Back in 2016, when the European Union passed the General Data Protection Regulation (GDPR), relatively few American companies took notice. For many of these businesses, reality hit hard when the GDPR enforcement date loomed in 2018 and they realized (1) it really did apply to them, and (2) getting caught up would require a lot of work. Other countries followed suit with similar initiatives, and one month after GDPR was enforced, the state of California passed the California Consumer Privacy Act (CCPA), giving data privacy a permanent place in the U.S. regulatory landscape.
Recently I had the pleasure of leading BrightTALK’s “ask the expert” session on how data privacy will impact data management strategies in 2019. Here are a few of the answers our attendees submitted and the answers we discussed:
“Since algorithms are now covered under CCPA, how does that affect our use of machine learning and artificial intelligence (AI)?”
As inferences are considered personal data under CCPA, and inferences are typically drawn through algorithms, you need to consider that in your business plan for implementation of machine learning and AI technologies. It should be a conversation around what you see as trade secrets and whether they will still be protected in this new regulatory landscape.
“For CCPA, are organizations required to demonstrate compliance, and if so, how?”
The GDPR requires companies to maintain a record of processing activities (ROPA). CCPA does not have this specific requirement; however, you need to be able to show how your organization is using personal data. For this reason, we recommend that companies affected by CCPA also maintain a ROPA so that they have documentation to show regulators or potential business partners if called upon to do so.
“Under CCPA, what are the privacy requirements for what are known under GDPR as ‘data processors?'”
CCPA talks about third-party service providers, which are similar to data processors under GDPR. You have to think about your third-party contracts and make sure you’re governing which data processing activities your service providers can execute.
GDPR holds processors and controllers jointly and severally liable, so if a processor violates the regulation, the controller could also be held liable. CCPA is softer on this point, so if your processor makes a mistake, you as the controller would not necessarily be penalized or exposed to liabilities. You do want to make sure that (1) your contracts with third-party service providers clearly state what they can do with personal data, and (2) in the interest of transparency, you’re also disclosing to your data subjects how your third-party service providers use their personal data.
“Are there periodic audits or reporting expectations under these regulations?”
As of now, we are not aware of any plans among regulatory officials to conduct periodic audits, but that doesn’t mean they won’t be implemented in the future. It’s also important to be aware that you could be audited or reviewed at any time if, say, a customer or business partner were to file a complaint regarding your use of their personal data. So, while there has been no formal announcement of periodic audits, it would be wise to assume that an audit is in your future and to act accordingly.
Like what you see?
Executive Team member Jill Reber is a nationally recognized expert on data privacy — particularly GDPR, CCPA, and other data protection laws — and has spoken on the topic at conferences sponsored by American Banker, International In-House Counsel Journal, and other national and international organizations.