The rights for the protection of personal data vary greatly from one jurisdiction to another.
We are often asked about four similar but different regulations and statutes regarding Personal Data Protection: the EU GDPR, the UK GDPR, CCPA, and CPRA.
If you are part of an organization that is seeking GDPR compliance, CCPA compliance, or CPRA compliance, this short introduction that we put together will help you learn the basics and where else to go for further authoritative information.
What we’re talking about are the four most frequently referenced pieces of Personal Data Protection legislation which, while similar, differ greatly in their detail, have changed recently in their content and application with further changes to come. No wonder then that people get confused. Let’s begin with a definition …
'Personal data' are any information relating to an identified or identifiable person.
- An identifiable person is someone who can be identified, directly or indirectly, by reference to an identification number or to one or more factors specific to his or her physical, physiological, mental, economic, cultural or social identity.
- The ‘data subject’ is the title given to the person whose personal data are collected, held or processed.
- In the EU and throughout the world, the rights of the data subject in relation to the processing, handling and storage of their personal data are codified in law (better in some jurisdictions than in others).
- And must be respected by all public and private sector organizations, as well as individuals in possession and/or control of such data.
EU GDPR (EU and EEA)
The General Data Protection Regulation (EU GDPR) is the toughest privacy and security law in the world. It applies throughout the EU and EEA area.
Though it was drafted and passed by the European Union (EU), it imposes obligations onto organizations anywhere globally, so long as they target or collect data related to people in the EU.
The regulation was put into effect on May 25, 2018, and levies harsh fines against those who violate its privacy and security standards, with penalties reaching into the tens of millions of euros.
With the GDPR, Europe is signalling its firm stance on data privacy and security at a time when more people are entrusting their personal data with cloud services, and breaches are a daily occurrence.
The regulation itself is large, far-reaching, and fairly light on specifics, making GDPR compliance a daunting prospect, particularly for small and medium-sized enterprises (SMEs).
Click on the image on the left to see the table in full size or click on the button on the right to see our GDPR Foundation Course
The six most common applications of GDPR are:
- EU PARENT COMPANY: If your parent company is registered in an EU member state, it is possible that GDPR compliance may be coordinated at that level. If so, you may be able to rely on parent company procedures.
- PERSONAL DATA STORED LOCALLY: It is likely that local data will be held that may not be captured by parent company processes. Examples might include HR/payroll and mobile phone contacts.
- LOCAL SUPPLIERS: You might consider formally advising local suppliers of your potential need to audit their processes for GDPR compliance, particularly where local suppliers are a key part of the supply chain.
- STAFF TRAINING: Training is required for everyone in the company, doesn’t matter the position, from the goods received clerk to the board of directors. Embedding GDPR principles in the company culture will be critical in achieving compliance. Therefore, while training is important, top management support is also critical.
- OFF-SITE STORAGE: When evaluating the results of a data audit, you should consider the status of archive documents which are held off-site. Particular consideration should be paid to documenting the control of such information when it is retrieved from the archive and re-introduced into the main body of company documentation.
- TRADING WITH NON-EU COMPANIES: If you are trading with entities in a 3rd country which does not have an adequate data protection regime, the transfer of personal data may only take place via a legal transfer mechanism.
UK GDPR (United Kingdom)
The United Kingdom General Data Protection Regulation (UK-GDPR) is the UK’s data privacy law that governs the processing of personal data from individuals inside the UK.
The UK-GDPR was drafted as a result of the UK leaving the EU, which resulted in the EU’s GDPR not applying domestically to the UK any longer.
There are very few substantial differences between the UK-GDPR and its EU equivalent.
Essentially, the UK has lifted the entire structure of the EU GDPR and put it in place into UK law. However, the UK-GDPR changes key areas of the law concerning national security, intelligence services and immigration.
As with EU GDPR, any company or organisation that processes personal data from individuals inside the UK is required to comply with the UK-GDPR – even if the organisation isn’t itself located within the UK.
In June 2021, the European Commission (EC) adopted two UK data adequacy decisions. These decisions mean that data flows between the EU and the UK can continue, and no additional safeguards are required.
The UK plans to introduce new legislation regarding data protection before the end of 2023 and to abandon UK-GDPR. Likely consequences will include loss of the EU data adequacy decision benefits and further disruption of UK trade with the EU.
Click on the image on the left to see the table in full size or click on the button on the right to see our GDPR Advanced Course
CCPA (California)
Personal Data Protection is not well developed in the USA. The most stringent relevant law is the California Consumer Privacy Act (CCPA, January 2020), which is a state statute intended to enhance privacy rights and consumer protection for residents of California. The law created an array of consumer privacy rights and business obligations with regard to the collection and sale of personal information.
The intentions of the Act are to provide California residents with the right to:
- Know what personal data is being collected about them.
- Know whether their personal data is sold or disclosed and to whom.
- Say no to the sale of personal data.
- Access their personal data.
- Request a business to delete any personal information about a consumer collected from that consumer.
- Not be discriminated against for exercising their privacy rights.
The difference between GDPR and CCPA is that the CCPA is designed to protect “consumers” who are natural persons and who must be California residents in order to be protected, while the GDPR protects “data subjects,” who are natural persons and do not specify residency or citizenship requirements.
Variants of CCPA have been adopted by other States of the USA, where the individual states decide on data protection matters. A Federal solution would obviously be far more beneficial to American owners and users of personal data.
CPRA (California)
The California Privacy Rights Act (CPRA), also known as Proposition 24, is a ballot measure that was approved by California voters on Nov. 3, 2020. It significantly amends and expands the CCPA, sometimes called CCPA 2.0. Most of the provisions of CPRA won’t become operative until Jan. 1, 2023.
The CPRA creates two additional rights:
- the right to correct inaccurate personal information; and
- the right to limit the use and disclosure of sensitive personal information.
Click the image for a copy of our GDPR Compliance Audit Form
What of personal data protection elsewhere in the world?
By 2023, 65% of the world’s population will have its personal data covered under modern privacy regulations, according to Gartner, the global research organisation.
As more and more social and economic activities take place online, the importance of privacy and data protection is increasingly recognised. Of equal concern is the collection, use and sharing of personal information to third parties without notice or consent of consumers.
Many data protection law initiatives continue to be passed and adopted. 2022 will see more regions in Europe, the Middle East, the United States, and the Asia Pacific introducing or amending data privacy and protection laws.
137 out of 194 countries had put in place legislation to secure the protection of data and privacy.
Africa and Asia show different levels of adoption, with 61% and 57% of countries have adopted such legislation. The share in the least developed countries is only 48%.
For further information
Follow these links to get detailed information and advice…
- Complete guide to GDPR compliance at GDPR.EU
- Guide to the UK General Data Protection Regulation (UK GDPR)
- California Consumer Privacy Act (CCPA)
Related Articles
- GDPR, ISO 27701 and ISO 27001: a natural combination
- Documenting GDPR and ISO 27001: What's the Best Strategy
- Free ISO 27001 Implementation Handbook (100+ pages)
- Navigating the fifty-six ISO 27000 Series of Standards
deGRANDSON Global is an ISO Certified Educational Organization
In
October 2021, we secured certification to three education-related ISO Standards. We now have a university-grade management system in place conforming to the requirements of …
We have chosen ISO 21001 certification because, unlike IRCA and Exemplar badges (which, in our opinion, are commercially compromised), it is based on independent third-party assessment. It is a ‘university grade’ standard in use globally by schools, colleges, and universities to demonstrate their competence.