First, let’s say this: If you handle any personal information as a part of doing business…there is no question, you need to know about consumer privacy. Two key pieces of legislation you should understand are the General Data Protection Regulations (GDPR) and if you are doing business in California, the California Consumer Privacy Act (CCPA) of 2018 which was signed into law on June 28, 2018.
GDPR is described as the most important legislation concerning data privacy in 20 years. It runs under the assumption that European Union (EU) consumers own their data and that companies, businesses, governments, etc. must handle it with care. Organizations worldwide must adhere to the legislation or risk heavy fines. And by heavy, they can reach as high as 4% of global annual revenue which should motivate anyone and everyone to stay in compliance. To help with your efforts, we have compiled some of the common misconceptions about GDPR. Here is a list of things to watch out for:
Does GDPR apply to you?
Let’s make this simple: GDPR applies to anyone who handles personal data from EU consumers. This means any organization, no matter where they are located, can fall under GDPR compliance. Furthermore, companies that store personal data must be compliant as well as companies who process requests to reach personal data. Just because you are headquartered or operating outside the EU does not mean that you can avoid GDPR. The liability as well as the need for compliance remain the same.
Fraud prevention > GDPR compliance
You may think that following Know Your Customer (KYC) and Anti Money Laundering (AML) procedures supersedes GDPR compliance, but this is not the case. All of these compliance rules now have to work together. It can be easy to ask for large amounts of data for authentication purposes, but storing this data is no longer allowed. Under GDPR, you can collect personal data during the onboarding process for verification purposes, but storing it unnecessarily is no longer allowed. Furthermore, you can’t ask specific questions during access such as a date of birth and a specific address.
Only 72 hours to notify EU citizens about breaches
Many organizations are worried about the turnaround time for informing regulators about breaches. Ideally, if a company finds out about a breach they need to identify the nature of the breach, who has been affected, potential impact of the breach, how it happened and how it will be prevented in the future – all within 72 hours. Many organizations do not have such a breach containment plan in place though. While this may not see like adequate time, it’s important to note that the 72-hour time frame starts after the breach has been discovered, not after it has occurred. This gives organizations a little (but not much) time to implement their containment plan. You can request more time, but it may not be granted so every second should instead be focused on finding a resolution.
GDPR compliance only applies to online channels
False. If you are a company that stores personal data from EU consumers, GDPR applies to you. It doesn’t matter if you interact with these people in person, on the phone, online or some other way. GDPR applies to any entity that stores high amounts of data from EU citizens. One good example is a call center. Call centers store information from consumers such as emails, phone numbers, and addresses; therefore, they need to stay in GDPR compliance. The best way to reduce the risk of noncompliance at a call center is to verify the customer’s identity at the beginning of the call and lower the amount of personal data used during phone calls.
GDPR compliance can be tricky, but you can’t avoid it any longer – it officially went into effect at the end of May. GDPR is setting a new standard for the retention of personal data of EU consumers and is expected to influence how personal data in other countries will be handled as well. In fact, California just inked legislation to protect its own.
The California Consumer Privacy Act (CCPA) of 2018
On June 28, 2018 Governor Brown signed the California Consumer Privacy Act (CCPA) of 2018. It is the toughest consumer privacy controls to be enacted to date in the United States. The act has been hailed as California’s own version of GDPR and it is easy to see why. Although the bills are not exactly the same, this legislation makes it clear that GDPR is having a lasting effect on the global economy.
The bill, AB 375, was the result of a last-minute attempt to circumvent a stricter citizen initiative that was destined for the November ballot. This was done because ballot initiatives are extremely difficult to amend once approved. On the other hand, the legislative process is built to handle comments and improvements for legislation.
The CCPA affects all companies that do business in California and collect data. According to AB 375, consumers will now have the right to request from businesses the types of data being collected about them. Consumers can request that the data not be sold to third parties, the data be given to them in a portable format, and the data be deleted. Consumers can also initiate civil action if they believe an organization has failed to protect their personal data under the new law. All these mandates mirror similar requirements under GDPR.
Key differences between CCPA and GDPR
Despite their similarities, there are key differences between CCPA and GDPR. Businesses will be able to offer financial incentives for the ability to collect consumer data in California, which is not mandated in GDPR. CCPA safeguards consumers—a natural person who is a California resident—while GDPR safeguards persons. GDPR also speaks to Data Controllers and Data Processors while CCPA targets businesses. CCPA forces businesses to add a link to their homepage that says, “Do Not Sell My Personal Information,” and takes them to a page where consumers can opt in or out of the sale of their personal information. GDPR, in contrast, states that subjects must be provided with a clear and understandable explanation about how their data will be used. Regardless of these differences, CCPA, along with GDPR, will need to be addressed by most businesses.
Anticipated effect on California businesses
The CCPA will dramatically change how businesses handle consumer data in California. Big tech companies such as Google and Facebook will have to make major adjustments to how they handle their consumers’ data; otherwise, they risk facing sizable penalties for noncompliance. Many in the tech industry worry that the law will impact their ability to innovate on the behalf of consumers. Others argue that they should be able to do so without collecting massive amounts of consumer data.
Over the next 18 months, many tech companies will have to change their protocols to meet AB 375 requirements. Since some of these requirements are similar to those required by GDPR, many companies will not have to start their compliance measures from scratch. Microsoft, for example, has promised to comply with GDPR everywhere in the world they do business. This means GDPR is already having a global impact on business operations.
Other organizations have responded to GDPR much differently. Some media outlets, for example, blocked European Union consumers from viewing their websites in response to GDPR. This means they will have to either do the same in California or find a suitable response to comply with consumer data privacy laws.
Consumer privacy is here to stay. It is clear with this legislation that governments are taking data privacy very seriously and companies need to do so as well.
Tony Raval brings more than 15 years of leadership in data technology as the Founder and CEO of FrescoData and IDMERIT. He leads an executive team in Carlsbad, CA, including top data tech veterans to execute on his passion of creating a global data universe generating true and trusted intelligence.