Demonstrating Compliance with Multiple Laws, from GDPR to CCPA
The dust has barely settled on GDPR preparation, and another big law is coming down the pipeline that will affect organisations established in the state of California or doing business there. This law is the California Consumer Privacy Act (CCPA), entering into application on the 1st of January 2020. It will provide for extensive data subject rights, including right of access, data portability, and data deletion.
For multi-jurisdictional organizations subject to both the GDPR and CCPA, yet another major law may seem daunting, but it does not need to be. And it is not the only one. Before the GDPR, there were over 700 privacy laws and regulations worldwide, and recently Brazil also passed its own privacy law, the Data Protection Bill of Law. The good news is that, if you have implemented a GDPR-compliant privacy program, it is relatively easy to leverage that work to prepare for CCPA compliance and for any other privacy or data protection law.
About the Two Laws
It is worth noting that the GDPR and CCPA are not fully comparable. First of all, GDPR is applicable in 31 countries, whereas the CCPA applies solely to California and mainly deals with data subject rights. Topics like data transfers, data security, and data breaches are not covered by the CCPA.
Since data protection in Europe is regarded as a fundamental right, the rights extended under the GDPR apply to anyone, regardless of nationality or place of habitual residence. What triggers the law is the location of the company processing the data. If they are established in the EU, or offer goods and services to people in Europe and/or monitor their behavior, they are subject to the GDPR, and thus their customers are protected by the regulation.
This differs from the CCPA, which applies to companies doing business in California and extends protection only to consumers residing in that state. Although this is a more limited protection than offered by the GDPR, it does not mean that compliance requirements are lighter.
Steps Towards Compliance
Nymity analysed both the GDPR and CCPA and found that seven out of the nine privacy management activities that are relevant to demonstrating CCPA compliance are also relevant under the GDPR, and are thus likely to already be part of your privacy program. The Nymity Privacy Management Accountability Framework™ is now mapped to both the GDPR and CCPA, so you can visualise where the overlaps occur.
For the sake of this blog, here are the overlapping activities at a glance.
Overlapping Privacy Management Activities Between the GDPR and CCPA:
- Maintain a data privacy notice
- Maintain procedures to respond to requests for access to personal data
- Maintain policies/procedures for the collection and use of personal data of children and minors
- Maintain policies/procedures for obtaining valid consent
- Maintain procedures to respond to requests to opt-out of, restrict, or object to processing
- Maintain procedures to respond to requests for data portability
- Maintain procedures to respond to requests to be forgotten or for erasure of data
Privacy Management Activities That Do Not Overlap between the GDPR and CCPA:
- Conduct privacy training reflecting job-specific content
- Maintain procedures to respond to requests for information
Now that the overlap between the two laws is clear, you can set to work to adapt your privacy program to deal with the CCPA.
STEP 1. To get started, first identify which of the seven mandatory privacy management activities that apply to both the GDPR and CCPA have already been embedded in your organisation, and which policies and procedures you have implemented to ensure GDPR compliance. These policies and procedures are now up for review: you will need to verify that every element required by the CCPA's legal provisions is also reflected in your internal policies and procedures.
STEP 2. The next step is to take a look at the two privacy management activities that are considered mandatory for the CCPA, but are not part of a standard GDPR compliance program. It may be that you have implemented these activities in your organisation. If so, you can repeat the check described under step 1. If not, new policies and procedures are likely required. For example, for job-specific training, you could update your existing training with a section on CCPA compliance. This would be especially relevant for your web editing, customer services, and legal team training.
Additional Recommended Activities
The two steps described above will help you prepare for the nine mandatory privacy management activities to demonstrate compliance with the CCPA. However, Nymity has identified five additional measures to further facilitate compliance:
- Maintain an inventory of processing activities
A processing activities register is required under Article 30 GDPR. If you have created such a register, it is advisable to also use it for CCPA compliance. While the California law does not require a register to be in place, it does require organisations to be able to identify the categories of personal data processed, the categories of companies with which personal data is shared or to which it is sold, and the purposes of processing. Since all of that information would be included in a processing activities register, a register would help you deal with information and access requests more quickly and easily.
- Identify ongoing privacy compliance requirements
Given that the text of the CCPA is still subject to change before 1st January 2020 (and can also be amended in the future), it would be wise to have a process in place to identify new or changed compliance requirements.
- Conduct privacy training
Most organisations that offer comprehensive privacy training report an overall rise in data protection standards in their organisation. General privacy training is recommended, to ensure a better understanding within your organisation of the reasoning behind your privacy program.
- Integrate Privacy by Design into system and product development
Clearly advocated by the GDPR and many Data Protection Authorities around the globe, privacy by design and by default means organisations will consider privacy and data protection from the start of the design process of their products and services. This has the advantage that the product or service is more likely to be compliant from the outset, avoiding costly alterations later on.
- Conduct PIAs for new programs, systems and processes, as well as for changes to existing programs, systems and processes
Privacy and Data Protection Impact Assessments (PIAs and DPIAs) for both new and existing processes take time, but they can also help avoid problems in the future. Organisations can always consider doing a quick-scan (or threshold) impact assessment to find out whether any major risks would arise from the envisaged data processing, and only where high risk is identified complete a full impact assessment, including risk mitigation steps.
Although the final text of the CCPA is still subject to change, many impacted organisations have already started their preparations to comply with the law. If you would like to take a deeper look into how to demonstrate accountability and compliance with a multitude of laws, including the GDPR and CCPA, download our paper now.