A Review of GDPR and CCPA

5 MIN READ

This article is the 2nd in a series. Read the introduction article:
​"Why Data Privacy Matters."

So you know what your data looks like. You know what it is used for. You have a sense of who touches it and who uses it. Now what? Now, you educate yourself on data privacy.
​
If you have data, you need to protect it. I had the opportunity to speak to this on a webinar hosted by FormAssembly on August 21, 2019. I joined Maggie Tharp at FormAssembly to talk about the data privacy landscape in 2019, and evolving regulations and best practices. Check out the Webinar Recap: California Privacy and How It Affects You. On the webinar, Maggie and I discussed The General Data Protection Regulation (GDPR) as well as the California Consumer Privacy Act (CCPA) which will go into effect on January 1, 2020. As FormAssembly’s guest presenter, I spoke to the implications for nonprofit and educational organizations who may not have people or processes in place to specifically track data privacy and how it impacts organizations. In my Webinar Recap, I share some key insights that I shared on the webinar.

​As a follow up to their Data Privacy Deep Dive Webinar Series, FormAssembly recently published their white paper, State of Data Privacy in 2019. In this guide, they talk about the data privacy landscape in the United States, the new data privacy laws in other U.S. states, where businesses stand, and tips on better data stewardship.

Share State of Data Privacy 2019 with Your Operations Leadership

​“Of organizations that the CCPA applied to (55 out of 143), 42% were very prepared, 33% were somewhat prepared, and 25% were not prepared.”

​A realistic next step to prepare for CCPA is to have a discussion with the relevant leaders of your organization and determine your level of preparedness. Review FormAssembly’s white paper, State of Data Privacy in 2019 and give your organization a rating of Very Prepared, Prepared, Somewhat Prepared, or Not Prepared.

Depending on what your team decides, make a plan to move your team to Prepared or Very Prepared.

I’d like to share some highlights from the guide, and weave in some of my own best practices. These tips come from working with small to large, local to virtual organizations across California in developing and implementing data privacy business processes and protocols.

​The CCPA is similar to Europe’s GDPR in many ways, but in contrast, the CCPA allows individuals to opt out of their personal information being sold by businesses. The focus of the CCPA is more narrow than the GDPR because it applies only to businesses in the state of California whose revenue is above $25 million, or to businesses that primarily sell consumers’ personal information.

Because the CCPA allows users to opt out, businesses will need to have systems in place for users to

1. know what data is stored on their behalf, 
2. request a copy of said data, and
3. request the update or deletion of that data.

Talk to your teams and use a data dictionary to document what data is available, what can be requested, and what can be updated and/or deleted.

Determine who is responsible for managing each data element.

​Design a process to send data to users and to delete data if requested.

---

43% of businesses have one or more people dedicated to privacy-focused roles.

With less than half of businesses having a dedicated person to track and manage data privacy, it is important that your organization ensure someone on the team is responsible for this effort.

​In my Webinar Recap, I suggest that the best way to get started is to identify a data governance champion or lead. This person may be involved in data governance already, involved in tracking legislation and writing contracts, and/or responsible for reporting or analyzing data. Once identified, the role, authority, responsibilities, expectations, and timeline should be communicated internally. Charge her/him with defining a way forward, and be clear on how that plan sets the foundation for January 1, 2020 and beyond.

---

49% of respondents have a documented process in place for allowing customers to access, delete, or rectify their information and 54.5% have received requests for this in the past year.

Your organization may not need to follow these requirements because you do not meet the eligibility (e.g. your revenue is below $25M). However, your constituents may still desire to understand how their data is used by your organization, so you should be prepared.

​Have at least one process documented that stipulates who is responsible for reviewing requests, and what are the possible options in responding to inquiries. For example:

• You can use FormAssembly to build a short form (check out the 19 Web Forms by the FormAssembly Team) that requests contact information, gives a short description of data available, and gives a list of possible next steps (e.g. request a copy, delete my data). 
• You can also use Salesforce to set up a web-to-case form to request similar information, and embed that into an appropriate page on your organization’s website.

​Read my next article “How You Can Protect Your Data” (under construction) for more tips and tricks to manage and protect your data.

Want support developing a data governance strategy?
Data governance helps organizations manage their stakeholder data and protect it from being abused, stolen, or lost. AdvancED can help you design an effective data governance strategy that will describe the steps to analyze, secure, store, and manage your organization’s stakeholder data. Schedule your free 20-min consultation now.
​

Related articles

• Article 1: Why Data Privacy Matters
• Article 2: A Review of GDPR and CCPA
• Article 3: How You Can Protect Your Data (stay tuned!)

​

About Author: Meredith "Mer" Curry

Mer has always had a passion for education and helping historically underrepresented groups achieve access and success to higher opportunities. She has consulted nonprofits, educational institutions, and businesses in addition to her volunteerism and mentorship of students.
Learn more about Mer at www.meredithcurry.com.