We have recently released our CCPA version and have realized from feedback that there is a demand for a single solution covering both GDPR (EU and UK) and CCPA, predominantly for larger clients who are transcontinental.
We are now offering a GDPR / CCPA solution as one package to clients who need to comply with both regulations.
Let’s unpack the two regulations and then discuss how we combined them so that ongoing compliance with both can be easily managed.
What is GDPR?
The EU General Data Protection Regulation came into effect on 25 May 2018. The UK GDPR applies to UK data subjects and came into effect on 1 January 2021 following Brexit.
In essence the GDPR does the following:
1. It applies to personal data of individuals.
2. It controls what can be done with any personal data.
3. It requires people to know what is being done with their information and requires consent or another lawful basis to process personal data.
4. People have a right to know what information is held about them, and they can request that it be deleted or corrected.
5. The information must be properly protected and only used in an appropriate manner.
6. If the information is lost or stolen, or accessed without authority, the Data Privacy authorities must be notified and potentially the people affected as well.
7. Very importantly, there are limitations on the information being used for purposes other than the original purpose for collection.
8. Once the information is no longer required for the purpose, it must be deleted.
Fines can be imposed on companies breaching the regulation; these can be up to €20 million or 4% of the business’s turnover, whichever is higher.
What is the CCPA?
The California Consumer Protection Act (CCPA) came into effect on 1 January 2020. The act gives California-resident consumers rights regarding the collection of their personal information and requires companies to comply with those rights. A company outside California may need to comply with the CCPA, depending on how it interacts with Californian consumers.
Rights and obligations are:
1. Businesses must notify consumers of their data collection practices: the categories of data collected, the source of the information, how they use it, and who they share it with.
2. Businesses must disclose information about consumers’ CCPA rights.
3. Consumers have a right to know what is held about them and to request deletion of information.
4. Consumers have a right to request that their information not be sold to any third parties.
The CCPA is due to be replaced by the CPRA (California Privacy Rights Act) in January 2023, and we will provide a seamless upgrade for our clients.
How we have bundled the GDPR and CCPA.
As the GDPR is by far the more comprehensive regulation, we suggest that companies go through full initial and ongoing compliance using our GDPR service.
This includes:
1. Organizational Compliance workflow – HR, IT and Security, and Marketing.
2. Data Mapping.
3. Privacy Notices and Governance Policies.
4. Employee policy communication and acknowledgment.
5. Processor and Data Sharing Agreements.
6. Data Protection Impact Assessments.
7. Data Subject Access Requests.
8. Breach logs.
9. Records of Processing Activities.
Elements of the GDPR data mapping can be reused to develop and generate the CCPA privacy policy. In addition, certain GDPR processors may also be CCPA service providers. These items are copied to the CCPA area and amended as required; the CCPA section then has its own specific areas that need to be created and managed.
These are:
1. Compliance audits of the following areas – Governance, Incentives, Do Not Sell, Consumer Access and Security Controls.
2. Data Mapping – specific to CCPA.
3. Governance policies and policy communication and acceptance.
4. Request to know and Request to delete workflow and management.
5. Full “Do not sell my personal information” (DNSMPI) consent management.
We have consolidated management dashboards that show all of the compliance statuses across regulations and companies in the group.
We provide a comprehensive and thorough solution for collaborative data privacy compliance across multiple regulations. We can build a package to suit companies with group structures whose subsidiaries fall under multiple regulations.
Conclusion.
Currently we offer data privacy compliance covering the regulations of GDPR, UK GDPR, CCPA, Turkish KVKK, Brazilian LGPD, Thailand PDPA, South Africa POPIA and Nigeria NDPR.
A company trading in any combination of these can use our service for multi-regulation, multi-company compliance.
Contact us to assist you in structuring a package to suit your company’s needs.