
De-Mystifying the European and California Data Privacy Regulations and How Growing Companies Should

Updated: Jul 22, 2021

Data privacy is an important topic governed by many different laws; the best known are the General Data Protection Regulation (GDPR) in the European Union (EU) and the California Consumer Privacy Act (CCPA) in California. The regulatory impact is likely to expand across the United States (US), so it is imperative that companies understand that impact and how to prepare for it. This is especially important as institutions merge, grow larger, and begin to compete in new markets.


As corporations face a never-ending list of data privacy regulations and customers become more knowledgeable about their privacy rights, being prepared for data privacy legislation has never been more important. If you were to ask a business executive in the EU what one of their major challenges is today, they would more than likely say data privacy regulations, and more specifically GDPR. Over the last few years, data privacy has become a major regulatory and compliance issue for any firm that holds information on EU or California citizens, whether that firm operates in the EU or the US.

The two major data privacy regulations that corporations are facing in the EU and US are:

  • GDPR – General Data Protection Regulation

  • CCPA – California Consumer Privacy Act

In this article, we will explain in plain language the current regulations and their impact. We will demonstrate that data privacy doesn’t just impact organizations in Europe, but also in the United States. We will discuss which types of data are considered private and should be protected, who is protected, and what the penalty is for not complying. Finally, we will propose what companies need to do to get ready for the future of data privacy.


Introduction to General Data Protection Regulation (GDPR)


GDPR is an EU law that focuses on data protection and privacy in the EU and the European Economic Area (EEA). It also addresses the transfer of personal data outside the EU and EEA. The law aims primarily to give individuals (called data subjects) control over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.[1] Once a subject opts in to having their personal data processed and shared by other individuals or organizations, GDPR requires that every organization that processes that data protect it.


GDPR went into effect on May 25, 2018, after a two-year transition period during which companies could become compliant with the law. Companies that are noncompliant with GDPR face fines that can be as high as €20M or four percent of the organization’s worldwide revenues.


Protected Classes of Data


GDPR requires that different types of personal data must be protected. This includes basic information such as name, address, and identification numbers, as well as web data such as location, IP address, cookie data, and RFID tags. It additionally includes the following classes of data:

  • Health and genetic data

  • Biometric data

  • Racial or ethnic data

  • Political opinions

  • Sexual orientation

To whom does the GDPR law apply?


The GDPR applies to any organization, business, or individual that handles the personal data of European citizens. GDPR affects every company, but the hardest hit are those that hold and process large amounts of consumer data (e.g., technology firms, marketers, and the data brokers who connect them).


Under these rules, if a US company collects data from EU citizens, it is under the same legal obligation as if it were headquartered in France, the United Kingdom, Germany, or any other European country, even though it has no servers or offices there.


How to prepare for GDPR


Certain safeguards can be put into practice to facilitate compliance with GDPR. Accountability, one of the data protection principles, assumes that companies take responsibility for complying with the GDPR and are able to demonstrate their compliance. Your organization can best show compliance by planning and establishing the following: [2]

  • Adopting and implementing data protection policies that carry out appropriate security measures

  • Recording and, where necessary, reporting personal data breaches

  • Carrying out data protection impact assessments for uses of personal data that are likely to result in high risk to individuals’ interests

  • Appointing a data protection officer

  • Maintaining ongoing accountability obligations. You must review and, where necessary, update the measures you put in place

Introduction to California Consumer Privacy Act (CCPA)


California is one of the first states in America to provide a right of privacy in its constitution. Since it was also the first state to pass a data breach notification law, it was not surprising when California lawmakers passed the CCPA in June 2018. But the CCPA isn’t just a state law; it is becoming the de facto national standard for America.


On January 1, 2020, the CCPA took effect. The CCPA grants California residents new rights regarding their personal information and imposes various data protection duties on certain entities conducting business in California. Because of the number of companies doing business in California, the rest of the country will effectively have to comply.[3] Organizations doing business in the US have a limited amount of time to conform to the CCPA regulations, and they must determine how to manage those regulations going forward. If they find themselves out of compliance, companies risk being fined or, even worse, losing brand reputation and consumer trust.


The requirements aren’t insignificant. Companies will have to disclose to California customers what data has been collected. If the customer requests, companies must delete and stop selling that personal data. Fines could easily add up: $7,500 per violation if intentional, $2,500 for those lacking intent, and $750 per affected user in civil damages.


GDPR vs CCPA Comparisons


So far, we have learned what the GDPR and the CCPA are and what they are not. While the CCPA incorporates several GDPR concepts, such as the rights of access, portability, and data deletion, there are several areas where the CCPA requirements are more specific than those of GDPR, and others where GDPR goes beyond the CCPA requirements.


Evolution of Personal Information


It used to be that the legal meaning of personally identifiable information (PII) was clear: data that can distinguish the identity of one individual from another. By contrast, the standard for mere personal information (PI) was lower because there was so much more of it. If PI is a galaxy, then PII is the solar system. However, GDPR and CCPA have shifted the definition to include additional types of data that were once considered fairly benign. The CCPA includes personal data rights for consumers, a concept that GDPR first brought into play when it was established.


The chart below provides a high-level comparison of key requirements under the CCPA and the GDPR.[3] While it is not a comprehensive list of all measures required under the CCPA or the GDPR, it does give a closer look at the key similarities and differences between the two regulations:


Regulation Comparison Chart



Biggest Implementation Challenges facing GDPR/CCPA


Privacy experts in the EU and the US have identified the biggest challenges your organization might face in implementing data privacy and protection under GDPR and CCPA.


Top Five Major Implementation Challenges:


1. The Growth of Data is Exponential


Data is growing faster than ever. More than 1.7 megabytes of new data is created every second.[4] Organizations must keep up with protecting not only their customers’ personal information but also their sensitive personal information. Over the last decade, data has grown exponentially, yet poor security practices continue to put organizations at risk of a data breach. PII is one of the biggest concerns in data privacy. Given the veracity and volume of data in our technology-driven world, handling millions, and possibly even billions, of data records can become overwhelming.


2. Institutional Responsibility


Identifying the person in the enterprise who is responsible for data privacy is key. Many companies are realizing that the role of the Chief Data Privacy Officer (CDPO) is an important function in the legal or compliance department. The CDPO is responsible across the enterprise for addressing privacy issues, ensuring compliance, and reporting to the Board on progress.


3. Cost of Maintaining Data Privacy


Not protecting your data can result in your company experiencing a data breach. Many cybersecurity professionals believe it’s not a question of if, but when, you will have a data breach. A data breach can cost organizations millions of dollars in lost revenue. In fact, the Ponemon Institute[5] found that the total average cost of a breach in 2017 was $3.62 million. What’s more, an organization has a 30% chance of experiencing a data breach over the next two years.


If an organization is breached, it faces intense regulatory penalties from an array of entities. For example, companies operating in the EU, or holding EU customer data, that experience a sizable breach caused by a lack of security controls could face fines of up to 4% of Adjusted Gross Revenue or €20 million, whichever is greater.


Organizations must make investments in several key security technologies such as data archiving, backup, and redundant infrastructure to ensure their data is safeguarded and can be recovered and restored.


4. An Advanced Technology Landscape – Internet of Things (IoT) and Mobile


IoT is the network of interconnected things and devices embedded with sensors, software, network connectivity, and the necessary electronics, which enable them to collect and exchange data and respond to it. IoT is certainly a major area of concern for all security professionals.


In a 2017 survey designed to gauge consumers’ and business decision makers’ thoughts about the current state of the IoT ecosystem, Gemalto, a digital security firm, asked consumers to weigh in on IoT security. They shared the results of the survey of 10,500 customers in their State of IoT Security report.[6]


5. Human Error Creates a Level of Complexity


Everyday human errors can significantly affect your data privacy and protection. Security analysts claim that human error is the biggest challenge in data privacy and security today. Employees who are unaware and uninformed may use weak passwords, mistakenly delete data, fall prey to phishing scams, and browse websites that violate acceptable-use policy.


It’s up to your team of security experts to create a security awareness and training program that empowers your employees and reduces this risk. Data loss prevention tools can help you prevent end users from leaking sensitive data, whether maliciously or by mistake.


Summary


Data privacy and protection is no easy matter. It is a complex issue, not only in the EU but also in the US. Pitfalls and hurdles can arise across the entire information security lifecycle. GDPR and CCPA are designed to protect personal data and restrict its use by others. As a consumer, you need to be aware that your data is being stored and used by a whole host of companies; make sure that you don’t share more information than is necessary.


For a corporation, data privacy is even more important. Following regulations and protecting customer data is paramount. Your company needs to meet its legal responsibilities for how it collects, stores, and processes personal data, and noncompliance could lead to major fines. To face these challenges, you must improve your organization’s security strategy and security maturity and monitor the flow of data. Your data privacy officer should work with your compliance department to make sure that you are ready to tackle the new compliance requirements. Investing in key security technologies and data loss prevention tools can help safeguard your data and prevent breaches of sensitive personal data. Stay ahead of the curve and develop a data privacy strategy that works.


For More Information

For more information, please contact Michael Andrud, President, FinResults, Inc. (michael.andrud@finresults.com).


References


[1] Hern, Alex. (2018, May). What is GDPR and how will it affect you? The Guardian. https://www.theguardian.com/technology/2018/may/21/what-is-gdpr-and-how-will-it-affect-you


[2] Information Commissioner’s Office. (n.d.). Guide to Data Protection. ICO. https://ico.org.uk/for-organisations/guide-to-data-protection


[3] Jehl, Laura & Friel, Alan. (n.d.). CCPA and GDPR Comparison Chart. Thomson Reuters Practical Law.


[4] RadarFirst. (n.d.). Trends in Changing Data Breach Notification Laws: Stricter Regulations, Greater Complexity Will Challenge Privacy and Security in 2020. RadarFirst. https://www.radarfirst.com/resources/ebook/trends-in-changing-data-breach-notification-laws-2020


[5] Ponemon, Larry. (2018, July 11). Calculating the Cost of a Data Breach in 2018, the Age of AI and IoT. SecurityIntelligence. https://securityintelligence.com/ponemon-cost-of-a-data-breach-2018


[6] UL. (2017, October). Security Concerns Escalate as IoT Expands. UL.com. https://www.ul.com/sites/g/files/qbfpbp251/files/2019-04/security-concerns-escalate-as-iot-expands.pdf


About the Author: Denis Kosar specializes in data governance readiness assessments, the establishment of data governance, and education and training within the financial services industry. He has over 30 years’ experience in banking, brokerage, and insurance.
