How GDPR & The California Consumer Privacy Act (CCPA) Differ

April 11, 2019

By now, you’ve probably heard the phrase GDPR in some way, shape, or form. The General Data Protection Regulation (GDPR) has been in place in Europe since May 25, 2018, and aims to protect the personal data and privacy of EU citizens. GDPR also put into place strict rules and compliance measures for any organization that collects, stores, or processes data and information on this protected group.

The state of GDPR fines

As of March 2019, there have been around 90 compliance fines related to GDPR throughout Europe. While high-profile names like Google have been hit with multi-million dollar fines, smaller organizations are just as at-risk. In this digital age, protecting consumer data has become incredibly important, but it’s also become increasingly harder to stay compliant.

As more traditional industries take the leap to digitize operations, meeting GDPR compliance standards isn’t always easy. A hospital in Portugal was fined hundreds of thousands of Euros for multiple GDPR violations, which, when looked at alongside other fines and violations, showcases the limitations of GDP compliance preparation.

Protecting data outside of compliance

While many organizations are strategically bolstering compliance efforts and dedicating significant resources to mitigating this risk, there is no substantial evidence that these compliance measures are actually effective in reducing the risk of a data breach. In an ideal world, having strong GDPR measures in place should strengthen digital security measures across an organization. Half-baked strategies, however, or hastily patched-together solutions meant to meet the compliance deadline can actually allow data breaches to slip through the cracks.

Simply meeting compliance standards isn’t enough for many organizations. As organizations continue to become more digitally-focused and consumers share more private data with companies, protecting this data is more critical than ever. This has created a unique opportunity for innovative organizations and Information Security teams to turn to cloud technology, AI, and automation to help plug the gaps in the process. Additionally, even if one entity is compliant and protected, the rapid pace at which consumer data is shared with other companies (whether intentionally or subconsciously) makes it difficult to properly vet partners and vendors before opening up a digital connection.

Looking forward to new regulations.

While U.S.-based organizations that deal heavily with European data have started to jump on these compliance measures, other governing bodies are taking cues from GDPR that could impact more U.S. companies. GDPR, regardless of the issues or drawbacks, was put into effect to protect customer information and data, which is a good thing in the long run for information security efforts.

Recently, the State of California introduced the California Consumer Privacy Act (CCPA), the first U.S. state to pass a privacy law of this nature. Unfortunately, many companies are not adequately prepared for CCPA, even those who are compliant with GDPR. As of March 2019, here are some of the biggest differences between GDPR and CCPA:

  • CCPA protects ‘household’ identifying data as well as personal identifying data.
  • CCPA includes language designed to prevent discrimination or inequality of consumer data.
  • CCPA is limited to protecting the data and privacy of for-profit organizations only.

Because of the differences in the two regulations, mapping out the correct compliance strategy is becoming difficult for InfoSec teams. And, as more states and governments issue similar security regulations, companies must be able to easily add on to and change existing compliance strategy.

Even if your team isn’t directly involved with GDPR or CCPA at the current moment, it’s never too early to start thinking about and planning your long-term compliance strategy. With the right tools and partners in your corner, building a scalable, long-term compliance strategy is possible. You can learn more here.

information security cybersecurity privacy gdpr cloud services

About the author


The latest insights and updates on information security and third party risk management.