Reducing CCPA Cybersecurity Audit Risk
A Two‑Phased Approach for Data Retention and Disposal Programs
8 June 2026
Given the lead time required, corporations subject to upcoming California Consumer Privacy Act cybersecurity audits should prioritize the assessment and enhancement of their retention and disposition programs.
New incremental regulations for the California Consumer Privacy Act (CCPA) are now in effect, including updates that introduce requirements for organizations to conduct risk assessments, cybersecurity audits and additional control implementations related to the use of automated decision-making technologies.
This article examines one of the most challenging of the 18 domains within the cybersecurity audit requirements of Article 9 of the CCPA regulations, data retention and disposition, and explains why organizations should modernize the programs that manage its risks.
Article 9 Cybersecurity Audits
Under Article 9, organizations must submit annual cybersecurity audit certifications to the California Privacy Protection Agency if they: derive 50% or more of revenue from selling or sharing personal information, or exceed $25 million in revenue, while processing 250,000+ consumers’ personal information or 50,000+ consumers’ sensitive personal information. Organizations with more than $100 million in revenue must certify to the completion of the cybersecurity audit by April 1, 2028, with smaller organizations needing to submit their initial certification in 2029 or 2030 (depending on size). The certification must also be submitted annually thereafter.
The CCPA identifies 18 key control domains as in scope for annual audits, ranging from authentication, encryption and access controls, to cybersecurity awareness and training. Article 9 specifically references the National Institute of Standards and Technology (NIST) Cybersecurity Framework 2.0 as a potential framework for organizations to follow.
As part of the 18 control domains, the CCPA calls for organizations to maintain retention schedules and proper disposal of personal information that is expired or no longer needed for regulatory or business purposes. Specifically, Section 7123 requires businesses to maintain “[r]etention schedules and proper disposal of personal information no longer required to be retained, by (A) shredding, (B) erasing, or (C) otherwise modifying the personal information in those records to make it unreadable or undecipherable through any means.” [1]
Implementing or modernizing effective data retention and deletion programs will require the most lead time of all the CCPA audit requirements.
Operationalizing Retention Schedules and Disposal Programs
Organizations can follow a two-phased approach when operationalizing data retention and deletion. The first phase is foundational, focused on building a defensible governance program. The second is operational, enabling deletion of personal information at scale.
Foundational Phase
The foundational phase establishes the core documentation, governance structures and baseline understanding to support a defensible retention and disposal program. This process begins by assessing the organization’s current data governance practices, reviewing existing policies and identifying gaps in retention schedules and asset inventories. This phase also focuses on creating or modernizing the organization’s retention schedule and mapping business and system assets to respective requirements.
Key implementation activities include:
- Assessment, policy and roadmap development
  - Review existing records and information governance documents.
  - Conduct stakeholder interviews to assess the current state.
  - Review and update the governance policy or develop a new template.
  - Review gaps in the existing retention schedule.
  - Develop a gap analysis, project plan and roadmap.
- Data retention schedule
  - Conduct stakeholder interviews.
  - Gather existing asset inventories.
  - Identify relevant jurisdictions.
  - Review and modernize the retention schedule.
  - Conduct follow-up interviews with functional areas.
  - Create a revised and streamlined retention schedule.
- Map system assets to the retention schedule
  - Build a prioritized list of in-scope business and system functions.
  - Identify information types stored in system repositories.
  - Map retention periods to those repositories.
Implementation Phase
During the implementation phase, organizations must operationalize their defensible retention and disposal program by:
- Establishing data minimization standards.
- Assessing risk across information assets.
- Designing a governance framework.
- Executing deletion sprints.
During this phase, policy and schedules are translated into actionable workflows, supporting processes and approval mechanisms are built, and business and technical teams collaborate to conduct defensible deletion activities.
Key implementation activities include:
- Data minimization standard and procedures
  - Develop the data minimization policy.
  - Develop a disposal procedure that considers aspects such as legal hold requirements.
  - Design data deletion approval processes.
  - Identify software or tools to support deletion workflows.
- Information asset risk ranking
  - Create an information asset risk register.
  - Conduct risk analysis and produce recommendations.
  - Adjust and confirm the risk ranking with stakeholders.
- Data deletion governance framework
  - Define governance and audit trail requirements.
  - Design the data deletion approval process.
  - Identify tools to support approval workflows.
  - Develop, test and deploy governance processes.
- Deletion sprints and change management
  - Develop deletion options based on repository types.
  - Support technical teams in pilot deletion execution.
  - Develop and review lessons learned.
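As an added illustration, not part of the article or of FTI Consulting's own tooling, the following Python sketch shows the mechanics that the disposal procedure, approval process and audit trail activities above call for: a retention schedule mapped to an asset inventory, legal holds that override expiry, unmapped information types flagged as schedule gaps instead of being deleted, and one audit-trail entry per disposal carrying a named approver and the Section 7123 disposal method used. All schedule periods, repository names, record ids and the approver are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
# Constructed sample retention schedule: information type -> retention period in days.
RETENTION_SCHEDULE = {"customer_contact": 3 * 365, "support_ticket": 2 * 365}
@dataclass
class Record:
    record_id: str
    repository: str   # system asset holding the record
    info_type: str    # information type mapped to the retention schedule
    created: date
    legal_hold: bool = False

def evaluate_retention(records, today, schedule=RETENTION_SCHEDULE):
    """Return {record_id: (action, reason)} with action 'dispose', 'retain' or 'hold'.
    Legal holds override the schedule; an unmapped type is retained and flagged as a gap."""
    decisions = {}
    for r in records:
        if r.legal_hold:
            decisions[r.record_id] = ("hold", "legal hold active")
            continue
        period = schedule.get(r.info_type)
        if period is None:
            decisions[r.record_id] = ("retain", f"no retention period mapped for {r.info_type}")
            continue
        expiry = r.created + timedelta(days=period)
        if today >= expiry:
            decisions[r.record_id] = ("dispose", f"retention expired {expiry.isoformat()}")
        else:
            decisions[r.record_id] = ("retain", f"retention runs until {expiry.isoformat()}")
    return decisions

def build_audit_trail(records, decisions, approver, method="erase"):
    """One audit-trail entry per disposal; a missing approver is rejected so the approval
    step cannot be skipped. 'method' names the Section 7123 disposal method applied."""
    if not approver:
        raise ValueError("disposal requires a named approver")
    by_id = {r.record_id: r for r in records}
    return [{"record_id": rid, "repository": by_id[rid].repository, "method": method,
             "approver": approver, "reason": reason}
            for rid, (action, reason) in decisions.items() if action == "dispose"]
SAMPLE_RECORDS = [  # constructed sample inventory, not real data
    Record("r1", "crm", "customer_contact", date(2022, 1, 1)),
    Record("r2", "helpdesk", "support_ticket", date(2025, 9, 1)),
    Record("r3", "crm", "customer_contact", date(2020, 1, 1), legal_hold=True),
    Record("r4", "marketing_db", "marketing_profile", date(2019, 1, 1)),
]
def run_sample(today=date(2026, 6, 8), approver="records.manager"):
    decisions = evaluate_retention(SAMPLE_RECORDS, today)
    return decisions, build_audit_trail(SAMPLE_RECORDS, decisions, approver)
```

Running `run_sample()` disposes only r1, holds r3, keeps r2 within its period and surfaces r4 as a retention-schedule gap to be closed before any deletion sprint touches that repository.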
Expert Support and Guidance
Organizations that delay data retention and deletion efforts face increased audit risks and compressed timelines for compliance.
FTI Consulting’s privacy, security and information governance experts support clients in achieving CCPA cybersecurity audit readiness. This includes assessing organizational maturity across the 18 control domains, establishing audit processes and documenting current practices. Pre-audit assessments identify gaps, enabling remediation in a timely manner. As the April 2028 certification deadline approaches, preparing now will be paramount in enabling timely compliance and avoiding risks associated with last-minute response.
Footnotes:
[1] Cal. Code Regs. Tit. 11, § 7123(c)(16) (2026).