Yes, yes, I know CCPA doesn’t go into effect until January 2020 and won’t be enforced until June 2020. The problem I foresee is there is going to be an industry-wide bandwidth issue I expect to crop up starting in mid to late Q3 of this year.
We saw this when ISO 27001 transitioned from 27001:2008 to 27001:2013, we saw it last year with GDPR and DFS 500, and we see it every December with network penetration testing. We all tend to procrastinate and then pay a price when we realize there isn’t enough bandwidth to address our requirements. I think that price is going to be pretty steep with CCPA, which is why I am encouraging you to address CCPA now.
The International Association of Privacy Professionals (IAPP) estimates that 500,000 US-based companies will need to comply with CCPA, with the clear majority being small to mid-sized organizations. That’s a lot of companies needing privacy and security expertise in a short period of time. Unfortunately, there are a limited number of folks with enough Privacy expertise to address CCPA adequately.
For perspective, the IAPP, which is “the” association for privacy professionals, boasts a worldwide membership of only 40,000. If we assume that the US membership is proportional to its portion of the world’s GDP, that would put us at around 7,000 US members. As the US is notably behind the EU in terms of Privacy, I think it would be safe to say that number is less, but let’s assume 7,000 members for this exercise. Of these 7,000, a majority work in a Fortune 500 level enterprise, with many of them in the financial industry. So how many privacy professionals does that leave to help those 500,000 small to mid-sized organizations achieve CCPA compliance? If it’s 5,000 I would be surprised.
Further, dealing with CCPA requires both privacy and security expertise. Of those 5,000, how many also have the security expertise necessary to architect and operate a CCPA program? Assuming all 5,000 are capable, how many of them are readily available? It’s fair to assume most already have full-time jobs. So, let’s blend in some folks that are not IAPP members or CIPP/CIPT certified but who are still great resources, and bring that number back up to 5,000.
That’s 100 companies for each single resource and all those companies are going to want to do this work over about an 8-month time frame. If we assume providing CCPA implementation support is about 15 days of work effort, then each resource would need to complete approximately 1,500 person-days of work to complete all the work needed in the US. The reality is there are only 135 person-days in 8 months (using typical consulting firm assumptions) per each resource.
It’s likely the demand will be more than ten times greater than capacity from late 2019 through mid-2020. What does that mean for you?
- You won’t be able to find a resource to help you, which means you delay CCPA, which puts you at significant risk; or
- You won’t be able to find a resource to help you, which means you develop your own CCPA program (delaying other work efforts), which puts you at significant risk; or
- You find a sub-optimal resource who isn’t capable but is doing the work anyway, which puts you at risk; or
- You find a great resource, but they charge you significantly more than you would have paid if you did the work in September 2019.
Even if my estimates are off by a factor of two, it’s going to be ugly. Address CCPA as soon as possible. You can thank me later.