 1 4 1 1 1 4 1 1 1 16 10 1.6
341 How long to keep data and how to manage retention costs? 1 1 1 1 1 1 1 1 2 1 11 10 1.1
342 Does the GDPR apply to your organization? 1 5 1 1 1 1 1 1 1 1 14 10 1.4
343 Who is covered by the privacy rule? 1 1 1 1 1 4 1 1 1 1 13 10 1.3
344 How should privacy rights be protected? 1 1 1 1 1 1 1 1 1 1 10 10 1
345 Does that constitute tracking of a consumer? 1 1 1 1 1 1 1 1 1 1 10 10 1
346 Should directory information services and products be prescribed as specified services? 1 1 2 1 1 1 1 1 1 1 11 10 1.1
347 What is that function for the various policy areas? 5 1 1 1 1 1 1 1 5 2 19 10 1.9
348 What knowledge or experience is required? 1 1 2 1 1 1 1 1 1 1 11 10 1.1
349 How do you obtain your personal information? 1 1 1 2 2 2 1 1 1 2 14 10 1.4
350 Who do you share your personal information with? 1 1 1 1 1 2 1 1 5 1 15 10 1.5
351 Did you find any other type of opt-outs in the privacy policy? 1 5 1 5 1 5 4 1 1 1 25 10 2.5
352 Is the California Consumer Privacy Act solution sustainable? 1 1 1 1 1 1 1 1 1 1 10 10 1
353 What does CCPA want you to do with it? 1 3 1 3 1 1 1 1 1 1 14 10 1.4
354 What are management teams to do? 1 1 3 1 1 1 1 1 1 1 12 10 1.2
355 Which part of the sheet are you sharing? 1 1 1 1 1 4 3 1 1 1 15 10 1.5
356 What are the ramifications of non-compliance? 2 1 1 1 1 1 4 1 1 1 14 10 1.4
357 What subcontractors and suppliers support your lead service providers? 1 1 1 1 1 1 1 1 1 2 11 10 1.1
358 How relevant is the information you are collecting about the potential compromise? 1 1 5 5 1 1 1 1 1 1 18 10 1.8
359 What does a modern industrial policy look like? 5 1 1 1 2 1 1 1 1 1 15 10 1.5
360 How will the change process be managed? 1 1 1 1 1 1 1 1 1 1 10 10 1
361 What about employees of your organization? 1 1 1 1 1 1 1 1 1 5 14 10 1.4
362 What is your organization's purpose? 1 1 1 1 1 1 1 2 1 3 13 10 1.3
363 Have you recently changed positions? 3 1 1 1 1 1 1 1 1 1 12 10 1.2
364 How should consumers make a request for access or opting out? 1 1 1 3 1 3 1 1 1 1 14 10 1.4
365 Which apply to your organization? 4 1 1 1 1 1 1 1 1 2 14 10 1.4
366 How many officials are registered with your organization? 4 4 1 1 1 1 1 1 1 1 16 10 1.6
367 Is your organization held liable for the actions of a third party with which it may share information? 1 1 1 1 1 1 1 1 1 4 13 10 1.3
368 What are the key steps toward compliance? 1 1 1 4 1 1 1 1 1 1 13 10 1.3
369 Why should privacy be implemented into design? 1 1 1 1 5 1 1 1 1 1 14 10 1.4
370 Has your organization determined the interested parties that are relevant to the ISMS? 1 4 1 1 1 1 1 1 1 1 13 10 1.3
371 How do financial services providers differentiate themselves? 1 1 3 1 1 1 1 1 2 1 13 10 1.3
372 Where is privacy best aligned within your organization? 1 1 3 2 1 1 1 1 1 1 13 10 1.3
373 Which companies and industries are making the most progress in reducing wastes? 1 1 1 1 1 1 1 3 1 1 12 10 1.2

This document is a partial preview. Full document download can be found on Flevy: https://flevy.com/browse/document/california-consumer-privacy-act--implementation-toolkit-5570