GDPR, CCPA, LGPD and More: Staying Afloat in the Sea of Global Privacy Regulations
Teresa (T) Troester-Falk
Privacy Compliance Expert | Advisor on US, GDPR & Global Privacy Laws | AI Governance | Thought Leader | Strategist
Staying Afloat in the Sea of Global Privacy Regulations
This article first appeared in CPO Magazine April 17, 2019
The global privacy legislation landscape continues to be a complex sea to navigate. To date we have seen 117 omnibus laws (GDPR) and another 28 sectoral laws (CCPA) come into play. We are expecting more amendments to the CCPA and LGPD, and there seems to be no end in sight to countries and regions bringing their own legislation into effect over the coming months.
So in this sea of regulatory uncertainty, how do you keep your privacy program afloat?
GDPR, LGPD and CCPA: Overlap and outliers
As expected, the GDPR has created a rising wave of privacy regulations sharing a common goal of giving consumers ownership over their data. While the GDPR has certainly set the stage for global privacy legislators, it is important to note that not every law is fully comparable, most notably the LGPD and CCPA. As noted, the GDPR and LGPD are omnibus laws covering a wide spectrum of privacy concerns, including data transfer, data security and data breaches. The CCPA, on the other hand, applies only in the State of California and mainly deals with consumer data rights.
Even within the GDPR, there is the potential for differences in obligations as EU member states are able to enact their own national laws to supplement the GDPR.
When looking at the GDPR, CCPA and LGPD, it is clear there is a fair amount of overlap, especially where data subject rights are concerned. When looking at the overlap, the “outliers” also become clear: the elements of each law that are specific to a single jurisdiction, such as particular deadlines or time constraints.
An accountability approach: A life raft for privacy compliance
An accountability approach to compliance means organizations implement and embed relevant policies, procedures and other measures throughout the organization, and assign responsibility for these activities to be completed. Ideally, the activities are also reviewed on a regular basis (for example annually). As a result, documentation, such as minutes of meetings, memos preparing decisions, the actual policies and procedures, and log files are produced and can serve as evidence to demonstrate compliance to regulators and other stakeholders.
When we began preparing organizations for the GDPR, Nymity mapped the text of the Regulation to the Nymity Privacy Management Accountability Framework and identified 39 Articles requiring evidence of a technical or organizational measure in order to demonstrate compliance. Those 39 Articles mapped to 55 privacy management activities (technical and organizational measures) that, if implemented, may produce documentation to demonstrate compliance with the requirements (the remaining 60 provisions do not require evidence of a technical or organizational measure to demonstrate compliance).
Taking a similar approach for the CCPA, we have identified that nine of the 23 provisions require evidence of a technical or organizational measure in order to demonstrate compliance. These nine provisions have been mapped to nine privacy management activities. For the LGPD, Nymity has identified 43 privacy management activities, linked to 24 provisions of the law.