GDPR and CCPA are both new data privacy regulations. How do their training requirements compare?
GDPR and CCPA are similar regulations created to protect personal data. Both are new, having gone into effect in the last few years. GDPR provides protection for EU citizens, while CCPA provides protections for California residents. Companies with operations in the EU or in California need to comply with GDPR or CCPA, respectively.
GDPR was created and implemented first. As such, CCPA heavily resembles GDPR, though there are key differences. CCPA is still a moving target as there is a proposed expansion to CCPA called CPRA — California Privacy Rights Act, which will likely be on the ballot in California in the fall of 2020.
The most significant similarity is the individual, or data subject, rights created by each regulation. Both GDPR and CCPA create individual data rights. While the intent is the same, the specific rights granted vary slightly from regulation to regulation.
At the highest level, CCPA and GDPR agree that organizations need to be transparent about the data they collect and how they use that data. And both CCPA and GDPR grant individuals rights that require companies to perform certain actions when consumer requests are made.
One of the goals of both GDPR and CCPA was to empower individuals to be able to make informed decisions about the data companies collect and how that data is used. The penalties are high for companies that do not respect data rights, both from the regulations themselves as well as from reputational harm. GDPR has more significant penalties.
Data rights and privacy are increasingly considered a human right. GDPR and CCPA have formalized these rights. It is now an expectation that organizations respect and enforce these data rights for their users.
The following table highlights the requirements of both CCPA and GDPR in terms of data rights.
* A new California regulation called CPRA, which will likely be on the ballot in the fall of 2020, extends this right to include all personal data, whether collected directly or through third parties.
In order to comply with both CCPA and GDPR, organizations must conduct privacy training.
GDPR [defines](http://data.consilium.europa.eu/doc/document/ST-5419-2016-INIT/en/pdf) explicit training requirements:
CCPA also [defines](https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180AB375) explicit training requirements:
With both CCPA and GDPR, individuals that are consumer-facing should receive special training. Employees handling data subject requests from individuals need to understand the subject rights created by the regulations in order for the organization to be in compliance.
Both GDPR and CCPA training should be conducted at onboarding for new employees, whenever changes are made to compliance policies and procedures, and on a regular cadence, with annual being the longest acceptable interval.
While similar, the training required by GDPR and CCPA is not the same.
In addition to the above training requirements, Article 25 GDPR defines the principle of data protection by design and by default. It states: "The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed."
Article 25 goes on to state that this requirement can be met with a certification, which has yet to be defined. In Haekka's experience, having led or been involved in thousands of audits and security assessments, we have not seen a security certification that does not require training of all staff. In order to implement security by design, privacy needs to be part of the culture of an organization, and training the entire workforce is an essential component of this. CCPA has no equivalent requirement.
Additionally, GDPR requires special training for the data protection officer. CCPA does not require this training.
Technologies cross borders. This has made it possible, and increasingly likely, that technology companies need to comply with both GDPR and CCPA. By designing and implementing a proper compliance training program, organizations can ensure compliance with both GDPR and CCPA training requirements.
The key first step to integrating multiple data regulations into one manageable compliance program is policies. The policies need to be mapped to controls and requirements across both regulations. It is a one-to-many relationship of policies to regulatory controls.
These policies then waterfall into procedures and implementations. As long as the mappings from policies address all of the requirements of both CCPA and GDPR, or whatever regulations your organization must comply with, the procedures and implementations should be complete enough to address those regulations.
The caveats to this automatic cascading of mappings are 1) data protection officers and 2) employee training. For small to medium-sized organizations, the data protection officer issue is resolved by having one data protection officer for all regulations. Larger entities will sometimes assign a unique individual to each regulation.
When it comes to training, security awareness training is the same regardless of data regulation, but privacy training, or training specific to the data regulation, is unique. To solve this challenge, privacy training that applies to both GDPR and CCPA needs to be developed or purchased. In the case of GDPR and CCPA, the training needs to be given to the right groups, namely the groups that process data subject requests for EU citizens and California citizens, respectively.
Haekka offers training that ensures all of the above. Our customers hire us to solve compliance training, both privacy and security awareness, in its entirety. Onboarding is a breeze and audit proof is automatic.
Below are some links to learn more about CCPA and GDPR training.