In my last post we looked at one implication arising from the definition of personal information by the California Consumer Privacy Act (CCPA) of 2018. We explored two things:
- The differences between the CCPA and the GDPR definitions of personal information.
- The implication of the inclusion of inferences in the CCPA definition.
In this post, I'll suggest that these are not two separate issues. They are, instead, two sides of the same “data governance implication coin" that need further consideration.
The complexities of implementing compliance for data privacy regulations
To get to the point: It's not necessarily the details associated with the specifics of one regulation versus another that we need to focus on. Rather, it's the ability to strategically implement the methods of compliance when different regulations affect data assets in different ways. In my last post, I gave an example of linked data that exposed information about an individual’s professional or employment-related data – which is data that needs to be protected under CCPA. But that same piece of inferred information is not necessarily protected under GDPR, due to the GDPR definition of personal data.
Recognize that we're not living in a “binary world” of privacy regulations – so we're not limited to complying with just GDPR and CCPA. Compliance applies to different individuals in different contexts. For example, CCPA applies to California residents, but not to data that's collected when every aspect of the data collection process takes place outside the state of California. This means that the prerequisites for complying with consumer requests have to be fielded within the contexts of what data assets and data instances are or are not covered.
It's also important to realize that CCPA is just the tip of the iceberg – other US states, as well as other countries, are considering laws to safeguard personal data. And there are already many subtle differences among the dozens of existing country-based data protection laws.
A naïve approach will throw the blanket over all data assets – but this may be quite restrictive. This means that data governance practices must evolve to effectively manage core data privacy characteristics of each data asset, as well as the specific determination of what facets of information are covered by which regulation. Until now, this aspect of information risk management has not been completely aligned with conventional data governance wisdom – which concentrates on org charts, data governance councils, hiring chief data officers (CDOs) and defining policies. The implications of data privacy laws for data governance may heighten the importance of assessing, understanding and managing information risk in a more holistic manner than has been considered so far.
I'll cover more on the concept of information risk in upcoming posts.Find out how SAS can help with personal data protection