Navigating the Complexities of GDPR and CCPA Compliance

INTRODUCTION

CCPA

1. The right to know about the personal information a business collects about them and how it is used and shared.
2. The right to delete personal information collected from them (with some exceptions).
3. The right to opt out of the sale or sharing of their personal information.
4. The right to non-discrimination for exercising their CCPA rights.
5. The right to correct inaccurate personal information that a business has about them.
6. The right to limit the use and disclosure of sensitive personal information collected about them.

Some of these rights were part of the California Privacy Rights Act (CPRA) amendment to the CCPA which became effective at the beginning of 2023. The rights are related to personal information as defined in the CCPA including name, signature, social security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state ID card number, insurance policy number, education, employment…the list goes on and on…and is referenced in our service overview here.

GDPR

GDPR originated in the European Union (EU) and, effective May 25, 2018, regulates the processing and protection of personal data of EU citizens. Like CCPA, GDPR addresses a broad set of people and organizations. GDPR is focused on protecting personal data beyond just the geographical borders of the EU and its member states. GDPR applies to any entity that processes the personal data of EU residents, while CCPA affects businesses that collect and handle the personal information of California residents. A business subject to GDPR is categorized as a “data controller” or “data processor” based on its functions and data handling. GDPR has seven core principles:

1. lawfulness, fairness & transparency
2. purpose limitations
3. data minimization
4. accuracy
5. storage limitation
6. integrity & confidentiality
7. accountability

Variances, Complexity, and a Phased Approach

Variance is a contributing factor to complexity, as different external requirements can include different criteria and minimum expectations for the security and privacy of personal data. GDPR and CCPA can vary in scope, business applicability, specific privacy rights, as well as fines and actionable events. An organization could be considered subject to GDPR based on its handling of EU personal data, while it might not handle California consumer data. Organizations need to understand the overlap and variance, in addition to having a solid understanding of their data processing activities, flows, and related processes. Organizations need trusted advisors to determine how to manage applicable, competing laws and requirements.

A phased approach to determining GDPR and CCPA compliance is essential, to ensure adequate effort is invested in discovery, design, controls implementation, control operation, and maintenance. Discovery of business processes and stored data is a significant endeavor. For organizations that do not have well-documented and understood processes, data discovery may feel more like an expedition across the frozen tundra, but it is fundamental to the success of all subsequent phases. Through the discovery process, data elements should be identifiable and classified. Where is the data? How is it identified, labeled, or tagged? Why is it collected?

Things to consider as part of the initial phased effort:

-Do we know what personal data we process, how it is handled, and where it is located?

-What third parties and service providers do we have, what are the services, and how does it relate to our data processing activities?

-What justifications do we have for processing the data? Is it even needed?

-What data security controls do we currently have in place, such as encryption?

-What policies and notification processes are documented and in use?

-How do we handle consent? Opt-in? Opt-out?

-Who is accountable for ongoing compliance?

-How are we currently communicating privacy rights to customers?

Moving through the phases, discovery and design may lead to the identified need for additional tools and methods to “de-identify” or anonymize data and minimize the data footprint. Additional security controls need to appropriately protect data and may include encryption for stored data or tokenization.

Organizationally, controls may include assignment of an individual with the responsibility of Data Protection Officer or expansion of its security training and incident response capabilities. Teams of data custodians, security officers, and/or other related personnel may need to be trained on the security controls surrounding their stored customer data as well as understand the appropriate response to a data breach incident to minimize exposure.

Conclusion

Privacy laws cross borders and requirements surface in countries across the globe. The cost of implementing controls to meet compliance can be significant, in addition to impacting how internal processes are designed and operated on an ongoing basis. Complying with GDPR or CCPA (or both!) can quickly become complex and pose a challenge to organizations of varying sizes. The challenges and requirements span several areas including scope identification, consent, data governance, security, third-party vendor compliance, and enterprise data protection programs. Navigating the complexities of GDPR and CCPA compliance necessitates a phased approach, management support, and patience. Failure to comply with applicable laws can result in large fines, business disruptions, and the privacy of individuals and their personal data being exposed.

MegaplanIT partners with clients, tackling the complexities of privacy laws and associated requirements. Through gap analysis and compliance assessments, we provide specific guidance and advisory services, to improve and validate security and compliance programs. Are you ready to bring your processes into alignment with GDPR, CCPA, and other external requirements?

Need additional support and guidance on how to plan, design, or implement control requirements? Contact us today and let our experienced team support your compliance goals and initiatives.