What is GDPR?
On May 25, 2018, the European Union’s (EU) General Data Protection Regulation (GDPR) will take effect throughout all European Union member states. GDPR is a new regulation by which the European Commission intends to strengthen and unify data protection for individuals whose data is managed by organizations within the EU, and for the data of EU residents wherever in the world it is processed.
In short, every organization that does business in the EU must conform to GDPR standards. The GDPR applies to anyone doing business in the EU, so anyone selling into the EU or employing people there is subject to it. Many companies, particularly in the EU, are already well on their way to compliance. Most small to medium-sized businesses in the United States are unaware of GDPR. Other, larger entities are only beginning to consider the consequences of GDPR; they face months of hurried effort to align with GDPR requirements.
At its most basic level, the GDPR requires organizations to understand what information they hold, who has access to it and where it resides. Organizations then need to take the necessary steps to protect privacy-related user information.
What are the Penalties for Non-Compliance?
The GDPR, once in effect, is not a paper tiger: penalties for non-compliance may bankrupt some businesses. Businesses face penalties of up to $20 million or up to 4 percent of global “turnover” (gross revenue), whichever is greater, for non-compliance. For U.S. companies, which are likely to be data controllers rather than mere data processors, these fines could be substantial. EU data protection authorities will also be able to enforce penalties against the local representative of a non-EU data processor or controller, effectively giving those authorities indirect jurisdiction over non-EU data processors.
GDPR implementation is a complex undertaking that demands a step-by-step approach based on a shared vision among an organization’s IT department, legal department, line-of-business owners, and board-level executives. A lack of preparation for GDPR may bring significant, expensive and highly unwelcome repercussions.
The following sanctions can be imposed for non-compliance:
• For first-time violators and unintentional non-compliance, a written warning;
• Mandatory periodic data protection audits;
• A fine of up to 10,000,000 EUR or up to 2% of the annual worldwide turnover of the preceding financial year in the case of an enterprise, whichever is greater;
• A fine of up to 20,000,000 EUR or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is greater;
• The full scope of administrative penalties, in addition to civil remedies sought by injured parties.
On April 26, 2016, the European Union (“EU”) adopted the General Data Protection Regulation (“GDPR”) to enhance data protection rights for all individuals and unify regulation within the EU. GDPR will be implemented on May 25, 2018 after a two-year transition period.
GDPR extends the authority of EU data protection regulators to all foreign companies processing the data of EU residents. Data protection and privacy requirements are now mandatory for businesses handling the data of EU citizens.
California Consumer Privacy Act (CCPA)
The CCPA is the first comprehensive state-level privacy law in the U.S. It comes into force in 2020 and will apply broadly to businesses that collect personal information from California consumers, imposing extensive transparency and disclosure obligations. It also creates consumers’ rights to access their personal data and to request its deletion; to opt out of the sale of their personal data; and to nondiscrimination on the basis of their exercising any of their CCPA rights.
The California Consumer Privacy Act of 2018 was conceived and born in record time — two days — resulting in a comprehensive consumer privacy law that occasionally suffers from redundancy, drafting errors, and lack of clarity.
What sanctions and remedies do companies face under the CCPA?
According to the new Cal. Civ. Code §1798.155, companies can be ordered in a civil action brought by the California Attorney General’s Office to pay penalties of up to $7,500 per intentional violation of any provision of the California Consumer Privacy Act, or, for unintentional violations, if the company fails to cure the unintentional violation within 30 days of notice, $2,500 per violation under Section 17206 of the California Business and Professions Code. Twenty percent of such penalties collected by the State of California shall be allocated to a new “Consumer Privacy Fund” to fund enforcement.
According to the new Cal. Civ. Code §1798.150, companies that become victims of data theft or other data security breaches can be ordered in civil class action lawsuits to pay statutory damages of between $100 and $750 per California resident and incident, or actual damages, whichever is greater, and any other relief a court deems proper, subject to an option of the California Attorney General’s Office to prosecute the company instead of allowing civil suits to be brought against it.
California Consumer Privacy Act and EU GDPR compared
Companies around the world have been working feverishly on taking steps to comply with the EU General Data Protection Regulation, the first significant update of data protection laws in Europe for more than 20 years. The GDPR took effect on May 25, 2018, and required significant changes to documentation and data handling practices.
Some companies implemented many of their new privacy protection measures worldwide in the hope of avoiding further jurisdiction-specific updates for a while. The passage of the California Consumer Privacy Act has now raised the question of whether these GDPR-related compliance measures will be sufficient for the California residents they reach. Unfortunately, the answer is largely, “No.”
Quick Reference Guide: Highlights of Differences between GDPR & CCPA
CYBERDYNAMICX is a growing privacy management consulting practice that uses industry best practices and tools to help your business comply with data privacy regulations across sectors and jurisdictions, including the California Consumer Privacy Act (CCPA), the European Union General Data Protection Regulation (GDPR) and Privacy Shield.
We focus on working with emerging private-sector SMBs.
Telephone +1 805 666 2519