GDPR to CCPA and Beyond: Overcoming Challenges to Timely Privacy Compliance

Solutions to Mitigate Risk and Minimize Time to Compliance

by Teresa Troester-Falk
July 12, 2019
in Data Privacy, Featured
The new California Consumer Privacy Act (CCPA) is shaping up to be the toughest privacy law in the U.S. Nymity’s Chief Global Privacy Strategist, Teresa Troester-Falk, discusses what organizations need to do to adapt to the changing U.S. privacy law landscape.

Would you find it surprising that almost half of privacy officers consider building a privacy program as their top priority? Perhaps one would expect that privacy programs would have been built in the run-up to the GDPR compliance deadline (May 25, 2018). In our view, this is an indication that companies may be treating compliance as a tactical “checklist” project and are now struggling with how to handle the multitude of privacy laws that just keep coming.

The Need for Timely Compliance

If reporting on the status of your data privacy compliance has not yet become a focus or priority for your board, it soon will be. Corporations and, in particular, corporate directors have a number of responsibilities and liabilities as part of their compliance and oversight obligations. Privacy is becoming an increasingly important topic at the board table and shareholders are also holding their boards accountable. Just last year, a shareholder suit was launched against a U.S. public company and some of its officers and directors for allegedly making false and misleading statements to investors about the impact of privacy regulations and the third-party business partners’ privacy policies on the company’s revenue and earnings. While we expect GDPR compliance to remain high on the radar of corporate boards, focus will expand as organizations turn their attention to the United States with the passing of state-level privacy legislation in California and Nevada, as well as numerous other states with legislation in flight.

Challenges to Timely Compliance and Practical Solutions

What is standing in the way of accelerating time to compliance in your organization? The challenges privacy officers face typically fall into three categories: staying current on legislation, engaging the business and taking a “wait and see” attitude to upcoming legislation.

Challenge #1: Staying Current on Privacy Regulations/Legislation Across Multiple Jurisdictions

While a lot of attention has been on new legislation coming from across the U.S. and around the world, it is important to note that regulatory bodies are also updating existing laws on an ongoing basis.

Solution: This is one area where a software tool can be a big help in keeping up to date on laws and regulations in relevant jurisdictions. A research tool that pushes knowledge to you on relevant cases, legislation, regulatory activity and customized priority topics should be able to alert you easily to areas where your current program or compliance activities need adjustment, as well as provide insight into potential areas of future risk to your business. This can spare internal staff countless hours of research time and, more importantly, it can save the cost of paying outside counsel to determine compliance activities.

Challenge #2: Embedding Privacy Responsibility into the Business

While privacy has become a more integral part of business planning and strategy, more than half of privacy professionals rated their business’ privacy knowledge at moderate to very low. Employees outside of the privacy charter may not only lack general awareness of internal policies and procedures, but also of the privacy landscape generally, and thus the impact and risks a lack of privacy compliance can pose to the business.

Solution: Using business-friendly language (not technical privacy “legalese”), articulate the roles and responsibilities of each business unit, the priorities for compliance, the rationale and the impacts to the business if they get it wrong. Leveraging tools and methodologies that use the language of the business is an effective way to clearly outline the privacy management activities that need to be implemented and documented. It also highlights any cross-functional dependencies that business units must consider when executing their privacy compliance tasks on an ongoing basis.

Challenge #3: Taking a “Wait and See” Approach to Compliance

The evolving privacy landscape from a regulatory perspective is murky and unpredictable, to say the least. While overall we are seeing an increased sense of urgency from organizations, particularly as it relates to upcoming California Consumer Privacy Act (CCPA) compliance, there are those that are opting for a “wait and see” approach and delaying compliance efforts until ambiguities in the law are clarified and the amendment process is completed. If the GDPR taught us anything, it is that preparation is critical: the longer organizations wait, the harder it will be to meet compliance timelines, creating risk to your business.

Solution: The U.S. is not unique in introducing consumer data privacy rights. Approximately 113 countries and regions have data subject rights requirements as part of their laws. Many rights are common around the world and figure in well over 100 laws. These include transparency rights, correction requests, the right of access and right of deletion. Although there will be nuances from state to state (and even country to country), the core consumer rights around access and deletion will be the common denominator in the CCPA and other state and global laws – and the perfect place to get started.

Getting Started: Lessons from GDPR

If your company is required to be GDPR compliant, you likely already have key foundational elements that can be leveraged for CCPA compliance and for other state laws dealing with data subject requests. For example, under Article 30 of the GDPR, you would have had to complete a record of processing activities (ROPA). The work of capturing the purposes of processing, categories of individuals and categories of personal data for the GDPR can be reused for compliance with the CCPA, even though a full inventory is not required by that law. You can easily extend the ROPA established under the GDPR to cover CCPA-specific elements, such as whether the data is sold to third parties.

Even if you have not completed this exercise for the GDPR, this is another great place to start preparing for state legislation, as it gives you the ability to communicate to the business in a language they will understand, simplifying the process of identifying the data, the purpose and what data they need for the purpose of processing (for example, payroll and benefits).

In preparing for CCPA and other state or global privacy regulations, corporations should not adopt a “wait and see” approach. Leveraging research tools to stay on top of legislative developments in near real time, engaging with the business in a conversation about risk in a language they can understand and taking advantage of the work you have done to address common denominators in data subject rights can go a long way in mitigating risk for your organization and, ultimately, minimizing your time to compliance.


Teresa Troester-Falk

Teresa Troester-Falk is Chief Global Privacy Strategist at Nymity and a thought leader in the privacy industry, helping identify the future needs of privacy professionals by engaging with customers, privacy and data protection regulators, key policy groups/think tanks and other privacy thought leaders. Teresa leads some of Nymity’s key accountability research initiatives and collaborates with other internal leaders to help innovate privacy accountability and compliance solutions and ensure organizational success. Teresa is co-responsible for Nymity’s external thought leadership; she authors Nymity whitepapers and other publications and regularly speaks at conferences, advanced privacy forums and on webinars. Teresa has over 20 years of experience in law, including 14+ years as a global privacy professional. Prior to joining Nymity, she served as Associate General Counsel (Privacy) for Nielsen, where she expanded the global privacy program, initiated and led key global and regional privacy and data protection programs and strategies, and drove the relationships across internal and external stakeholders to advance the company’s privacy agenda.

© 2025 Corporate Compliance Insights