The global privacy legislation landscape continues to be a complex sea to navigate. To date we have seen 117 omnibus laws (such as the GDPR) and another 28 sectoral laws (such as the CCPA) come into play. We are expecting more amendments to the CCPA and LGPD, and there seems to be no end in sight to countries and regions bringing their own legislation into effect over the coming months.
So in this sea of regulatory uncertainty, how do you keep your privacy program afloat?
GDPR, LGPD and CCPA: Overlap and outliers
As expected, the GDPR has created a rising wave of privacy regulations sharing a common goal of giving consumers ownership over their data. While the GDPR has certainly set the stage for global privacy legislators, it is important to note that not every law is fully comparable, most notably the LGPD and the CCPA. As noted, the GDPR and LGPD are omnibus laws covering a wide spectrum of privacy concerns, including data transfer, data security and data breaches. The CCPA, on the other hand, applies only in the State of California and mainly deals with consumer data rights.
Even within the GDPR, there is the potential for differences in obligations as EU member states are able to enact their own national laws to supplement the GDPR.
When looking at the GDPR, CCPA and LGPD, it is clear there is a fair amount of overlap, especially where data subject rights are concerned. Looking at the overlap also makes the “outliers” clear: the elements of a law that are specific to a single jurisdiction, such as particular deadlines or time constraints.
An accountability approach: A life raft for privacy compliance
An accountability approach to compliance means organizations implement and embed relevant policies, procedures and other measures throughout the organization, and assign responsibility for these activities to be completed. Ideally, the activities are also reviewed on a regular basis (for example annually). As a result, documentation, such as minutes of meetings, memos preparing decisions, the actual policies and procedures, and log files are produced and can serve as evidence to demonstrate compliance to regulators and other stakeholders.
When we began preparing organizations for the GDPR, Nymity mapped the text of the Regulation to the Nymity Privacy Management Accountability Framework™ and identified 39 Articles requiring evidence of a technical or organizational measure in order to demonstrate compliance. Those 39 Articles mapped to 55 privacy management activities (technical and organizational measures) that, if implemented, may produce documentation to demonstrate compliance with the requirements (the remaining 60 provisions do not require evidence of a technical or organizational measure to demonstrate compliance).
Taking a similar approach for the CCPA, we have identified that nine of its 23 provisions require evidence of a technical or organizational measure in order to demonstrate compliance. These nine provisions have been mapped to nine privacy management activities. For the LGPD, Nymity has identified 43 privacy management activities, linked to 24 provisions of the law.
Getting started with compliance across multiple laws
With clarification from lawmakers on various elements of the CCPA still pending, and the LGPD having an estimated 133 amendments in process, organizations may not feel a sense of urgency when it comes to getting their compliance programs ready. However, we learned from the GDPR that developing a compliance program can be a lengthy process, so it is critical to get started as soon as possible. If your organization has put mechanisms in place to become GDPR compliant, you can leverage them to comply with the CCPA, LGPD and other privacy laws. The key is transitioning from a point-in-time GDPR project to a scalable, regulatory-agnostic and efficient privacy program.
We recommend a two-step approach to building compliance programs that can address multiple privacy laws:
- First, identify which of the mandatory privacy management activities for the law your privacy program is based on are already embedded in your organization, including the policies and procedures you have implemented to ensure compliance. Compare them with the new law you are dealing with and verify that all elements of the new law’s legal provisions are also covered by your internal policies and procedures.
- Second, review the privacy management activities that are considered mandatory for the new law you are working on but are not part of your existing data protection compliance program. It may be that you have already implemented these activities in your organization, for example as part of your security program. If so, you can repeat the check described above. If you have not implemented those activities, you will likely have to implement new policies and procedures to address the gaps.
Empowering privacy professionals around the world
The GDPR has set the stage for new privacy legislation from jurisdictions around the world. The introduction of a new law, or changing requirements of an existing law, will always require some effort to ensure ongoing compliance. While it may seem increasingly challenging to navigate the sea of privacy regulations, taking an accountability approach to compliance enables organizations to leverage existing accountability mechanisms to meet revised compliance goals.