GDPR, CCPA, LGPD, and more: Staying afloat in the sea of global privacy regulations
A version of this post originally appeared in CPO Magazine.
The global privacy legislation landscape continues to be a complex sea to navigate. To date we have seen 117 omnibus laws (GDPR) and another 28 sectoral laws (CCPA) come into play. We are expecting more amendments to the CCPA and LGPD, and there seems to be no end in sight to countries and regions bringing their own legislation into effect over the coming months.
In this sea of regulatory uncertainty, how do you maintain an ongoing capacity to comply?
GDPR, LGPD and CCPA: Overlap and Outliers
As expected, the GDPR has created a rising wave of privacy regulations, most aimed at providing individuals more control over their data. While GDPR has certainly set the stage for global privacy legislators, it is important to note that not every law is fully comparable, most notably the LGPD and CCPA. GDPR and LGPD are omnibus laws covering a wide spectrum of privacy concerns including data transfer, data security, and data breaches. The CCPA on the other hand, applies only in the State of California and mainly deals with consumer data rights.
Even within the GDPR, there is the potential for differences in obligations as EU member states can enact their own national laws to supplement the GDPR. (Nymity tracks national laws daily and provides updates to its subscribers through the Nymity GDPR Implementation Tracker™, delivered through Nymity Research & Alerts™.)
When looking at the GDPR, CCPA, and LGPD, it is clear there is a fair amount of overlap, especially where data subject rights are concerned. When looking at the overlap, the “outliers” also become clear; for example, the elements of the law that are specific to a single jurisdiction such as deadlines or time constraints.
An Accountability Approach: A Life Raft for Privacy Compliance
An accountability approach to compliance means organizations implement and embed relevant policies, procedures and other measures throughout the organization, and assign responsibility for these activities to be completed. Ideally, the activities are also reviewed on a regular basis (for example annually). As a result, documentation such as minutes of meetings, memos preparing decisions, the actual policies and procedures, and log files are produced and can serve as evidence to demonstrate compliance to regulators and other stakeholders.
When we began preparing organizations for the GDPR, Nymity mapped the text of the Regulation to the Nymity Privacy Management Accountability Framework™ and identified 39 Articles requiring evidence of a technical or organizational measure in order to demonstrate compliance. Those 39 Articles mapped to 55 privacy management activities (technical and organizational measures) that if implemented, may produce documentation to demonstrate compliance with the requirements (the remaining 60 provisions do not require evidence of technical or organizational measure to demonstrate compliance, since they mainly focus on definitions or attribution of tasks to the supervisory authorities).
Taking a similar approach for the CCPA, we have identified nine of the 23 provisions requiring evidence of a technical or organizational measure in order to demonstrate compliance. These nine provisions have been mapped to nine privacy management activities. For the LGPD, Nymity has identified 43 privacy management activities, linked to 24 provisions of the law.
Getting started with compliance across multiple laws
With clarification from lawmakers on various elements of the CCPA is still pending, and the LGDP has an estimated 133 amendments in process, organizations may not have a sense of urgency when it comes to getting their compliance programs ready. However, we learned from GDPR that the level of effort for developing a compliance program can be a lengthy process, so it is critical to get started as soon as possible.
If your organization has put mechanisms in place to become GDPR compliant, you can leverage them to comply with the CCPA, LGDP and other privacy laws. The key is transitioning from a point in time GDPR project to a scalable, regulatory-agnostic, and efficient privacy program.
We recommend a two-step approach to building compliance programs that can address multiple privacy laws:
- First, identify which of the mandatory privacy management activities that apply to the law you have based your privacy program on are embedded in your organization including the policies and procedures you have implemented to ensure compliance. Compare them to the new law you are dealing with and verify that all elements that are embedded in the new laws’ legal provisions are also part of your internal policies and procedures.
- Second, review the privacy management activities that are considered mandatory for the new law you are working on, but are not part of your existing data protection compliance program. It may be that you have implemented these activities in your organization, for example as part of your security program. If so, you can repeat the check described above. If you have not implemented those activities, then you will likely have to implement new policies and procedures to address the gaps.
Empowering privacy professionals around the world
The GDPR has set the stage for new or enhanced privacy legislation from jurisdictions around the world. The introduction of a new law, or changing requirements of an existing law, will always require some effort to ensure ongoing compliance. While it may seem increasingly challenging to navigate the sea of privacy regulations, taking an accountability approach to compliance enables organizations to leverage existing accountability mechanisms to meet revised compliance goals.
Nymity empowers privacy professionals around the world through research-based compliance software solutions enabling organizations to develop sustainable privacy programs that achieve and demonstrate ongoing data privacy compliance across hundreds of global privacy regulations.