Comparing Business Obligations: GDPR vs. CCPA vs. CPRA

A comparison of the regulatory obligations that the EU's General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) impose. The table below lists the high-level obligations under each regulation when an organization collects and processes personal data/information.

Regulatory Obligation (GDPR / CCPA / CPRA)

Transparency - Privacy Notice/Policy
  GDPR: Prior to collection of Personal Data
  CCPA: Prior to collection of Personal Data
  CPRA: Prior to collection of Personal Data

Transparency - Business Use or Limitation
  GDPR: Align use and collection as defined in the Privacy Notice
  CCPA: Align use and collection as defined in the Privacy Notice
  CPRA: Align use and collection as defined in the Privacy Notice

Transparency - Just in Time Notice
  GDPR: Prior to collection of Personal Data
  CCPA: Prior to collection of Personal Data
  CPRA: Prior to collection of Personal Data

Governance - Privacy by Design
  GDPR: Privacy notice shall be provided prior to collection of data; all new and material changes to data use
  CCPA: Privacy notice shall be provided prior to collection of data; N/A
  CPRA: Privacy notice shall be provided prior to collection of data; all new and material changes to data use

Governance - Contractual obligations (processors, Service Providers/Sub-processors)
  GDPR: Inclusion of contractual obligations (regulatory compliance) for processing and data sharing activities
  CCPA: Inclusion of contractual obligations (regulatory compliance) for processing and data sharing activities
  CPRA: Inclusion of contractual obligations (regulatory compliance) for processing and data sharing activities

Governance - Data Processing Activities
  GDPR: Document data collection, use, processing, data protection and disclosure purposes
  CCPA: N/A
  CPRA: Document data collection, use, processing, data protection and disclosure purposes

Governance - DPIA or PIA
  GDPR: Required when confidential or sensitive personal data is processed
  CCPA: N/A
  CPRA: Required when confidential or sensitive personal data is processed

Individual Rights - Access
  GDPR: Functionality to allow individual to access (with verification)
  CCPA: Functionality to allow individual to access (with verification)
  CPRA: Functionality to allow individual to access (with verification)

Individual Rights - Portability
  GDPR: Functionality to allow individual to export (with verification)
  CCPA: Functionality to allow individual to export (with verification)
  CPRA: Functionality to allow individual to export (with verification)

Individual Rights - Correction
  GDPR: Functionality to allow individual to update/correct (with verification)
  CCPA: Functionality to allow individual to update/correct (with verification)
  CPRA: Functionality to allow individual to update/correct (with verification)

Individual Rights - Choice
  GDPR: Functionality to allow individual to make or change choice (with verification)
  CCPA: Functionality to allow individual to make or change choice (with verification)
  CPRA: Functionality to allow individual to make or change choice (with verification)

Individual Rights - Deletion
  GDPR: Functionality to allow individual to delete data when not in conflict with legal or regulatory obligation (with verification)
  CCPA: Functionality to allow individual to delete data when not in conflict with legal or regulatory obligation (with verification)
  CPRA: Functionality to allow individual to delete data when not in conflict with legal or regulatory obligation (with verification)

Individual Rights - Liability, right to action
  GDPR: Allows legal action
  CCPA: Allows legal action
  CPRA: Allows legal action

Security for Privacy - Data Protection Measures
  GDPR: Implementation of security measures based on data classification
  CCPA: Implementation of security measures based on data classification
  CPRA: Implementation of security measures based on data classification (refer to additional CA regs)

Security for Privacy - Notification, Data Breach
  GDPR: Implementation and testing of data breach/incident procedure (72 hour notification window)
  CCPA: Implementation and testing of data breach procedure (1798.29: notify individual of any breach of the security of the data immediately following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person)
  CPRA: Implementation and testing of data breach procedure (1798.29: notify individual of any breach of the security of the data immediately following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person)

Administrative - Accountability Roles (DPO, etc.)
  GDPR: Required
  CCPA: N/A
  CPRA: N/A

Administrative - Cross Border Transfers
  GDPR: Data Processing Agreements to obligate 3rd parties and corporate entities outside the EU; may include SCCs or BCRs or both
  CCPA: N/A
  CPRA: N/A

Comparing Scope and Requirements: GDPR vs. CCPA vs. CPRA

A comparison of the scope, individual rights and enforcement provided under the EU's General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). The table below lists the high-level categories for each regulation when an organization collects and processes personal data/information.

Category (GDPR / CCPA / CPRA)

Scope - responsibilities, individual terms, data classification
  GDPR: Controllers and Processors, Data Subjects, Personal Data, Sensitive Data
  CCPA: Business, Service Providers, Personal Information, Sensitive Data
  CPRA: Business, Service Providers, Personal Information, Sensitive Data

Scope - employment, restrictions, processing basis, exemptions
  GDPR: Employee data, sensitive data processing, lawful basis, public interest, healthcare
  CCPA: Employee data, sale of data (opted out), N/A, public interest, healthcare
  CPRA: Employee data, sale of data (opted out), N/A, public interest, healthcare

Scope - children, data protection
  GDPR: Under 16, data protection based on sensitivity of the data
  CCPA: Under 16, data protection based on sensitivity of the data
  CPRA: Under 16, data protection based on sensitivity of the data

Individual Rights - notice, choice, access, restrict processing
  GDPR: Automated or manual access to data, affirmative opt-in, cease processing
  CCPA: Automated or manual access to data, affirmative opt-in, no processing restriction
  CPRA: Automated or manual access to data, affirmative opt-in, cease sensitive data processing

Individual Rights - deletion, opt out of sale, limit sensitive data, retaliation
  GDPR: Deletion if warranted with validation, N/A, opt in for processing, cannot discriminate
  CCPA: Deletion if warranted with validation, N/A, opt in for processing, cannot discriminate
  CPRA: Deletion if warranted with validation, opt in for sale, opt in for processing, cannot discriminate

Individual Rights - portability and automated processing
  GDPR: Data files provided if warranted with validation, opt out for processing
  CCPA: Data files provided if warranted with validation, no opt out for processing
  CPRA: Data files provided if warranted with validation, opt out for processing

Governance - breach notification to DPA
  GDPR: Data Controller - 72 hours; Data Processor - 72 hours to controller
  CCPA: Business - Immediate to AG; Service Provider - Immediate to Business
  CPRA: Business - Immediate to AG; Service Provider - Immediate to Business

Governance - responding to individual rights requests
  GDPR: 30 days to complete
  CCPA: 45 days to complete
  CPRA: Acknowledgement - 10 days; two methods to request; 45 days to complete

Governance - data protection impact analysis
  GDPR: Sensitive data and cross border transfer
  CCPA: N/A
  CPRA: N/A

Governance - data protection
  GDPR: Security measures based on data sensitivity
  CCPA: Security measures based on data sensitivity - reference to 1798.xx
  CPRA: Security measures based on data sensitivity - reference to 1798.xx

Enforcement - supervisory authority
  GDPR: Yes, DPA
  CCPA: Yes, AG
  CPRA: Yes, CPPA

Enforcement - civil fines
  GDPR: Yes, up to 4% annual turnover
  CCPA: Yes, $100-$750 per record
  CPRA: Yes, $100-$750 per record or $7,500 per action

Enforcement - private right of action
  GDPR: Allows legal action
  CCPA: Allows legal action
  CPRA: Allows legal action

Privacy & Information Governance Program - Top 10 Actions

i. Privacy Assessment - GAAP approach, benchmark for global privacy compliance levels and requirements;
ii. Risk Assessment - Validate that data is processed in line with the privacy notice and measure fundamental rights capabilities;
iii. Data Classification - Organize data by sensitivity and category to limit use and protect it more efficiently;
iv. Governance - Implement a governance structure based on the data's value, uses, users, and locations;
v. Inventory - Discover, reduce and document, by application, purpose/function or business process;
vi. Retention - Define retention periods to meet legal requirements, business needs, and contractual obligations. Implementation priority: highest risk data (sensitive), geographic, and on-line vs. off-line;
vii. Awareness - Create and roll out role-based training, frequently release snippets (widgets) and use "branding" to enhance compliance;
viii. Third-party program - Complete a comprehensive inventory of third-party relationships and of data collected, stored, or shared, to address individual rights, data quality, use, retention and security;
ix. Measure and Report - Regularly measure privacy control effectiveness, and communicate results and challenges to senior leaders and the audit committee; and
x. Data Security - Implement and maintain reasonable security procedures and practices; document and test the ability to respond effectively to data breaches.

Privacy International, LLP All rights reserved. This document does not constitute legal advice and if you require legal advice you should consult with an attorney.