From GDPR to CCPA: The importance of timely privacy compliance


The European Union’s General Data Protection Regulation (GDPR) has played a major role in influencing existing and new privacy regulations around the world. The majority of these legislations share a common goal, that of enabling people to have more control and ownership of their personal data.


While the one-year anniversary of the GDPR recently passed, much attention is now focused on the California Consumer Privacy Act (CCPA), which will enter into application on 1 January 2020. The legislation is still pending clarification from lawmakers on various elements, but if there’s a lesson companies doing business in California can take from the GDPR and apply to the CCPA, it’s that failing to adequately prepare for compliance puts you at risk of serious financial consequences.


GDPR and CCPA: The similarities


The CCPA legislation is not an omnibus style law like the GDPR but it has been inspired by it, predominantly around data subject rights. The main focus of the CCPA relates to individual consumer rights; the right to request information, the right to opt-out of data being sold, the right of deletion, and obligations on businesses to inform consumers of what personal data will be collected and for what purpose – at or before the collection takes place.


Companies that have successfully undergone compliance for the GDPR can replicate some of the steps taken to work toward ensuring compliance with the CCPA. For example, the mechanisms put in place to address data subject requests can be enhanced to address California’s consumer rights provisions.


Additionally, Article 30 of the GDPR contains several obligations relating to the ‘records of processing activities’. These require organisations to retain a record of, among other things, how and why they have processed customer data. This can be enhanced to document processing activities related to California residents’ information in order to comply with requirements with the CCPA.


Minimising time to compliance


Reporting on the status of your data privacy compliance might not have become a priority or focus for your business yet, but awareness on the issues of data protection is undoubtedly on the rise. More than three quarters (78%) of respondents to the latest Privacy Governance Report from the International Association of Privacy Professionals and Ernst & Young said the Board wants to hear about privacy. What’s more, progress on compliance (83%), data breaches (68%) and progress on privacy initiatives (61%) feature high on the boardroom agenda, according to the report.


What is clear is that you cannot afford to adopt a ‘wait and see’ approach when faced with preparing for compliance with legislation such as the GDPR, CCPA or any of the other multitude of privacy regulations coming into effect around the world today.


Acting now to put foundational procedures and processes in place to address consumer rights requests and creating a record of processing inventory will enable you to address many of the standard compliance obligations. It will also enable you to put a framework in place for a comprehensive privacy programme to mitigate risk and minimise the overall journey to compliance both now and in the longer term. Armed with this knowledge, what is really standing in the way of accelerating time to compliance in your organisation?



By Teresa Troester-Falk, Chief Global Privacy Strategist at Nymity


Teresa has over 20 years’ experience in law, including 14+ years as a global privacy professional. Prior to joining Nymity, Teresa served as Associate General Counsel (Privacy) for Nielsen, where she expanded the company’s global privacy programme as well as initiated and led key global and regional privacy and data protection programmes and strategies to advance the company’s privacy agenda.


Share your thoughts with our community of game changers