First GDPR, and Now CCPA
The European Union's General Data Protection Regulation (GDPR) went into effect in May of this year, affecting any organization that operates in the EU regardless of its physical location. Even if your business does not need to comply with GDPR, if you operate in the U.S. you will very likely be covered by the similar data privacy regulations in California that are due to become mandatory in 2020.
For some organizations that may still need to get a better understanding of GDPR and ensure they are in compliance, the U.K. publication, "Guide to the General Data Protection Regulation," could be a helpful resource. The guide helps explain the provisions of GDPR, includes references to other helpful documents, and is written specifically for those individuals who have day-to-day responsibilities for data protection.
Changing Privacy Landscape (DPO/CPO)
GDPR itself has promoted the role of the Data Protection Officer (DPO), also known as the Chief Privacy Officer (CPO). Privacy is too important to leave to someone in an organization who is not dedicated to privacy control. In fact, there is a GDPR requirement that you designate a DPO/CPO if you are covered by the regulation.
A survey conducted by the International Association of Privacy Professionals determined that 75,000 new DPO/CPO roles would need to be created worldwide to meet that GDPR requirement -- 9,000 of which would be in the U.S.
A DPO/CPO is the person who leads the compliance program and monitors its implementation. By law, the DPO/CPO position is independent of the organization that funds it. This independence may seem particularly foreign to those working in countries outside the EU, such as the U.S. One task of the DPO/CPO is to monitor an organization's compliance with the regulations. Other tasks include training staff on proper data handling, coordinating with the organization's management, and being able to understand and balance data processing risks.
Comply for EU Citizens or Everyone?
Assume your business is primarily in the U.S., but you have some customers who are EU citizens and fall under GDPR protections. You could comply with the GDPR for the EU citizens only, but not for anyone else. Or you could protect U.S. citizens' privacy in the same way by following GDPR across the board. You might have an increased cost from spending on something that you don't legally need to do, but compliance will increase customer goodwill, loyalty, and trust. And with the impending California regulations that mimic GDPR protections, the covered customer base expands in the U.S.
California Consumer Privacy Act of 2018
On June 28, 2018, California passed the California Consumer Privacy Act of 2018 (CCPA). The new law "goes into effect on January 1, 2020, providing Californians with increased control over the information organizations collect on them, and imposing new requirements and prohibitions on organizations."
Violations of the CCPA will expose organizations to penalties, and the cost is significant. The CCPA imposes penalties of $750 per consumer per incident (e.g., $750,000 for an incident involving 1,000 consumers) or actual damages, whichever is greater.
This changes the U.S. privacy and compliance landscape. The CCPA is one of the toughest data privacy laws in the U.S. and will dramatically change how organizations handle data. With no federal government regulation equivalent to GDPR/CCPA, you can expect other states to follow California's example. Privacy protection regulations will keep expanding geographically, state by state, so organizations need to get ahead of the U.S.-based regulations now.
GDPR/CCPA Impact Checklist
If you have not fully analyzed the GDPR or CCPA requirements, then you should review this checklist to ensure you understand the ramifications of these regulations:
- The regulations expand the definition of personal data.
- The regulations apply to all the citizens of the EU (GDPR) and California (CCPA).
- The GDPR and CCPA tighten the rules for obtaining valid consent to using personal information.
- The regulations introduce mandatory privacy impact assessments (PIAs).
- A rapid data breach notification requirement is enforced.
- Citizens have the absolute right to be forgotten by the information holders.
- Liabilities have increased for those that collect, store, and transport privacy data.
- Data holders must deliver privacy by design.
The benefit for organizations operating in the EU is that they will have to deal with only one supervisory authority rather than a different one for each EU country. But that may not be the case for the U.S. regulations that are sure to emerge in the coming years.