California Consumer Protection Act (CCPA) – Do You Have an Action Plan for your ERP?

By Scott Lavery • October 24, 2019

CCPA – A Quick Review

CCPA takes effect on January 1,2020. The spirit of CCPA revolves around consumers taking back control of their personal information – pushing data privacy to the forefront. According to the regulation, California citizens will have the right to know what personal data (PII) has been collected by a business. Consumers also have the right to say ‘No’ to the sale of their information and delete all data that an organization owns (related to them.) Once CCPA comes into effect, consumers can file lawsuits against companies for breaches.

After being implemented (on Jan 1, 2020), CCPA will also have a Look Back period – organizations will need to disclose how they have been collecting, using, storing, and sharing data over the past year. 

Consequences of Non-Compliance

In the case of non-compliance, organizations run the risk of facing hefty fines. CCPA imposes up to $2,500 per unintentional violation and $7,500 per each intentional violation. 

Preparing your ERP for CCPA in (2) Steps

To ensure compliance and avoid high penalties, organizations need to have additional mechanisms in place. Here are a couple tactical strategies organizations should consider to prepare their ERP systems for the 1/1/2020 deadline:

1.   Enhance Visibility into User Activity

CCPA requires organizations to have complete visibility into how their data is obtained, used, stored, and shared with third parties. Note the term: used. To achieve detailed visibility around data usage, organizations need to adopt a robust, real-time logging strategy. Logging user information (such as date of access, UserID, IP address, device, location of access, etc.) is crucial for understanding how data is being used within your organization.

Traditional ERP systems like PeopleSoft, SAP ECC and Oracle EBS do not provide this level of granularity. It is recommended that logging enhancement tools be scoped, as actionable insights that highlight who viewed what data field(s) are currently a blindspot inside these systems.

Logging data can be leveraged inside a SIEM to provide trends and analytics – making audit practices more efficient.

2.   Prevent Unnecessary Data Exposure for High Privilege Users

Today, CIO’s all over the country are leading efforts to define what constitutes PII, identifying where it resides and furiously writing policies to restrict access. When it comes to ERP systems, the static rules that govern access and data exposure can be limiting – this is especially true when it comes to the ability to mask or redact data fields.

User-centric vs. data-centric

Use Case: Should PII, like a user’s social security number be visible to even high privilege users? Is there a ‘business process’ reasons for that (or any personal info: marital status, home address, health insurance info, etc.) to be accessible by anyone except the individual who owns that PII?

These scenarios are difficult to manage in ERP systems because roles and privileges are user-centric, not data-centric. The distinction being a user centric role says a person (or group in most cases) can view something under any circumstances. And, data-centric means the nature of the data defines the access. People (and roles) may come and go, but the data remains the centerpiece of the policy.

Having the ability to mask any data field (via a data-centric policy) is the best way to ensure that access to PII is limited under the most strict of circumstances. After all, the principal of least privilege dictates that a user should only be accessing what’s truly necessary. Having your data exposure be defined by static user roles (and not the data itself) will inevitably lead to compliance problems.


Once an organization goes through the process of locating and defining their PII – the true compliance efforts begin! The (2) steps above provide helpful framing around how an organization should approach tactical ERP data compliance strategies. And Appsian can help!

CCPA and GDPR are the beginning of a series of compliance mandates expected to follow. Several states in the U.S. are drawing up their own mandates for data privacy. It’s a given that visibility into ERP data access is no longer an option but a necessity. Contact us to learn how you can fast track your preparation for compliance by enhancing your visibly and applying a data-centric ERP compliance framework.

Example CCPA Analytics Dashboard (powered by Appsian)
Use Cases Highlighted: PII access volume (by User ID) and Sensitive data access volume (by IP)

Put the Appsian Security Platform to the Test

Schedule Your Demonstration and see how the Appsian Security Platform can be tailored to your organization’s unique objectives

Start your free demo

"Learn how you can reduce risk with rapid threat protection, audit response and access control. All from a single, comprehensive platform"

Trusted by hundreds of leading brands