With the advent of the GDPR and the overwhelming attention it received, the layperson may have assumed it was the first privacy law ever to be passed. But there are over 700 data privacy laws and regulations worldwide, some dating back to the '80s. The EU GDPR was the first law with global repercussions that required extensive organisational changes, and the fact that non-compliance could result in severe penalties made everyone take notice.
Now that we are facing the ramp-up to the CCPA (California Consumer Privacy Act), coming into effect January 1, 2020, organisations are wondering how they can leverage all of the work they put into the GDPR to also comply with the CCPA, in addition to all of the other relevant privacy laws.
In part 1 of this blog series, we will discuss, on a theoretical level, how an accountability approach to compliance can help you efficiently manage and scale your program. In part 2, we will cover the practical side. We will examine case studies in which the Nymity Privacy Management Accountability Framework™ helped two companies take an accountability approach to the GDPR and prepare to leverage those activities for the CCPA and other new laws to come.
WHAT IS ACCOUNTABILITY?
The concept of accountability now has broad international support and has been adopted in the GDPR as a compliance obligation. As seen in Articles 5 and 24, the GDPR calls for organisations to put in place appropriate technical and organisational measures. Privacy offices dealing with multiple laws at the same time will benefit from having a core data protection program in place which will allow them to map to the requirements of the relevant legislation. This will also ensure they can demonstrate an ongoing capacity to comply and remain accountable.
COMPARING COMPLIANCE APPROACHES
Traditional Compliance Assessment Approach: Assess compliance with each requirement individually
Many organisations take the traditional compliance assessment approach. They identify all the laws that apply to them and determine the activities to put in place to comply with those laws. This works fine if you are in a single or a few jurisdictions and have many resources at your disposal, but it is difficult to sustain over time. With every new law you need to start from the beginning and map requirements to activities, which causes a great deal of duplicate effort.
Rationalised Rules/Requirements Approach: Identify common elements and address outliers
In this approach, historically popular in the financial industry, all relevant new laws are mapped against existing ones and a compliance rule set is created to address all of the common legal compliance elements in those laws. There are many disadvantages to this approach. It takes a great deal of effort to devise a rule set that addresses only the common elements, and then you still need to address the outliers. Plus, the more laws there are, the more unwieldy this approach becomes.
Accountability Based Approach: Leverage existing activities to comply with multiple laws
This approach begins with using a privacy framework to embed privacy management activities (technical and organisational measures) throughout your organisation, forming your privacy program. The privacy program serves as a strategic framework to help organisations put in place a robust privacy infrastructure that will facilitate compliance with multiple laws, and the framework is used to guide the specific privacy management activities and organisational measures that you embed throughout your organisation. As new laws come into effect, you can leverage the work that you have already done to comply with them.
COMPARING GDPR VS. CCPA
You may be surprised (and relieved) to learn that many of the policies and procedures that you have put in place for the GDPR can be used for the CCPA, as well.
Nymity has mapped the CCPA to the Nymity Privacy Management Accountability Framework™. We have identified nine Articles that require evidence of a privacy management activity (technical and organisational measure) in order to demonstrate compliance. Of those nine activities/measures, seven are also relevant under the GDPR and are thus likely to already be part of your privacy program.
Overlapping Privacy Management Activities Between the GDPR and CCPA
- Maintain a data privacy notice
- Maintain procedures to respond to requests for access to personal data
- Maintain policies/procedures for the collection and use of personal data of children and minors
- Maintain policies/procedures for obtaining valid consent
- Maintain procedures to respond to requests to opt-out of, restrict, or object to processing
- Maintain procedures to respond to requests for data portability
- Maintain procedures to respond to requests to be forgotten or for erasure of data
Privacy Management Activities That Do Not Overlap between the GDPR and CCPA
- Conduct privacy training reflecting job-specific content
- Maintain procedures to respond to requests for information
As you can see above, most of the privacy management activities that you may have in place for the GDPR can be extended or reused for the CCPA if you are taking an accountability approach to compliance. An accountability approach will work both for organisations that have made themselves GDPR ready, and for those that are just getting started with privacy compliance. In all cases, it will prepare you to comply with multiple laws and be ready for new laws coming down the road.
To learn more about how to take an accountability approach to compliance with multiple laws, download our webinar now.
Resources To Help You Operationalise Multi-Jurisdictional Compliance
Nymity Privacy Management Accountability Framework™
Thousands of organisations use the Nymity Framework™ to plan, structure and build an accountability based privacy program. It is an essential tool for leveraging your compliance efforts to meet the requirements of multiple laws.
Nymity CCPA Compliance Toolkit
If you are working on your CCPA compliance program, the Nymity CCPA Compliance Toolkit is now available for download. The toolkit:
- Maps the CCPA to the Nymity Privacy Management Accountability Framework™
- Presents a quick-look comparison between the GDPR and the CCPA
- Explains the Accountability Approach to demonstrate CCPA Compliance