The General Data Protection Regulation (GDPR) that became effective in May 2018 brings substantial compliance challenges for every organization that collects, processes, stores, and transfers personal data on citizens of the European Union. Over the last few years, we have helped numerous clients become and remain compliant with the GDPR and other, increasingly strict privacy regulations.
To get a broader understanding of the impact that data privacy regulations like the GDPR and the new California Consumer Privacy Act (CCPA) have on the compliance activities of organizations, we conducted a short survey* at the end of 2019. In this and the coming blogs, I will share the results and draw some careful conclusions.
Of the respondents in our survey, 41% indicate that they collect some kind of personal data on citizens in the EU. Of these respondents, only 71% said they are currently compliant with the EU's General Data Protection Regulation. The others indicate they are in the implementation phase, have not yet started to implement a solution, or simply do not know.
One of the first serious American counterparts of the GDPR is the California Consumer Privacy Act (CCPA) that came into effect this January. The CCPA is designed to give California consumers ownership and control of their personal information, and the right to hold businesses accountable for such information that they collect and handle as part of their operations.
The CCPA is the first of its kind, and so far 17 additional states are following its lead.
We asked the respondents whether they conduct business with California consumers or businesses: 60 percent said yes, and 6 percent indicated they do not know.
When we asked the companies that do conduct business in California whether they had performed a data protection impact analysis, just over half said they had.
For companies that either collect personal data on citizens of the EU or conduct business with consumers or businesses in California, we highly recommend conducting a thorough Data Protection Impact Assessment (DPIA).
To be compliant with privacy regulations, an organization should always be able to identify exactly where data is stored. A thorough assessment identifies the potential conflicts that arise from how the organization uses customer data in this age of strict privacy regulations.
This is an effective process to help you minimize the data protection risks of your business. An effective impact analysis not only identifies the risks, so you can act to avoid them, but also helps you demonstrate accountability and build trust and engagement with individuals.
The Information Commissioner’s Office in the UK provides a good primer on conducting a DPIA within your organization, including a template to get started. You can visit their site for more information.
This infographic shows all the statistics from our survey. In the next blogs, I will discuss in more detail how legal professionals deal with the challenges of privacy regulations.
* The outcome of this survey is provided for informational purposes only and should not be construed as (legal) advice on any subject matter. ZyLAB expressly disclaims all liability in respect of actions taken or not taken based on any or all of the outcomes of this survey.