New data protection regulations, such as the GDPR and the California Consumer Privacy Act (CCPA), lay out the legal rights held by consumers over their personal data. Entities that collect and/or process this type of data must extend these rights to consumers (in GDPR terms, natural persons known as “data subjects”), or face harsh penalties. Specific rights vary by regulation and region, although GDPR is the most far-reaching of any current data protection regulation.
KEY DRIVERS FOR THE GDPR AND CCPA
The current push around the world on data protection is the result of several fundamental trends:
- Aligning freedoms and responsibilities for data collection and processing of personal data
- Equal rules for all
- Very public bad behavior with personal data by some companies
- The extra-territorial scope of GDPR
- Forming new cultural norms where data protection and good business are not mutually-exclusive
ENTER THE CCPA
As a response to the GDPR, and to increasing privacy concerns among U.S. citizens, the government of the State of California passed the CCPA—Assembly Bill 375—with great urgency in late June 2018. The CCPA, which is being implemented in the world’s fifth largest economy, is a good example of the type of patchwork of legislation with which organizations worldwide will have to contend. It serves as a call for organizations to develop a common approach to dealing with the growing body of privacy legislation around the world.
The Act was passed, in part, to preempt a ballot initiative that was to be voted on in November 2018 and that, if passed, would have imposed stricter data privacy requirements. The Silicon Valley titans wanted to avoid that. The new Act introduces several of the principles of the GDPR to state law in California and, like the GDPR, applies to the personal data of people in a defined geography even when handled by organizations outside of that geography.
Finally, while California is a populous state, the law applies only to California residents and not to the broader United States or North America. The CCPA is a local initiative, not a coordinated multi-state one like the GDPR.
PRIVACY REGULATIONS ARE SPREADING
The GDPR has applicability for data subjects in Europe, but given the extra-territorial scope of this applicability, we have previously called it the “Global” Data Protection Regulation instead of the “General” Data Protection Regulation. GDPR is indeed having global effects, with more than 100 countries around the world implementing laws that draw on the principles of GDPR. Few are as extensive as GDPR, but many share similarities. For example:
INDIA
India’s Personal Data Protection Bill of 2018 is very closely aligned with the GDPR, including rights for individuals, the tiers and scope of administrative fines, and the need for a legal basis for processing personal and sensitive personal data. Several differences also exist, such as the requirement for absolute data localization for “critical personal data” (although, interestingly, this phrase is not specifically defined), and the fact that the State gets its own legal basis for processing.
BRAZIL
The new General Data Privacy Law 2018, or Lei Geral de Proteção de Dados Pessoais (LGPD), was signed into law in August 2018 and will go into effect in February 2020. The LGPD contains many of the same privacy principles as the GDPR, requires a legal basis for collection and processing, applies in-country and extra-territorially, and adopts the two percent of global revenue fine level (but not GDPR’s four-percent one). Data breach notifications are also required. Brazil has yet to create an independent data protection authority, since the President vetoed this section of the law, stating that the task of creating such an agency sat with his office and that it will be forthcoming.
AUSTRALIA
Australia recently introduced a new data breach notification law (in February 2017) that extended its existing data privacy legislation. Australia lacks a GDPR-type law at present, although some murmurs are starting to be heard about Australians owning their online footprint and personal data, which could indicate that a GDPR-type initiative will be forthcoming shortly.
Several other U.S. jurisdictions have strengthened their data breach notification requirements—such as Colorado—although most of these breach-oriented initiatives lack the breadth of GDPR and don’t create the consumer rights of access, erasure, rectification, and limitation of processing, among others.
WHAT SHOULD YOUR ORGANIZATION BE DOING TO PREPARE AND COMPLY WITH THE GDPR AND CCPA?
The GDPR, CCPA and other data protection regulations address a common general theme, but there are overlapping requirements, regional variations, and multiple inconsistencies. Organizations operating in a single market under a single regulation will have a clearer regulatory pathway, but this is increasingly difficult with online commerce, digital markets, and globalization. While there will always be regional variations to account for—such as notification timeframes and contact details—organizations facing the need to comply with multiple data protection regulations will have to decide on one core guiding principle: to only offer specifically what is required per market, or to more broadly offer the same rights to all consumers anywhere in the world.
The choice of a guiding principle will dictate the complexity of an organization’s compliance journey, and with either pathway the following principles will be necessary for compliance.
SOLUTIONS TO CONSIDER FOR COMPLIANCE
Organizations subject to GDPR, CCPA and other data protection and data privacy legislation require a multi-faceted approach to compliance that includes a balanced set of organizational and technical measures. Technical measures should include:
- Security from Threats
- Security of Processing
- Device and Data Encryption
- Archiving Solutions
- Data Governance Solutions
- Geo-Ring Fencing
- File Analysis and Data Classification Solutions
- Pseudonymization and Anonymization
- Data Loss Prevention/Data Breach Identification and Adaptive Protection or Blocking Solutions
- Data Infiltration
- Identity and Access Management Solutions
- Data Portability Solutions
- Application Security Testing
- Employee Training
- Other Technologies
Data protection requires a balanced set of organizational and technical measures. The above technical measures, implemented in line with a clear view of the risks to personal data in an organization, in combination with complementary organizational measures, will help craft a strong data protection approach and culture.
Data privacy regulations like the GDPR and CCPA are becoming the norm and organizations must implement a variety of technologies and best practices to ensure compliance with them. A failure to comply with the growing patchwork of regulations will almost certainly result in significant and negative consequences, including direct financial costs through punitive fines, as well as loss of corporate reputation, lost business opportunities, brand damage and the like.
Osterman Research was founded by Michael Osterman in 2001. Since that time, the company has become one of the leading analyst firms in the messaging and collaboration space, providing research, analysis, white papers and other services to companies like Microsoft, America Online, Sun Microsystems, Yahoo!, Network Appliance, IBM, Google, Hewlett Packard and many others.