In May 2018, the General Data Protection Regulation (GDPR) went into effect to protect internet users’ personal data and bring more transparency to how that data is used, collected and stored by entities operating in the EU. The GDPR terms stipulate that data should be collected legally and that those who collect it should protect it from being misused.
On the heels of the GDPR comes the California Consumer Privacy Act (CCPA), signed into law in June 2019 and expected to take full effect in January 2020. The CCPA, like the GDPR, aims to help consumers understand how companies collect and use their data.
However, unlike the GDPR, which covers the whole of Europe, its jurisdiction is limited to California. The CCPA is also specific about which companies need to comply; for instance, they must be for-profit entities with a gross revenue of over 25 million dollars. The act details further requirements.
The two laws have a few similarities. Both grant consumers the right to have their personal data deleted or accessed, and both call for encryption of data so that if it is stolen it cannot be used. These correlations and others mean that GDPR investments hold some lessons and strategies that can help companies prepare to be CCPA compliant.
1. Prepare Early for Data Subject Requests
Although the GDPR took effect in 2018, it was announced in 2016. Companies had time to make the necessary changes, but some did not meet the deadline, and some have still not fully caught up a year later. Both the GDPR and the CCPA go beyond a company simply amending its data privacy policies and extend to an examination of how it handles all consumer data. This takes time.
The CCPA will be implemented in 2020, so companies have the opportunity to make changes now. In particular, the CCPA has a ‘look back’ provision, which entitles consumers to request their data from as far back as 12 months.
2. Understand the Effects of Non-Compliance
It is crucial for companies to familiarize themselves with the act because the consequences of non-compliance with the CCPA could be severe. Fines go up to $7,500 per CCPA violation and $750 per record compromised; multiply that by millions of records if a large breach does occur and the cost implications can be crippling. Some companies have already been fined for GDPR non-compliance; famously, Google was slapped with a 50 million euro fine.
Non-compliance doesn’t only affect a company’s finances. Brand reputation will also take a hit. In some cases, customers’ loss of trust that you can keep their data safe can be worse than a financial loss. Companies can take a few steps to make it easier to comply:
- Understand the law; a lack of understanding was one of the reasons cited for failure to comply with the GDPR.
- Set up a budget for CCPA compliance.
- Have the right human resources at hand and/or get legal advice.
- Give your company enough time to prepare for the CCPA.
3. Keep a Record of Processing
It is important for companies to know what personal consumer data they hold. The GDPR brought intense data scrutiny, extending to where the data is stored and located, exactly how it is used, and with whom it is shared.
Answers to questions such as how long the data is retained should also be readily available. As mentioned, the CCPA will require companies to disclose data to consumers who request it and to inform them about the company’s data collection practices. System diagrams that document the lifecycle of collected data, together with data flow maps, will help locate customers’ personal information and also aid in record keeping.
4. Think Long Term
If the GDPR and the CCPA have taught us anything, it is that people are taking data protection very seriously and that protection policies are likely to increase in the future.
For instance, the ePrivacy Regulation, which came after the GDPR, defines policies about cookies and will require companies to adapt their data policies. So rather than segmenting data subjects to only residents of California, companies are better off building solutions that encompass all their customers and adjusting those solutions when new laws are put in place.
Is your business prepared for the future of privacy law?
The world is waking up to the importance of consumer privacy in this digital age and the onus falls on every organization to protect its customers’ personal data. As one of the top IT solution providers on the East Coast, ASB Resources can help your company handle GDPR and CCPA compliance and also prepare for any other new privacy laws in the pipeline around the world. Schedule some time with us soon!