A comparison of the regulatory obligations under the EU's General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). The table below lists high-level obligations for each regulation when an organization collects and processes personal data/information.

A comparison of the scope, individual rights and enforcement under the EU's General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). The table below lists high-level categories for each regulation when an organization collects and processes personal data/information.
Business Obligations

Governance - Data Processing Activities
  Two of GDPR / CCPA / CPRA: Document data collection use, processing, data protection and disclosure purposes
  The third: N/A (the source layout does not show which column)

Scope and Requirements

Individual Rights - portability and automated processing
  GDPR: Data files provided if warranted with validation, opt out for processing
  CCPA: Data files provided if warranted with validation, no opt out for processing
  CPRA: Data files provided if warranted with validation, opt out for processing
Privacy International, LLP All rights reserved. This document does not constitute legal advice and if you require legal advice you should consult with an attorney.
Comparing Business Obligations: GDPR vs. CCPA vs. CPRA
Comparing Scope and Requirements: GDPR vs. CCPA vs. CPRA
Business Obligations

Individual Rights - Liability, right to action
  GDPR: Allows legal action
  CCPA: Allows legal action
  CPRA: Allows legal action

Security for Privacy - Data Protection Measures
  GDPR: Implementation of security measures based on data classification
  CCPA: Implementation of security measures based on data classification
  CPRA: Implementation of security measures based on data classification
  (one of the California columns adds: refer addition CA regs)

Security for Privacy - Notification, Data Breach
  GDPR: Implementation and testing of data breach/incident procedure (72 hour notification window)
  CCPA: Implementation and testing of data breach procedure (1798.29: notify individual of any breach of the security of the data immediately following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person)
  CPRA: Implementation and testing of data breach procedure (1798.29: notify individual of any breach of the security of the data immediately following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person)

Administrative - Accountability Roles (DPO, etc.)
  GDPR: Required
  CCPA: N/A
  CPRA: N/A

Administrative - Cross Border Transfers
  GDPR: Data Processing Agreements to obligate 3rd parties and corporate entities outside the EU; may include SCCs or BCRs or both
  CCPA: N/A
  CPRA: N/A

Scope and Requirements

Enforcement - private right of action
  GDPR: Allows legal action
  CCPA: Allows legal action
  CPRA: Allows legal action

Privacy & Information Governance Program - Top 10 Actions

i. Privacy Assessment - GAAP approach, bench for global privacy compliance levels and requirements;
ii. Risk Assessment - Validate data is processed in line with the privacy notice and measure fundamental rights capabilities;
iii. Data Classification - Organize data by sensitivity and category to limit use and protect more efficiently;
iv. Governance - Implement a governance structure based on the data's value, uses, users, and locations;
v. Inventory - Discover, reduce and document, by application, purpose/function or business process;
vi. Retention - Define retention periods to meet legal requirements, business needs, and contractual obligation. Implementation priority: highest risk data (sensitive), geographic and on-line vs. off-line;
vii. Awareness - Create and roll out role-based training, frequently release snippets (widgets) and use "branding" to enhance compliance;
viii. Third-party program - Complete a comprehensive inventory of third-party relationships, data collected, stored, or shared to address individual rights, data quality, use, retention and security;
ix. Measure and Report - Regularly measure privacy control effectiveness, communicate results and challenges to senior leaders and the audit committee; and
x. Data Security - Implement and maintain reasonable security procedures and practices, document and test ability to respond effectively to data breaches.