The General Data Protection Regulation (“GDPR”) became effective May 25, 2018 and requires businesses to comply with certain requirements when protecting and storing personal information of European Union residents or citizens. The California Consumer Privacy Act (“CCPA”), which introduces substantial amendments to consumer privacy and data protection law in California, was signed into law on June 28, 2018 and became effective January 1, 2020. More importantly, the CCPA became fully enforceable on July 1, 2020.
While the GDPR has been in force and enforceable for a few years, companies that do not do business in Europe or with European citizens have not had to worry about European data privacy regulations. Now that the CCPA is fully enforceable, any company doing business in or with a resident or household of California must comply with the new regulations. Even companies that are GDPR compliant will need to review their policies and procedures to ensure that they are also fully compliant with the CCPA because, while similar, the CCPA is not a carbon copy of the GDPR.
An important aspect of these regulations is providing individuals (data subjects) various rights over the personal information that companies collect about them. These include access and portability rights, deletion rights, and the right to object or opt out, to name a few. Failure to comply with either of these regulations can be costly. The GDPR caps fines at €20 million or 4% of worldwide turnover, whichever is larger. Meanwhile, the CCPA has fines of up to $2,500 per violation ($7,500 per intentional violation), but does not have a cap on the total amount of fines that can be assessed. With the cost of non-compliance so high, it would be unwise to ignore these regulations.
On top of all of the rights given to data subjects, companies must determine if they qualify as a processor or controller of personal data, as that classification changes the steps that must be taken to comply with these regulations.
In order to comply, companies need to pay particular attention to three areas: security controls, data management and automation. Companies must implement IT controls in line with best practices in areas such as encryption and access management. For data management, companies need to ensure that they meet the transparency requirements of the various regulations. Automation includes streamlining organizational processes to better enable the rights of data subjects, handle breaches and manage audit processes (both internal and external).
As a result of this renewed focus on data privacy, we at eBrevia have released new data privacy fields that can automatically extract information from your documents to help you determine and analyze whether you are in compliance. Utilizing a tool such as eBrevia allows contracts to be reviewed faster and with great accuracy, making sure that nothing is overlooked. The new data privacy form includes the ability to extract the following data points: Personal Data, Data Subject Rights, Data Retention, Data Breach, and Transfer of Personal Data.
The ability to extract this information from your documents is not only timely, but it is necessary to make sure that you do not run afoul of these regulations and risk getting fined. Given everything that has happened this year, the last thing you want to deal with is having a violation lead to fines, especially when it can be such an easy fix to review your contracts with eBrevia and determine if you are in compliance.
If you are interested in learning more about how eBrevia can assist with your data privacy needs and changing regulations, please see the following resources on our website: Solutions - Audit and Compliance.
You can also contact one of our Project Managers, Jason Sokel, directly at firstname.lastname@example.org for some expert advice and more information.