GDPR lessons can help with CCPA Compliance

The General Data Protection Regulation (“the GDPR”), which became enforceable in May 2018, set out a new body of rules on how companies that process personal data may collect, use and store it, in order to protect individuals' rights over their own data. Shortly after, the California Consumer Privacy Act (“the CCPA”) was signed into law; it gives consumers the right to learn how companies collect, use and share their personal data. The CCPA takes full effect on January 1, 2020.

“GDPR represents the beginning, not the end, of the data privacy journey”

California is the world's fifth-largest economy, and organizations cannot ignore it. Many global companies that have already adapted to Europe's GDPR have begun changes that are, or will be, crucial for CCPA compliance. The CCPA differs from the GDPR in several ways, notably in its scope of application (who is covered and which data is in scope), in the nature and extent of its limits on collection, and in its accountability rules. Those differences matter, but the groundwork done for one law carries over to the other.

Companies that have implemented the GDPR have learned several lessons that can help any company with CCPA compliance and with rolling out the technical and organizational measures it requires across the organization. Here are some lessons learned from the GDPR that can ease your company's transition to CCPA compliance.

How it affects the entire company

The big question was how data protected by these regulations is stored, processed and moved throughout a company. On examination, certain departments believed they had no access to personal data, when in fact they did: they did not need it and were not using it, but the access existed. Companies must perform a full analysis of whether they, or individual departments, can reach any personal or sensitive data, and whether any of those access points should be eliminated. Internal teams must work together to analyze and map the data, document its flows, and build a data privacy framework that covers how data is collected, stored, used, transferred, processed and disposed of. Departments must then implement, monitor and comply with the applicable regulations through uniform policies and procedures that ensure only authorized personnel have access to personal data, for a specific purpose, and on the basis of documented instructions from the client (the data controller, in GDPR terms) and the permissions given by the data subjects.

To ensure compliance with these regulatory requirements, companies must monitor data usage and access across all departments.

Non-compliance will impact your company

Data privacy rules are becoming more complex and stringent, in the US as elsewhere. Whatever their origin, their impact is global. The CCPA is arguably more complex than the GDPR and HIPAA in places and adds compliance requirements of its own. Penalties under the GDPR are up to €20 million or 4% of annual global turnover, whichever is greater, and regulators have wide discretion in setting them. CCPA civil penalties are up to $2,500 per violation and $7,500 per intentional violation, assessed per violation (which can mean per affected consumer), so in the long run the cost of non-compliance is likely to be far higher than the cost of ensuring compliance.

No chance of escaping data privacy frameworks and acts

Recent legislative developments have made clear that no company will stay off the radar of data privacy law. Whether small or large, if a company processes and uses the personal data of data subjects and infringes any of the data protection laws, it is under observation. At any time, the affected data subjects may raise a complaint against your company for violations involving their personal data. It is therefore better to go through these data privacy laws, understand them and implement them.

The clock is ticking, and the GDPR is not the only thing that matters

The GDPR imposes very strict compliance requirements on companies that handle personal data, but to manage compliance effectively, companies must implement future-proof, end-to-end solutions that are nimble enough to respond to new regulations and requirements. More and more US states and countries across the globe are preparing similar regulations, as the global privacy map below shows.

[Figure: Global Privacy Map. Image credit: wfanet.org]

To protect the interests of the company and mitigate its exposure, the team must be prepared and ready. Companies need to act fast and avoid last-minute preparation for these regulations; otherwise they risk the heavy penalties that come with non-compliance.
