The rights to protect personal data vary significantly from one jurisdiction to another.
We are often asked about four similar but different regulations and statutes regarding Personal Data Protection: the EU GDPR, the UK GDPR, the CCPA, and the CPRA.
If you are part of an organization seeking GDPR, CCPA, or CPRA compliance, this short introduction will help you learn the basics and where to go for additional information.
These are the four most frequently referenced pieces of Personal Data Protection legislation, which, while similar, differ significantly in their detail. All four have recently changed in content and application, and further changes are coming. No wonder, then, that people get confused. Let’s begin with a definition …
'Personal data' is any information relating to an identified or identifiable natural person.
The General Data Protection Regulation (EU GDPR) is widely regarded as the world's most stringent privacy and security law. It applies throughout the EU and the wider European Economic Area (EEA).
Though it was drafted and passed by the European Union (EU), it imposes obligations on organizations anywhere in the world, so long as they offer goods or services to, or monitor the behaviour of, people in the EU.
The regulation came into force on May 25, 2018, and levies harsh fines against those who violate its privacy and security standards: up to €20 million or 4% of worldwide annual turnover, whichever is higher.
With the GDPR, Europe is signaling its firm stance on data privacy and security at a time when more people are entrusting their personal data to cloud services, and breaches are a daily occurrence.
The regulation itself is significant, far-reaching, and relatively light on specifics, making GDPR compliance a daunting prospect, particularly for small and medium-sized enterprises (SMEs).
The six most common applications of GDPR are:
The United Kingdom General Data Protection Regulation (UK-GDPR) is the UK’s data privacy law governing the processing of personal data of individuals in the UK.
The UK-GDPR exists because the UK left the EU, after which the EU GDPR no longer applied domestically in the UK. It is the EU text retained in UK law and is read alongside the Data Protection Act 2018.
There are very few substantial differences between the UK-GDPR and its EU equivalent.
Essentially, the UK has lifted the entire structure of the EU GDPR and put it into UK law. However, the UK-GDPR changes key areas of the law concerning national security, intelligence services, and immigration.
As with EU GDPR, any company or organization that processes personal data from individuals inside the UK must comply with the UK-GDPR – even if the organization isn’t itself located within the UK.
In June 2021, the European Commission (EC) adopted two UK data adequacy decisions (one under the GDPR and one under the Law Enforcement Directive). These decisions mean personal data can continue to flow from the EU to the UK without additional transfer safeguards such as standard contractual clauses. Both decisions carry a four-year sunset clause, so they expire in June 2025 unless renewed.
The UK government plans to introduce new data protection legislation before the end of 2023 that would reform rather than simply retain the UK-GDPR. If the UK regime diverges significantly from the EU’s, the EU could withdraw its adequacy decisions, which would disrupt UK-EU data flows and trade.
The USA has no comprehensive federal personal data protection law. The most stringent relevant law is the California Consumer Privacy Act (CCPA), a state statute in force since January 1, 2020, intended to enhance privacy rights and consumer protection for residents of California. The law created an array of consumer privacy rights and business obligations regarding the collection and sale of personal information.
The Act intends to provide California residents with the right to:
A key difference between the GDPR and the CCPA is scope: the CCPA protects “consumers”, natural persons who must be California residents. The GDPR protects “data subjects”, natural persons in the EU, without any residency or citizenship requirement.
Other US states have since adopted their own CCPA-style privacy laws, because in the absence of a federal statute each state decides on data protection matters. A federal solution would arguably be far more beneficial to American owners and users of personal data.
The California Privacy Rights Act (CPRA), also known as Proposition 24, is a ballot measure approved by California voters on November 3, 2020. It significantly amends and expands the CCPA and is sometimes called “CCPA 2.0”. Most of its provisions do not become operative until January 1, 2023, and it also establishes a dedicated regulator, the California Privacy Protection Agency.
The CPRA creates two additional rights:
By 2023, 65% of the world’s population will have its personal data covered under modern privacy regulations, according to Gartner, the global research organization.
As more and more social and economic activities occur online, the importance of privacy and data protection is increasingly recognized. Collecting, using, and sharing personal information with third parties without consumers' notice or consent is an equally serious concern.
Many data protection law initiatives continue to be passed and adopted. In 2022, more jurisdictions in Europe, the Middle East, the United States, and the Asia Pacific region are introducing or amending data privacy and protection laws.
According to UNCTAD, 137 out of 194 countries (71%) have put in place legislation to secure data and privacy protection.
Africa and Asia show lower levels of adoption, with 61% and 57% of countries respectively having adopted such legislation. The share among the least developed countries is only 48%.
Follow these links to get detailed information and advice…
We have chosen ISO 21001 certification because, unlike IRCA and Exemplar badges (which, in our opinion, are commercially compromised), it is based on independent third-party assessment. It is a ‘university grade’ standard used globally by schools, colleges, and universities to demonstrate competence.