The GDPR applies to entities or organizations within the EU (European Union) or EEA (European Economic Area), and to non-EU/EEA entities or organizations that offer goods or services to data subjects within the EU or EEA. The CCPA applies to any company “doing business in California” that meets certain other requirements [read our other blog post for more details]. That is a vague statement as to where the business must be based; many lawyers and journalists lean towards reading it as any business with California residents as consumers, even residents who are temporarily outside the state. That means businesses across the United States and the world have to comply. At the time of writing (early January 2020), the EU’s 28 member states plus the EEA’s 3 member states total an estimated 519.2 million residents under the GDPR, and California has about 39.5 million residents. That’s more than 558.7 million people world-wide covered under one of these two laws!
It’s a long road for some businesses to get compliant with either or both: thousands of employees to train, policies to update as amendments are made to the laws, consumers to notify of their rights, and consumer data requests to follow up on. Other businesses are small enough that they may be able to skirt some of these requirements, at least for now. The GDPR has a head start of about a year and a half on the CCPA, having been in effect since May of 2018. As each law receives updates and amendments, lawsuits brought under it, and legal discussion, it will become clearer which businesses must comply and what counts as an infraction of either law.
Penalties can and will be levied for a variety of infractions: conditions for consent, consent for children ages 13-16, the rights of the consumer/data subject, data processing, and disclosing breaches and hacks. Under the CCPA, data that is breached, hacked, or stolen while unencrypted or non-redacted may result in monetary penalties, but encrypted data lost or exposed in the same way is still considered in compliance [Cal. Civ. Code § 1798.150.a.1]. Whether any notification is required for properly encrypted or redacted information is up for debate. Similarly, Article 33 of the GDPR requires that a breach be reported to a supervisory authority “unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons” [GDPR, Article 33], but if the “appropriate technical and organizational protection measures […] render the personal data unintelligible to any person who is not authorized to access it, such as encryption”, then the data subject is not required to be notified [GDPR, Article 34].
C.Y.A. in the most basic way. Encrypt your data. Encrypt the consumer’s data, so that if it is lost or exposed it is unintelligible to anyone who is not authorized to access it. It’s the first step on this long road to compliance under increasingly complex, and yet vague, laws across the globe that filter into every facet of our tech-infused lives.
Active Cypher wants to make it easier for your business. With Active Cypher File Fortress, encrypt files individually, at the file level, based on Active Directory Security Groups, because by the time a breach is detected it is already too late.
*If you aren’t sure what C.Y.A. stands for, Wikipedia can help you.