Some organisations have been treating the GDPR as if it were a one-time project with an end date of May 25th. But that was just the beginning. The GDPR requires organisations to demonstrate ongoing accountability and compliance. And now that we are facing the ramp-up to the CCPA (California Consumer Privacy Act), coming into effect January 1, 2020, organisations are wondering how they can leverage all of the work they put into the GDPR to also comply with the CCPA – as well as all of the other relevant privacy laws.
In part 2 of this 2-part blog series, we will discuss, on a practical level, how an accountability approach to compliance can help you efficiently manage and scale your program. We will examine case studies in which the Nymity Privacy Accountability Framework™ helped companies take an accountability approach to the GDPR and prepare to leverage those activities for the CCPA and other new laws to come.
An accountability approach will work both for organisations that have made themselves GDPR ready, and for those that are just getting started with privacy compliance. In all cases, it will prepare you to comply with multiple laws and be ready for future laws.
What is an Accountability Approach?
An accountability approach to compliance enables you to leverage your existing privacy management activities to comply with many laws and produce appropriate evidence to demonstrate compliance. As was discussed in Part 1, you use a privacy management framework as your starting point to select specific privacy management activities/organisational measures that you embed throughout your organisation. The outcome of this is to ensure ongoing compliance. As new laws come into effect, you can leverage the work that you have already done to comply with those laws.
Comparing GDPR vs. CCPA
In part 1 of this blog series, we demonstrated that seven privacy management activities relevant to the GDPR are also relevant to the CCPA. Nymity has mapped both the CCPA and the GDPR to their Privacy Management Accountability Framework™ and found that the following activities overlap:
- Maintain a data privacy notice
- Maintain procedures to respond to requests for access to personal data
- Maintain policies/procedures for the collection and use of personal data of children and minors
- Maintain policies/procedures for obtaining valid consent
- Maintain procedures to respond to requests to opt-out of, restrict, or object to processing
- Maintain procedures to respond to requests for data portability
- Maintain procedures to respond to requests to be forgotten or for erasure of data
As you can see, the majority of the privacy management activities that you may have in place for the GDPR can be extended or reused for the CCPA, if you are taking an accountability approach to compliance.
The Accountability Approach: Complying with Multiple Laws
All of the activities required to manage privacy and appropriately process personal data have been identified and grouped into 13 categories in the Nymity Privacy Management Accountability Framework™, a single framework for building and maintaining a privacy program. The following are two business cases where the Nymity Framework™ has helped companies leverage their GDPR compliance initiatives to be ready to comply with multiple laws.
Blue Ocean Enterprises
Blue Ocean provides services to a privately held portfolio of companies. They used Nymity’s Framework™ to implement an agile privacy program that can respond to changes in laws and regulations, emerging threats, and consumer expectations. With a portfolio of both mature companies and startups, they have implemented a 4-step privacy program lifecycle for all:
- Identify requirements
- Assess their program against the Nymity Framework™
- Remediate the gaps
- Operate the program
Using Nymity’s Framework™, Blue Ocean has found that implementing a single technical and organisational measure could help them comply with several laws. And if they find a gap against the Framework, when they fill that gap for one law, it could also fill that gap for other laws at the same time.
Alexys Carleton, Director of Information Assurance & Privacy at Otter Products & Blue Ocean Enterprises, comments, “I’m a one-person Privacy Department. The Nymity Framework™ has really kept me on point during our GDPR readiness project, and I’m confident that we can demonstrate accountability, if required. I highly recommend you base your program on Nymity’s Framework™.”
McGraw-Hill Education
With offices in over 50 countries around the world, McGraw-Hill Education (MHE) has a broad scope of privacy laws with which to comply. When they set out to centralise the privacy programs from their individual offices, they used the Nymity Framework™ to build all of their documentation for a privacy program that would work for every jurisdiction.
Andy Bloom, Chief Privacy Officer at McGraw-Hill Education, comments, “The Nymity Framework™ helps us baseline what we are required to do, so that we can address those activities first. For example, with the CCPA, instead of doing an exhaustive analysis, we can check it against our baseline GDPR activities and then say, yes, everything is checked off or no, we need to change X, Y and Z.
The Nymity Framework™ helped us set up a program that is jurisdiction-agnostic. We still have to continue to review and stay on top of the laws, but it has helped us streamline and simplify our privacy activities across the board.”
To learn more about how to take an accountability approach to compliance with multiple laws and hear Andy Bloom and Alexys Carleton speak, first-hand, about their experiences, download our webinar now.
Resources To Help You Operationalise Multi-Jurisdictional Compliance
Nymity Privacy Management Accountability Framework™
Thousands of organisations use the Nymity Privacy Management Accountability Framework™ to plan, structure and build an accountability-based privacy program. It is an essential tool for leveraging your compliance efforts to meet the requirements of multiple laws.
Nymity CCPA Compliance Toolkit
If you are working on your CCPA compliance program, the Nymity CCPA Compliance Toolkit is now available for download. The toolkit:
- Maps the CCPA to the Nymity Privacy Management Accountability Framework™
- Presents a quick-look comparison of the GDPR and the CCPA
- Explains the Accountability Approach to demonstrate CCPA Compliance
Download the indispensable resources found in the Nymity CCPA Compliance Toolkit today.