GDPR implementation lessons can help with CCPA compliance

The ever increasing number of data breaches has made consumers more aware of how their data is being used and has emphasized the importance of keeping personal data private, says Sovan Bin, CEO and founder of cloud data management firm Odaseva.

“In terms of the general public, the California Consumer Privacy Act (CCPA) is a wake-up call for consumers to know and understand their data privacy rights. They should feel free to exercise these rights without fear to keep their personal data safe. The general public should ensure companies are being transparent about their personal data usage including what information the organization holds, how it is being used and who it is being shared with,” he told Help Net Security.

And with the introduction of the legislation quickly approaching, companies are also feeling the pressure to ensure they are prepared to handle the new strict requirements, including revealing what data they collect on their customers in California and responding to consumer requests to delete and not sell their data.

“A recent TrustArc survey based on the replies by 250 privacy professionals at companies with 500 or more employees has revealed that 86% of companies are not prepared for the advent of the CCPA, which goes in effect on the first day of 2020,” Bin noted.

Their efforts may be hampered by the short deadline, the lack of company bandwidth, budget and tools to prepare for the new law, and by insufficient support from the company’s leadership, but it’s important that they take compliance seriously as CCPA penalties can quickly add up, he added.

GDPR vs CCPA

The EU General Data Protection Regulation (GDPR) provides valuable lessons and takeaways for CCPA, as several concepts, principles and constraints overlap between the two laws.

Both legislations are designed to offer strong protection for individuals regarding their personal data, apply to businesses that collect, use, or share consumer data, allow consumers to request their personal data be deleted, and allow for companies to be penalized for non-compliance.

But unlike the GDPR, the CCPA:

• Considers personal data to include data that relates to the consumer as well as their household (spouse and children)
• Applies only to businesses that have annual gross revenues in excess of $25 million, possess personal information of 50,000 or more consumers, households or devices (per year), or earn at least 50 percent of their annual revenue from selling or sharing consumers’ personal information, and
• Allows consumers to request their personal data be deleted for ANY reason.

Also, while the GDPR penalizes companies for non-compliance as well as data breaches, the CCPA prescribes fines for non-compliant businesses (up to $2,500 per unintentional violation and up to $7,500 per intentional violation) and make them liable to civil class action lawsuits and paying restitution to California residents in case of data theft or a security breach.

Preparing for CCPA compliance

“Before January 2020, companies must make sure to understand the CCPA and where it applies and understand where personal data resides and who has access to it/how it is being used,” Bin says.

They must also have an easy way to locate/secure consumer data to quickly respond to consumer access requests, ensure their data management/security system allows the right people to access data, and leverage an automated solution to handle CCPA requirements and maintain detailed logs proving compliance.

“The GDPR validated the importance of checking data access points within an organization and highlighted the importance of adopting data management solution,” Bin added. “Enterprises often find that more users have access to data than they think. Monitoring data flow and usage to ensure only authorized individuals have access to personal information is key to compliance.”

Finally, he also advises smaller businesses unaffected by the new legislation to use it as motivation to be mindful about personal data usage. “New regulations will likely arise in the future, and it’s never too early to be prepared,” he pointed out.