Privacy Regulation: Next Stop, California

Published on Thursday, October 3, 2019 - 14:49 by Peter Galdies

The GDPR is now over a year old, but this is not the end of new data protection regulation. Companies are now being urged to prepare for another set of wide-ranging rules emerging from the US state of California: the California Consumer Privacy Act (CCPA).

Because of its economic significance, California has long shaped the international regulatory agenda. In the months ahead it looks set to do so again.

Signed into law on 28th June 2018, the CCPA takes effect on 1st January 2020 and will affect companies based in California or doing business with California residents, wherever those companies are located.

Will the CCPA apply to your organisation?

The CCPA applies to for-profit businesses that collect personal information from California residents and meet any one of three thresholds.

  1. Annual gross revenue of more than $25m. 
  2. Annually buying, receiving, selling or sharing the personal information of 50,000 or more consumers, households or devices. Size does not matter here: a business well below the revenue threshold is still in scope, and "devices" means that if you hold records for 50,000 connected products you have sold (e.g. cars, fridges, phones), the CCPA will apply to your organisation.
  3. Deriving 50% or more of annual revenue from selling consumers' personal information.

It’s fair to say that most global businesses will fall into one of these categories, and these organisations should be concerned as the penalties for non-compliance can be severe.

The CCPA provides for both civil penalties, enforced by the California Attorney General, and a private right of action for consumers whose personal information is exposed in a breach caused by a failure to implement reasonable security. Statutory damages under the private right of action range from $100 to $750 per consumer per incident, with no need to prove actual loss. So, if your organisation suffers a data breach that leaks a million individual records, you could be looking at a claim of up to $750,000,000.

It is also important to consider the global damage to trust an organisation will suffer should it be found non-compliant. Many other US states and national legislatures are implementing new data privacy laws, producing a complex and divergent worldwide set of rules that global organisations must manage effectively; the CCPA is just one more example. Navigating this shifting patchwork of privacy rules is likely to be a significant and ongoing challenge.

How to mitigate the risks

The CCPA imposes a series of obligations on businesses, centred on transparency about what personal information is collected and on honouring consumers' choices about how it is used. It also gives individuals a range of rights: the right to know what personal information is collected about them and how it is used and shared, the right to access that information, the right to have it deleted, and the right to opt out of its sale. Unlike the GDPR's consent model, the CCPA is largely an opt-out regime, so the practical burden is on tracking and honouring those requests rather than on collecting consent up front.

To manage the risk, the organisation must first identify and understand the personal data it collects and processes, including data collected in the preceding 12 months, since an access request can cover that whole period.

It must then examine the controls it has in place to ensure it meets those obligations. This includes security systems, data lifecycle management (retention and deletion) and third-party relationships, in particular any party to whom personal information is sold or shared.

We often find that businesses fall at this first hurdle by failing to have a robust and in-depth process for the ongoing documentation and management of the organisation's personal data assets. Frankly, they are often unaware of the data they are responsible for.

GDPR vs CCPA – what have we learnt from the enforcement of the EU privacy laws?

The GDPR was a wake-up call for organisations in Europe.

The GDPR's penalty structure differs from the CCPA's: administrative fines of up to €20m or 4% of global annual turnover, whichever is higher, rather than per-consumer statutory damages. These fines are only just starting to be applied, but in some cases the proposed penalties have been severe; the ICO has issued notices of intent to fine British Airways (£183m) and Marriott International (£99m) for breaches under the GDPR.

Yet even with these eye-watering fines, we have still seen evidence that many organisations treated the implementation of the GDPR as a one-off, tick-box activity. They have not built business processes in a way that ensures they stay consistently compliant and on top of the ever-evolving regulatory landscape. Certainly, they have not implemented the "Privacy by Design and Default" approach that the GDPR stipulates.

This is evident in DQM GRC’s 2019 research report “Privacy, Value and Ethics: Coping with the cautious consumer”, which examined the current attitudes to the GDPR one year on from both businesses and consumers.

Over 60% of the organisations interviewed felt that they were compliant with the GDPR. However, only 1.8% had actually completed a Data Protection Impact Assessment (DPIA).

This contradicts the core principle of "Privacy by Design and Default", and suggests that, in reality, there is still a fair way to go, especially given the complex and ever-changing ways organisations use and manage data over time. It is likely that now, over a year after implementing their GDPR changes, many organisations will have drifted back into non-compliance.

Further regulatory advances in data protection are expected

Data science is continuing to advance and technologies such as machine-learning and AI can give businesses a huge competitive advantage. As the demand grows and usage evolves, we expect regulation to also advance so it can continue to provide the adequate and necessary protection for individuals.

Individuals are also starting to recognise the value of their data. According to the DQM GRC research report, the rise in awareness of data protection laws has been remarkable: 45% of consumers say they now know all about the GDPR, while nearly one quarter (22.7%) are reasonably aware but have yet to absorb the detail.

This will result in a new consumer mindset of "how can I make my data work for me?", and the value exchange between individuals and organisations will become more overt. Legislation will need to evolve to reflect this.

Eventually, we could see a global alignment of privacy rules and practices (the GDPR is already being used as the basis for many new data laws). Until that happens, global businesses face the complex job of managing privacy across all of their customer jurisdictions.

How can DQM GRC help?

If you are concerned about the CCPA, our consultants can help you navigate this complex set of legislation and work with you to reduce your risk.

Our unique privacy-by-design experiential training workshop can also help your wider teams understand how embracing both the CCPA and the GDPR can make your organisation operate more effectively.

Ensuring every function across a project develops an understanding of the importance of privacy - ahead of introducing new technologies - will inspire proactive, long-term change that will produce real results; not only in reducing business risk, but also improving products for customers.

To find out more about how we can help your organisation, call us now on 01494 442900 or complete our enquiry form.
