GDPR’s Chapter 3 is the chapter consumers care about the most – the rights of the data subject. This chapter is where the issues of transparency, the right to be forgotten, the right to object to the way the information is used are detailed.
Similar rights for CCPA are dictated in Section 2 (i) of the new law, and you can be sure the people in California have paid close attention to Chapter 3. It’s one thing to put those rights of the data subject down on paper, but in the year plus that GDPR’s been in effect, has Chapter 3 actually been effective? And what can those preparing for the CCPA learn from Chapter 3 before the CCPA goes live in January 2020?
Challenges in Meeting Chapter 3 Requirements
As ZDNet explained, “The types of data considered personal under the existing legislation include name, address, and photos. The GDPR extends the definition of personal data so that something like an IP address can be personal data. It also includes sensitive personal data such as genetic data and biometric data, which could be processed to uniquely identify an individual.” And with the GDPR, consumers have the right to know how their information is being used and if it is kept private or shared with third parties. These are issues covered in Chapter 3 requirements.
That doesn’t mean it has been easy meeting those requirements, as Thomas Jackson, Partner with Phillips Nizer, said in an email interview. One of the greatest challenges businesses have faced in meeting Chapter 3 requirements, he said, is putting in place the processes to manage the collection and storage of personal information and make it accessible in order to respond in a complete and timely fashion to the requests of data subjects to access, correct and delete their personal data.
To ensure they are meeting those requirements, Jackson said, organizations have to uphold certain responsibilities. “Among the principal responsibilities are complying the obligations of disclosure and transparency when collecting personal data, being able to rely on one or more of the lawful bases enumerated in the GDPR for collecting and processing the data, providing the data subject with that information and complying with requests of data subjects for access, correction and erasure of their personal data,” he explained.
The legal implications of not meeting the requirements are fines of up to 20 million euros or 4 percent of the total annual turnover worldwide of the preceding fiscal year, whichever is higher.
What Companies Have Learned
So, it’s been more than a year since GDPR went into effect. I asked Jackson what he thinks companies might have learned during that time on how to address data privacy and protecting the rights of the data subject in certain areas, including:
Content management: Implementing content management systems to making personal data readily accessible and ensure that the data are collected and used in a lawful manner can be time-consuming and costly.
Servicing data subject access/deletion requests: The importance of setting up and managing systems to ensure these requests are dealt with correctly and in a timely fashion.
Disclosure of collection and use of personal information: The need for transparency, including the importance of making complete and understandable disclosure in obtaining a data subject’s consent.
Comparing GDPR Chapter 3 with CCPA Section 2
Companies that are in compliance with GDPR have a head start on the CCPA. There are similarities and differences between the two, Jackson said. “For example, the GDPR gives data subjects the explicit right to correct inaccurate data and the CCPA does not,” he explained. “The CCPA requires businesses to comply with a consumer’s request to opt-out of the sale of personal data to third parties. Similarly, under the GDPR, data subjects may opt-out of the use of their personal data for marketing purposes and withdraw their consent.”
According to a comparison chart provided by Baker and Hostetler Law, one of the primary differences is how data ownership is defined. The GDPR has data subjects, those who are identified persons connected to the data. The CCPA has California resident consumers, who are employees or consume household goods and services. The scope, then, is much more narrow of who is protected under the CCPA than under the GDPR. Under the CCPA, personal data covers household as well as the consumer, while GDPR protection is for the data subject.
When it comes to the right to be forgotten, the two laws are very similar, but “the CCPA also allows businesses to refuse the request on much broader grounds than the GDPR.” However, this could complicate processes for businesses, as they must then track specifics on consumers and have methods for identifying requests that are able to be refused.
How to Meet Compliance
Whether it is the GDPR or the CCPA your company is seeking compliance with, there are a few tips to ensure you are ensuring data of customers (or data subjects) is used in a transparent way and that you are able to quickly follow the data owner’s wishes. These include:
- Know how data moves within the organization. Data mapping will let you know how data flows throughout the company, where it is stored, where it is used. This can also show you where you may have potential compliance violations.
- Know your vendors. Your vendors and contractors may handle customer data, but you are responsible for it. It’s up to you to make sure they are meeting GDPR and CCPA compliance.
- Provide training. Your employees can’t keep data private if they don’t know what compliance regulations are. Everyone who touches any personal data should be trained on the GDPR and CCPA.
- Have privacy policies in place. Training only takes you so far. Have policies in place so employees know what to do if there is a violation, if they have to meet requests to opt out or honor the right to be forgotten, or if there is a breach where data is compromised.
- Understand this is an ongoing learning process. These laws are evolving, so policies, training and data mapping procedures need to evolve right along.
“The importance of ensuring that the mechanisms are in place,” said Jackson, “gives businesses the capability of promptly and fully responding to data subject’s requests to exercise their rights regarding their personal data.”