GDPR and CCPA: Everything You Should Know

You are currently viewing GDPR and CCPA: Everything You Should Know

Due to recent changes, data privacy is evolving across the globe.  The General Data Protection Regulation (GDPR) has transformed data legislation in Europe, while similar processes are taking place in California.

So what does this mean for businesses? In this article, we will outline everything you need to know about GDPR and CCPA. We’ll also show you how it could affect your company and the steps you need to take in order to stay compliant.

GDPR in a Nutshell

Our lives revolve around data. In fact, 93% of people regularly share their information digitally (Kaspersky). But is this safe? And what’s the alternative?

Most people recognize the importance of data privacy. Pew Research found that 74% of Americans considered it very important to control who can access their information (Time Magazine). Yet we continue to give our information away to anyone who asks.

What is GDPR?

Governments, in addition to consumers, are beginning to acknowledge the dilemma surrounding data privacy. In January 2012, the European Commission created a digital protection reform for the European Union (EU). A key component of this reform is the General Data Protection Regulation (GDPR).

GDPR gives EU citizens more control over their personal data. Under GDPR, businesses are required to follow certain regulations to protect the data and privacy of European consumers.

In 2016, GDPR was approved by the European Parliament, and it came into force across the EU in May of 2018 (Zdnet).

GDPR Compliance

GDPR applies to any organization operating within the EU. It also applies to organizations who serve customers or businesses within the EU. Organizations must ensure that they gather personal data legally. Otherwise, they can face penalties for failing to protect and carefully handle user information. Current legislation defines personal data as the following: 
  • Name 
  • Address 
  • Photos 
  • IP address 
  • Any other sensitive data that could be used to uniquely identify an individual (ie: genetic or biometric data) 
Additionally, GDPR includes a “right to be forgotten,” which allows individuals to request that their personal data be erased. After making this request, the organization has up to one month to respond to the individual.

What does this mean for businesses and individuals?

By having a single set of rules in place for the EU, it will be easier and cheaper for businesses to operate within Europe. Consumers will also have easier access to their data.

GDPR requires all businesses to report certain types of data breaches. This includes breaches that involve data loss or unauthorized access to personal data. Basically, anytime a customer’s personal information has been compromised, the organization is required to report it within 72 hours of becoming aware of the breach.

Failure to comply with GDPR can result in a fine, depending on the severity of the breach and the state of the company’s compliance. The largest GDPR fine issued so far is 50 million euros, when France fined Google in January of 2019.

GDPR and Email Phishing

GDPR has emerged as hundreds of malicious attackers seek to use customer data in order to craft phishing scams.

In early 2018, hackers took advantage of new privacy laws by sending phishing emails to Airbnb customers. The emails posed as an updated privacy policy. They encouraged users to follow a malicious link in order to view the full terms. Redscan uncovered the scam in May of 2018. They urge individuals to use caution when opening suspicious emails.

Obviously, GDPR cannot eliminate security breaches. Yet as businesses face greater penalties for data loss, they will require stronger security to combat these attacks.

The Road to Becoming GDPR Compliant

So, what should you do to become compliant? How can you make sure your business is operating legally under GDPR?

The following steps will help you evaluate your business’s current standing. You can then ensure that you are properly managing your data and create a process for responding to data breaches.

Review Data Handling Procedures

Thoroughly review all your data collection and handling procedures. Review current mailing lists to check for contacts in the EU countries for records of consent.

In addition to email, document all channels through which you receive data. Ensure that every employee is aware of the seriousness of GDPR compliance and understands the regulations for your company.

Ensure Compliance When Collecting Personal Data

When collecting data on websites, use clear language that allows the individual to provide explicit consent. If using a web form, clearly outline how the information will be used. As a best practice, include a cookie consent form on your website. 

Additionally, you should use an age verification notice when collecting personal information. GDPR requires parental consent before you can collect the data of any person under age 16.

If collecting data at an event or meeting, ask for verbal consent and include a checkbox or signature line to ensure that the individual has agreed to be emailed or contacted by your company.

Adding a “Country of Residence” field will allow you to validate which of your customers reside within EU countries.

Actively Manage Contacts Within the Database

Consider sending all active EU contacts a reverification email. This will renew their consent to receive emails from you and ensure that you are protected as a company under GDPR.

You might also consider adding a preference center on your website. This will give individuals the ability to manage their communication preferences directly. To remain GDPR compliant, the preference center should include clearly written descriptions as to what each subscription entails. For example, how often will you contact the individual, and how will their information will be used?

Update Your Privacy Policy Regularly and Notify Customers of Any Changes

Your privacy policy should clearly outline what information is being collected and stored. You should also provide a way for consumers to contact your organization.

Regularly notify customers of updates to your privacy policy. If necessary, you can ask individuals to opt in again.

Create a Data Breach Plan

GDPR requires organizations to report all data breaches within 72 hours of becoming aware of the breach. As an organization, you must be ready to respond to breaches in a timely manner. 

Start by providing employee training on responding to security breaches. Run campaigns to ensure that all employees know how to respond. 

As soon as the breach has been discovered, publish as much information as possible to the company website. Include details about how the company is working to resolve the breach. 

Additionally, you should notify any affected parties immediately. Again, communicate the measures your company is taking in order to mitigate any damage caused. You should also provide clear instruction on how to file complaints and receive assistance as necessary.

Continue to assist any affected customers throughout the process, and publish a plan that outlines how you will prevent future breaches.

Understanding CCPA

Like GDPR, the California Consumer Privacy Act (CCPA) protects individuals living in a designated area. The law gives California citizens more control over their personal data.

Right to Access Information

Under CCPA, California citizens have the right to know which information is being collected and how their personal data is being used. 

Specifically, they can request access to the following: 

  • Which categories of information are being collected and sold?
  • From whom was this information collected?
  • With whom is the information being shared and sold?
  • Why was the information collected?

Right to Deletion

In addition, California citizens have the “right to deletion,” which allows them to request that any personal information be erased from a company’s database.

Right to Opt Out

Finally, California consumers have the right to opt out of any subscription. They further have the right to request their information not be sold to third parties.

Connection with GDPR

Although the CCPA has been nicknamed “California’s Mini-GDPR,” the two regulations remain separate. 

One major difference between the two laws is their definition of “personal information.” According to CCPA, personal information is “anything that identifies, relates to, describes, or is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” 

Under this definition, virtually every digital interaction falls under CCPA. This makes it more important than ever for businesses to understand CCPA and learn how to become compliant.

How to Become CCPA Compliant

CCPA affects every company who interacts with California businesses or consumers. Knowing which of your customers reside in California will help you to maintain compliance and establish appropriate policies.

Establish Processes for Streamlining Consumer Requests

Companies must be able to respond to consumer requests regarding personal information. Having a policy in place will make it easier for companies to comply with these requests quickly and effectively.

Update Your Website and Privacy Policy

Like GDPR, CCPA requires customer consent before you can collect and sell data. On the homepage of your website, provide a clearly visible link that makes it easy for consumers to opt out of selling their data.

What’s Next for GDPR and CCPA?

The future of data privacy seeks to give individuals greater power in choosing how their personal information is used. For businesses, this makes compliance more important than ever. 

Determining what these new regulations mean for your business can be overwhelming. We can help you take the necessary steps to become compliant and create a process that works for your business. 

Here at CR-T, we take pride in providing enterprise-level IT services at prices that work for small businesses. Our team of experts can become your IT support department, responding to issues quickly, often before you even know about them. Covering everything from your servers and network infrastructure, to your computers, workstations and mobile devices, we provide end-to-end solutions for all your technology needs.

Time and experience have helped us develop best practices and workflow procedures designed to keep your focus on your business, not your technology.

Blog & Media

Cloud Services

Managed IT Support

Cyber Security

Project Services





Microsoft Products/Cloud

Amazon Web Services

Leave a Reply