Click here for the complete white paper: Govern Your Data to Meet CCPA & GDPR Challenges

Both the Letter and Spirit of the Law Should Be Considered to Benefit Your Business
A roundtable was sponsored in Dallas to discuss the European Union’s General Data Protection Regulation (GDPR, implemented in 2018) and the California Consumer Privacy Act (CCPA) of 2018. A group of 11 experts attended, including several Chief Information Officers as well as data privacy, governance, and analytics experts. They represented diverse industries including software, electronics distribution, real estate, hospitality, technology consulting, banking, and payment systems. The CIO for a home products wholesaler and retail company facilitated the discussion and hosted the roundtable.

“I know the acronym GDPR, but that’s about it,” the host joked. “My company just started selling direct-to-consumer; we used to ship only to distribution centers and stores. So, I am eager to learn what GDPR and CCPA mean for my company.” He added, “There are at least ten states with similar laws on the horizon, but they are all different. I want to hear from those of you who’ve dealt with GDPR: how do regulation and litigation guide business practice?”

Key Takeaways

  • Start with a foundation you can build on
  • Follow the letter of the law – to a point
  • The spirit of the law helps your business
  • Governance and security work hand-in-hand

Regulations Vary, So Layer Your Compliance Strategy
“We’re using GDPR as the gold standard,” explained the electronics representative. “It encompasses 85-90% of the laws that followed. When CCPA passed, it wasn’t an unmanageable problem. On the contrary: we took our privacy policy and started adding all the things we wanted to shore up anyway.” He elaborated, “It is all about transparency for us. In the CCPA, the ‘right to be forgotten’ is equivalent to the GDPR language ‘right of erasure.’ So, we added language to cover both. GDPR is our foundational governance guide; then we will add California, Connecticut, Massachusetts, Canada, and so on.”

He then explained how he frames governance for his company leadership. “Our executive team wanted to leave cookie management to the browser companies, thinking that was adequate for GDPR compliance. Now, it is easier for me to say, ‘You can’t do that. Here is a company that just got fined for that.’”

He described another benefit of building on a foundation such as GDPR regulation. “Our data protection node is based in Germany because they have the strictest interpretation of GDPR. If we’re clearing the bar in Germany, we will clear any other country’s bar as well.” The hospitality representative agreed and outlined similarity to CCPA in the United States: “Exactly. If a Federal law takes effect here, it won’t trump any state law. We’ll still need to be compliant with the various state laws, including CCPA and any that follow.”

Click here for the complete white paper: Govern Your Data to Meet CCPA & GDPR Challenges