CCPA and GDPR Compliance Report: New Research Measures Compliance Status and Plans for CCPA and GDPR (Part 3 of 3)

The European Union’s (EU) General Data Protection Regulation (GDPR) has been occupying the minds of privacy professionals for the past two years and now attention is shifting to the California Consumer Privacy Act (CCPA). The CCPA is the toughest US privacy regulation to date and its impact will be felt by almost every organization that does business in California or handles personal information of California citizens.

To understand the readiness and plans for businesses to meet the January 1, 2020 deadline for the CCPA, Dimensional Research conducted this research among 250 US privacy professionals from Feb 15th – 27th, 2019. The online survey was fielded to IT and legal professionals at a fairly-evenly mixed target group of small (500 to 1,000 employees), mid-sized (1,000 to 5,000 employees) and large (over 5,000 employees) companies. Half the companies were subject to both the GDPR and CCPA, and the other half were only subject to the CCPA. A total of 250 executives, team managers and individual team contributors from companies in the financial services, technology, manufacturing, business services, energy and utilities, healthcare and other key industries completed the survey. All respondents were from the US.

Some sample questions we set out to answer with the survey were: Approximately how much of your GDPR program do you expect to leverage for CCPA? What areas will your company be investing in to prepare for CCPA? How much does your company expect to invest in CCPA-related privacy compliance expenses in 2019? How is the need for technology and tools used to manage data privacy changing at your company?

Our previous posts in this series discussed companies' current CCPA compliance status and how companies plan to invest in order to achieve and maintain compliance.

Key Takeaway # 3: The top reason for investing in CCPA is to meet customer and partner expectations

As is evident from this survey, data protection management and compliance with the California Consumer Privacy Act (CCPA) will be a challenging task. Most companies are planning to invest in external resources. There are varying reasons for investing in CCPA compliance, but the reason that tops the chart is meeting customer / partner requirements (62%). Other popular reasons for investing in compliance are meeting internal reporting requirements, supporting company values, and avoiding fines or class action lawsuits.

The survey also reveals that 88% of respondents will require help to meet CCPA compliance, and 45% of those need technology and tools to automate and operationalize privacy management.


Download the full report here.

TrustArc has a comprehensive set of privacy management solutions to help you manage your data privacy management program. We have solutions to help you with all phases of CCPA and GDPR compliance. We can help you build a plan and processes; implement controls and tools; and manage and demonstrate ongoing compliance. Solutions include the TrustArc platform and consulting services. To learn more about how TrustArc solutions can help your company prepare for the CCPA, request a demo today!

CCPA and GDPR Compliance Report: New Research Measures Compliance Status and Plans for CCPA and GDPR (Part 2 of 3)


Part 1 of this three-part blog post series discussed where companies are in terms of CCPA compliance and how GDPR compliance has given some companies a head start. Read part one here.

Key takeaway # 2: 72% of companies plan to invest in technology to help prepare for the CCPA

As is evident from this survey, data protection management and compliance with the California Consumer Privacy Act (CCPA) will be a challenging task. Most companies are planning to invest in external resources including technology solutions and consulting services. Of the 250 respondents, 72% say that they are preparing to invest in technology and tools, followed by 61% in consultants, 55% in external legal expertise and 45% in internal hiring.


Companies are also expecting significant costs in order to comply with the CCPA: 71% of the respondents expect to spend more than six figures in CCPA-related privacy compliance expenses in 2019 – and 19% expect to spend over $1 million.


Download the full report here.


Compliance Report: New Research Measures Compliance Status and Plans for CCPA and GDPR (Part 1 of 3)


In part one of this three-part blog post series, we will share highlights on the current state of CCPA compliance readiness:

Key Takeaway # 1: Only 14% of companies report being CCPA compliant

The CCPA was signed on June 28, 2018, is effective January 1, 2020, and enforcement is slated to begin no later than July 1, 2020. It has many similarities to the GDPR, from its extraterritorial reach to its expansive rights for individuals, and will impact tens of thousands of businesses worldwide that have customers or employees located in California.

Businesses that have prepared to comply with GDPR by creating comprehensive data governance practices, records of processing, and individual rights procedures will have a head start. But, under the CCPA, all companies in scope will need to enhance their data management practices, expand their individual rights processes, and update their privacy policies by the January 1, 2020 effective date.

Of the 250 survey respondents, 50% were impacted by both the GDPR and CCPA, and 50% were impacted by only the CCPA. Results showed that 21% of respondents that have worked on GDPR compliance are ready for CCPA. However, out of the companies that haven’t worked with GDPR, only 6% are ready for CCPA. The overall compliance rate is currently 14%.


Download the full report here.


Upcoming Webinar – Pragmatic Consent Management: Meeting Compliance and Business Needs


TrustArc is proud to present the next Privacy Insight Series webinar “Pragmatic Consent Management: Meeting Compliance and Business Needs” with TrustArc Consulting Program Director Margaret Alston and TrustArc Senior Privacy Consultant Jim Keese. This webinar will take place this Wednesday, March 20th at 9am PT / 12pm ET / 5pm GMT. Don’t miss this opportunity to learn more about managing consent – register today!

As the dust settles on the first wave of GDPR implementation initiatives, businesses are left with a multitude of questions. Is implementing a simple cookie banner enough? How can I manage consents across multiple systems? How can I ensure our policies are being implemented? Do I really need a “Do Not Sell” button to comply with CCPA? Will all this change under the ePrivacy Regulation anyway? What kind of records do I need if a regulator asks?

As a privacy professional or a marketer, you’re responsible for advising the business and working through the realities of balancing compliance with ongoing demand for data-driven insights and growth. Join this webinar for a playbook of key tips and guidance to help you juggle these requirements with ease and understand what’s required and what’s open to interpretation.

This webinar will outline:

  • Consent requirements under key regulations including GDPR and CCPA
  • Key considerations and decisions for the business to take
  • Tools to support universal consent management

Can’t make it? Register anyway – we’ll automatically send you an email with both the slides and recording after the webinar! Click here for answers to the most commonly asked webinar-related questions.

The TrustArc Privacy Insight Series is a set of live webinars featuring renowned speakers presenting cutting edge research, tips, and tools. Events are free and feature informative discussions, case studies and practical solutions to today’s tough privacy challenges. Over 20,000 privacy professionals registered for our events in 2018!

The Path of Privacy – 2019 Privacy Predictions by TrustArc CEO Chris Babel


Privacy was ubiquitous in 2018. The General Data Protection Regulation (GDPR) deadline on May 25, 2018 came and went as companies scrambled to meet and maintain compliance under the new regulation. Data protection had a strong presence in the media as large companies’ handling of user data was widely discussed and reviewed. New privacy regulations were introduced – such as the California Consumer Privacy Act (CCPA) and Brazil’s General Data Protection Law (LGPD) – meaning more and more companies will fall under the scope of at least one enforceable privacy regulation. So what’s in store for privacy in 2019? TrustArc CEO Chris Babel breaks down next year’s predictions for the path of privacy.

1) Managing privacy will be the new normal, like securing data or paying taxes

Privacy will continue on a path similar to the evolution of cybersecurity. The number of breaches and privacy-related incidents will continue to rise, up and to the right. This rise will be made up of peaks and valleys. As with security, a standard of constant privacy will become the new normal. For example, while many organizations treated GDPR as a project with a finite end, compliance is a continuous exercise that requires the same focus and vigilance as security or taxes.

Automating aspects of this continuous process using Assessment Manager will save your company time. Assessment Manager is built on powerful technology that identifies where and why your practices don’t align with regulations, and defines the path to remediation. The workflow tools and Intelligence Engine detect the need for assessments and then streamline them.

2) Ethics will become increasingly important to data-driven innovation

Once a focus only in health care, research, and highly regulated organizations, ethics is now being considered by businesses across sectors, as GDPR and similar laws show that the benefits companies claim new tech and other innovations will bring do not outweigh the potential for data misuse and other risks. While companies may start with a check-the-box compliance exercise, in 2019 the more innovative players will look to differentiate themselves from their competition by setting up ethical review committees, ethics teams and data ethics officers to formally consider the implications of algorithms and machine learning on customer trust and business outcomes.

Determining whether processing is ethical can be done at scale by automating manual processes. TrustArc offers the expertise and technology to complete these assessments, build a sustainable DPIA & PIA program if needed, automate the process using the TrustArc Platform, and produce reporting needed to show accountability on demand.

3) Consumers will exercise their right to privacy

In 2019, consumers will become more aware of and better understand the rights and mechanisms that regulations like the GDPR have made available to them to manage and protect their data. As a result, we will see consumers become more engaged and active in controlling their privacy settings, sharing less information, unsubscribing from marketing communications and requesting copies of their data or that companies delete their data entirely from marketing databases.

Individual Rights Manager helps with the requirements of the GDPR and CCPA, which require that organizations provide data subjects and individuals with a variety of rights, including the right of access by the data subject, rectification or erasure, restriction of processing, and data portability.

4) To be or not to be – 2019 privacy laws at a glance

A U.S. federal privacy law will be much discussed but not passed. The trade deal replacing NAFTA – USMCA – will drive new discussions around cross-border data sharing between the U.S., Canada and Mexico. A handful more states in the U.S. will seek to adopt state privacy laws such as the California Consumer Privacy Act, and 2-3 states will pass one. The EU will agree upon and issue standards for GDPR certification, creating another rush to comply with the standard. The multitude of country-specific privacy laws in Asia will continue to increase and splinter across the region.

While we await the GDPR certification standards, your company can benchmark and report its compliance practices with GDPR Validation. The GDPR Validation enables companies to demonstrate their GDPR compliance efforts and status, using intelligent technology-powered assessments, TrustArc managed services and an independent TRUSTe GDPR compliance validation.

5) GDPR enforcement could slow sales and close down businesses

Most people associate GDPR enforcement with heavy fines levied against organizations. However, enforcement can be much worse than onerous financial penalties. An advertiser was recently forced to cease operations in an entire European market as a result of a GDPR violation. In 2019, we will continue to observe that failure to comply with privacy regulations will have devastating impact on a company’s operations as much as its checkbook. Companies that don’t meet GDPR and other privacy and security requirements will lose business to competitors who do.

Companies can keep consumer trust with the Cloud Privacy Compliance Package, which streamlines the compliance process enabling companies to more easily develop a plan, implement controls, and demonstrate ongoing compliance with GDPR.

6) Privacy regulations will drive innovation and differentiation

Privacy regulations, as the new reality of the world, will force companies to reexamine their approaches to developing innovative and differentiated products and services. As an example, regulations like GDPR are forcing marketers and advertisers to reevaluate how they use customer data. The organizations that embed compliance into their entire product development process – aka privacy by design – will be able to clearly differentiate themselves from their competitors by offering compelling value to their customers.

Our team of privacy experts and consultants can help your teams ensure that your programs incorporate privacy by design principles, among other privacy best practices.

7) Privacy technologies available at any price point

As more privacy regulations are adopted, both GDPR and local laws, we will see a rapid expansion of the number of privacy technology vendors in the market. With the increased sophistication of privacy technologies, a small company located anywhere globally will now have access to solutions at a price point that fits them and makes it worth their while to comply with a law such as the California Consumer Privacy Act to reach even more customers.

The TrustArc Privacy Platform offers a range of modules to help manage privacy for the GDPR, CCPA and other privacy laws. You select the modules you need and can add more at any time.

8) The CCPA is the second chance for the CPO and DPO to become strategic company executives

There is significant overlap between the California Consumer Privacy Act (CCPA), which applies to any company conducting business in California, and GDPR. Companies that took the important steps to comply with GDPR are already ahead of the game and will have a relatively clear path to meet the requirements of CCPA, while the companies that did not will be under the gun to comply by the July 2, 2020 deadline. This is a second chance for Chief Privacy Officers (CPO) and Data Protection Officers (DPO) at companies that missed the opportunity with GDPR to position data privacy as a strategic function within the organization.

Build a sustainable plan, implement controls, and manage ongoing compliance with the TrustArc CCPA Platform and Consulting Services.

One thing is certain – privacy regulations, enforcements, and fines will continue to exist and expand in 2019 and beyond. Above all else, implementing and maintaining a strong privacy program will put companies in a good position to handle the requirements of current and upcoming privacy regulations. From all of the privacy experts at TrustArc, we wish you a happy and a compliant new year!

TrustArc, the leader in privacy compliance and data protection for over two decades, offers an unmatched combination of innovative technology, expert consulting and TRUSTe certification solutions that address the GDPR, CCPA and other global privacy regulations. The TrustArc Privacy Platform, which powers all TrustArc solutions, includes modules for managing data maps, risk assessments, cookie consent, individual rights, and ongoing compliance reporting. Headquartered in San Francisco, and backed by a global team across the Americas, Europe, and Asia, TrustArc helps customers worldwide demonstrate compliance, minimize risk and build trust.
