Training for GDPR vs CCPA - What you should know

Travis Good
September 3, 2020

GDPR and CCPA are both new data privacy regulations. How do their training requirements compare?

GDPR vs CCPA Primer

GDPR and CCPA are similar regulations created to protect personal data. Both are new, having gone into effect in the last few years. GDPR provides protection for EU citizens while CCPA provides protection for California residents. Companies with operations in the EU or California need to comply with GDPR or CCPA, respectively.

GDPR was created and implemented first. As such, CCPA heavily resembles GDPR, though there are key differences. CCPA is still a moving target as there is a proposed expansion to CCPA called CPRA — California Privacy Rights Act, which will likely be on the ballot in California in the fall of 2020.

The most significant similarity is the individual, or data subject, rights created by each regulation. Both GDPR and CCPA create individual data rights. While the intent is the same, the specific rights granted vary slightly from regulation to regulation.

At the highest level, CCPA and GDPR agree that organizations need to be transparent about the data they collect and how they use that data. And both CCPA and GDPR grant individuals rights that require companies to perform certain actions when consumer requests are made.

Data rights granted by GDPR and CCPA

One of the goals of both GDPR and CCPA was to empower individuals to be able to make informed decisions about the data companies collect and how that data is used. The penalties are high for companies that do not respect data rights, both from the regulations themselves as well as from reputational harm. GDPR has more significant penalties.

Data rights and privacy are increasingly considered a human right. GDPR and CCPA have formalized these rights. It is now an expectation that organizations respect and enforce these data rights for their users.

The following table highlights the requirements of both CCPA and GDPR in terms of data rights.

| Right | GDPR | CCPA |
|---|---|---|
| Right to Access | Yes | Yes |
| Right to Delete | Yes, to all data held by an organization | Yes, only to data collected from an individual, not data collected on individuals from 3rd parties* |
| Right to Opt-Out | No, not explicitly, but can be achieved through the Right to be Forgotten | Yes |
| Right to Data Use Transparency | Yes | Yes |


* New California regulation that will likely be on the ballot in the fall of 2020, called CPRA, extends this right to include all personal data, whether collected directly or through 3rd parties.

What training is required by GDPR and CCPA?

In order to comply with both CCPA and GDPR, organizations must conduct privacy training. 

GDPR [defines](http://data.consilium.europa.eu/doc/document/ST-5419-2016-INIT/en/pdf) explicit training requirements:

  1. Article 39 - one of the defined tasks of a data protection officer is awareness-raising and training of staff involved in processing operations; and
  2. Article 47 - the appropriate data protection training to personnel having permanent or regular access to personal data.

CCPA also [defines](https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180AB375) explicit training requirements:

  • Sections 1798.130 and 1798.135 of CCPA essentially say the same thing about training - Ensure that all individuals responsible for handling consumer inquiries about the business’s privacy practices or the business’s compliance with this title are informed of all requirements in Sections 1798.110, 1798.115, 1798.125, and this section, and how to direct consumers to exercise their rights under those sections.

With both CCPA and GDPR, individuals that are consumer-facing should receive special training. Employees handling data subject requests from individuals need to understand the subject rights created by the regulations in order for the organization to be in compliance.

Both GDPR and CCPA training should be conducted at onboarding for new employees, whenever changes are made to compliance policies and procedures, and on a regular cadence, with annual being the longest acceptable interval.

Are GDPR and CCPA training the same?

While similar, the training required by GDPR and CCPA is not the same.

In addition to the above training requirements, Article 25 GDPR defines the principle of data protection by design and by default. It states: "The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed."

Article 25 goes on to state that this requirement can be met with a certification, which has yet to be defined. In the experience of Haekka, having led or been involved in thousands of audits and security assessments, we have not seen a security certification that does not require training of all staff. In order to implement security by design, privacy needs to be part of the culture of an organization, and training the entire workforce is an essential component of this. CCPA has no equivalent requirement.

Additionally, GDPR requires special training for the data protection officer. CCPA does not require this training.

Using one compliance program to meet both CCPA and GDPR

Technologies cross borders. This has made it possible, and increasingly likely, that technology companies need to comply with both GDPR and CCPA. By designing and implementing a proper compliance training program, organizations can ensure compliance with both GDPR and CCPA training requirements.

The key first step to integrating multiple data regulations into one manageable compliance program is policies. The policies need to be mapped to controls and requirements across both regulations; it is a one-to-many relationship of policies to regulatory controls.

These policies then waterfall into procedures and implementations. As long as the policy mappings address all of the requirements of both CCPA and GDPR, or whatever regulations your organization must comply with, the procedures and implementations that follow from them should be complete for those regulations.

The caveats to this automatic cascading of mappings are 1) data protection officers and 2) employee training. For small to medium-sized organizations, the data protection officer issue is resolved by having one data protection officer for all regulations. Larger entities will sometimes assign a separate individual to each regulation.

When it comes to training, security awareness training is the same regardless of data regulation, but privacy training, or training specific to the data regulation, is unique. To solve this challenge, privacy training that applies to both GDPR and CCPA needs to be developed or purchased. In the case of GDPR and CCPA, the training needs to be given to the right groups, namely those that process data subject requests from EU citizens and California residents, respectively.

Haekka offers training that ensures all of the above. Our customers hire us to solve compliance training, both privacy and security awareness, in totality. Onboarding is a breeze and audit proof is automatic.

Resources for GDPR and CCPA

Below are some links to learn more about CCPA and GDPR training.