GDPR came into effect in May 2018. Beginning in January 2020, California takes a major step in putting protection and control into consumers’ hands. Now, businesses must prepare for GDPR, CCPA, and FISMA compliance.

Understanding DSAR [Data Subject Access Request]

Here in the US, businesses must prepare for incoming DSARs starting in January 2020. A data subject access request can be placed by an individual who wishes to learn what data a business or organization is storing about them. These requests can also allow them to learn why this data is being stored and what other businesses or individuals have access to the data. When a business receives a DSAR, it’s crucial for them to respond in a timely fashion. Not only is this critical to remain compliant with regulations, but it also helps to build trust with consumers.

Searching individual data within structured and unstructured data sources is an enormous task and is time-consuming. Ardent automates that process to help your business respond to DSARs in a timely fashion.

GDPR and CCPA Compliance

Known as the California Consumer Privacy Act, or CCPA, this new law addresses growing privacy concerns. Specifically, leading tech companies sell and give access to personal information. This often occurs without consumer knowledge of what happens when their personal information gets collected online.

Ultimately, CCPA compliance will result in strict controls around consumer data usage by businesses. Additionally, tech companies will face major fines for not complying.

GDPR can also apply to companies within the United States that handle EU citizens’ data, and to US companies that have a presence in Europe.

Other states that have data privacy laws in place along with California include:

  • Nevada
  • Vermont
  • Delaware
  • Arizona
  • Missouri
  • Connecticut
  • Oregon

Financial Penalties for Failing to Comply

Failing to meet GDPR compliance comes with financial penalties. For instance, GDPR mandates either 20 million Euros or up to 4% of annual global profits for noncompliance. A data breach comes with the same penalty rates.

Fines for not meeting CCPA compliance cost up to $7,500 per violation. Critics point out that businesses are in violation at the point of breach. Alternatively, sanctions for not following GDPR compliance occur sooner: a business gets fined for just being at risk of suffering a breach.

Currently, no sanctions apply for not complying with CCPA. However, CCPA does allow consumers to sue a business for violation.

Consumer Rights Under GDPR and CCPA Compliance

In addition to suing a business for violating CCPA compliance, consumers have other rights. For example, they have the right to opt-out of selling personal data.

Both CCPA and GDPR allow consumers to request the deletion of personal information. However, some legal exceptions apply.

Furthermore, CCPA grants consumers rights such as:

  • Knowing data collection practices of businesses including personal information categories, source of information, and which entities receive the collected information
  • Receiving copies of personal information collected in the 12 months before their request
  • Having personal information deleted
  • Knowing data sales practices and requesting not to sell their personal information
  • Not experiencing discrimination for exercising their rights

GDPR compliance focuses primarily on all data related to identifying a person. With CCPA compliance, both the consumer and household are identifiable entities. This means protection for any information directly or indirectly linked to a person residing in California.

In either situation, businesses must test their processes for handling consumer data. Differences do not lessen their obligation to accommodate consumer rights. As a result, businesses must prepare to locate and disclose how they choose to use personal data.

Compliance with FISMA Privacy Controls

In 2002, the Federal Information Security Management Act required all federal agencies to implement a program or process to protect the privacy and security of the information they gather. This regulation is part of the larger E-Government Act of 2002, intended to help organizations and agencies manage processes electronically. FISMA added a privacy control family some time back, and it is important for government agencies to automate those privacy controls. The Ardent data privacy platform provides the means to comply with those controls and automates the process.

Requirements of FISMA include the following:

  • Privacy Impact and Risk Assessment
  • Privacy Requirements for Contractors and Service Providers
  • Privacy Monitoring and Auditing
  • Privacy-Enhanced System Design and Development
  • Data Minimization and Retention
  • Minimization of Personally Identifiable Information
  • Data Retention and Disposal

Get Help with GDPR and CCPA Compliance with Ardent

With Ardent solutions, we help automate these processes to help your business remain in compliance with GDPR, CCPA, FISMA, and DSARs. Our data privacy platform helps us provide the following solutions for businesses:

  • GDPR, CCPA & FISMA Privacy Compliance
  • Secure Test & Research Data
  • Privacy and Security Impact Assessment
  • Supply Chain Security

The rising number of data breaches means consumers are more aware of how their data gets used. As a result, businesses must know how to handle breaches or avoid them altogether. Team Ardent can help you strengthen trust between consumers and your data collection practices.

The Ardent data privacy platform helps your business to be ready for regulatory compliance in ways such as:

  • Locating personal data assets using machine learning
  • Minimizing excess and unwanted data
  • Deleting excess data securely
  • Quickly responding to consumer DSAR requests
  • Defining and automating a secure data lifecycle

Regulatory Mandates

GDPR

Article 17: Right to be forgotten.
Article 5: Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimization’); the controller shall be responsible for, and be able to demonstrate, compliance.
Article 15: Right of access by data subject. The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed.

CCPA

Cal. Civ. Code § 1798.110: A consumer shall have the right to request that a business that collects personal information about the consumer disclose to the consumer.
Cal. Civ. Code § 1798.105: Right to deletion. A consumer shall have the right to request that a business delete any personal information about the consumer which the business has collected from the consumer.

FISMA Privacy Controls

DM-1. Minimization of personally identifiable information collection. Locate, remove, redact, anonymize PII.
DM-1. c. Conducts an initial evaluation of PII holdings and establishes and follows a schedule for regularly reviewing those holdings.
DM-2. Data retention and disposal schedule.
DM-3. Minimization of PII used in testing, training, and research.

Ardent Capabilities

  • Discovery & Identification
  • PII mapping
  • Minimization
  • Secure non-recoverable deletion
  • SDLC and data protection in testing environments
  • On-Going Monitoring
  • Secure Data Life Cycle Management

Be in the best position to follow GDPR, CCPA, and FISMA compliance regulations today and in the future. Contact Ardent today at 202.630.5028 to discuss how our solutions can help you comply.