If you are concerned about data privacy, you will agree that the topic has become increasingly complex. In the 21st century, tools and technologies capture data about every facet of our lives. Many consumers now believe they no longer control information about themselves, and they are starting to pay closer attention to how that information is collected.
Such customer concerns are affecting every industry. In response, regulators around the world are taking an interest in data privacy and have begun to establish new rules.
GDPR compliance in the EU is arguably the most notable of these regulations, but other countries and states have recently taken similar measures. The California Consumer Privacy Act (CCPA) is one such measure.
Most organizations find certain questions about data privacy laws confusing, such as what GDPR and CCPA compliance actually require, or how they should prepare to manage the interaction data they collect from customers through their digital assets and websites.
So I have compiled what any business needs to know about data privacy laws such as GDPR and CCPA, along with advice for meeting their requirements. Let's take a deep dive!
What Is GDPR Compliance?
The General Data Protection Regulation (GDPR), adopted by the European Parliament and Council in April 2016, replaced the Data Protection Directive 95/46/EC in Spring 2018 as the primary data privacy law regulating how companies protect EU citizens' data.
GDPR applies in every member state of the European Union, and it aims to create more consistent protection of consumers' data across EU nations. Some of the critical data privacy and protection requirements of the GDPR include:
- Requiring the consent of consumers for data processing
- Anonymizing data collection to protect privacy
- Providing instant data breach notifications
- Safe handling of data transfer across borders
- Mandating individual companies to appoint a data protection officer to oversee GDPR compliance
- A mechanism to enforce data subject rights
Simply put, the GDPR requires a baseline set of standards for organizations that manage EU citizens' data in order to secure the processing and movement of that data. Companies found guilty of non-compliance will be subject to stiff penalties and fines.
Who Is Subject To GDPR Compliance?
The purpose of data privacy laws such as GDPR is to impose a uniform data security law on all EU members, so that each member state no longer needs to write its own data privacy laws and these laws are consistent across the entire EU.
In addition to EU members, it is essential to note that any company that markets goods or services to EU residents, regardless of its location, is subject to the regulation. The data privacy law therefore applies to any organization that manages EU residents' data, whether it is EU-based or not. This is known as the "extra-territorial effect."
As a result, GDPR compliance has had an impact on data protection requirements globally.
However, there are exceptions to these data privacy laws. Firstly, GDPR does not apply to "purely personal or household activity." So if you've collected email addresses of friends from work to organize a picnic, rest assured you will not have to encrypt their information for GDPR compliance (though you might want to anyway!). The GDPR only applies to companies involved in "professional or commercial activity." So, if you're collecting email addresses from friends to fundraise for a side business project, then the GDPR may apply to you.
The second exception is for organizations with fewer than 250 employees. Small- and medium-sized enterprises (SMEs) are not exempt from the GDPR, but the regulation does free them from record-keeping obligations in most cases.
What Can Be Considered Personal Data Under GDPR?
At the heart of GDPR compliance is personal data. Broadly speaking, this is information that allows a living person to be directly or indirectly identified from the data that is available. Such data can be something as obvious as a person's name, location data, or a clear online username, or it can be less apparent, such as IP addresses and cookie identifiers.
Under GDPR, there are also a few select categories of sensitive personal data that require greater protection. This includes information about racial or ethnic origin, religious beliefs, political opinions, membership of trade unions, health information, genetic and biometric data, and data about a person's sex life or sexual orientation.
The crucial thing about personal data is that it allows the identification of a person. Pseudonymized data can still fall under the definition of personal data.
"Controllers are the main decision-makers – they exercise overall control over the purposes and means of the processing of personal data," says the UK's data protection regulator, the Information Commissioner's Office (ICO). It is also possible for there to be joint controllers of personal data, where two or more groups jointly determine the handling of data.
What Do Industry Players Think About GDPR?
Tim Cook, CEO of Apple, tweeted: "GDPR has shown us all that good policy and political will can come together to protect the rights of everyone."
Microsoft Cloud tweeted: "The #GDPR is an important change in privacy rights."
"My own point of view on GDPR is it's a fantastic start on really treating privacy as a human right," Nadella said in an interview at the World Economic Forum in Davos.
How Does GDPR Influence Businesses?
The EU's General Data Protection Regulation (GDPR) has attracted the interest of many businesses because of its influence and the increased administrative fines for non-compliance.
There are basically two tiers of administrative fines that companies face for non-compliance:
- Up to €10 million, or 2% annual global turnover – whichever is higher.
- Up to €20 million, or 4% annual global turnover – whichever is higher.
Which tier applies depends on the specific articles of the regulation that the organization has breached. Infringements of the organization's own obligations, including data security breaches, are subject to the lower tier, whereas infringements of an individual's privacy rights are subject to the higher tier.
Data controllers and processors face administrative fines of the higher of €10 million or 2% of annual global turnover for infringements of articles:
- 8 (conditions for children's consent),
- 11 (processing that doesn't require identification),
- 25-39 (general obligations of processors and controllers),
- 42 (certification), and
- 43 (certification bodies)
The higher of €20 million or 4% of annual global turnover for infringements of articles:
- 5 (data processing principles),
- 6 (lawful bases for processing),
- 7 (conditions for consent),
- 9 (processing of special categories of data),
- 12-22 (data subjects' rights), and
- 44-49 (data transfers to third countries).
What Is Required For GDPR Compliance? A GDPR Compliance Checklist
At the core of GDPR are seven fundamental principles, laid out in Article 5 of the legislation, which guide the handling of people's data. These are not hard rules; instead, they act as an overarching framework that lays out the broad purposes of this data privacy law. The principles are largely the same as those that existed under previous data protection laws. GDPR's seven principles are:
- lawfulness, fairness and transparency;
- purpose limitation;
- data minimization;
- accuracy;
- storage limitation;
- integrity and confidentiality (security);
- and accountability.
In reality, only one of these principles (accountability) is new to data protection rules. In the UK, all the other principles are similar to those that existed before under the 1998 Data Protection Act.
Companies that wish to follow these seven principles and comply with GDPR need a five-step checklist, which includes:
- Appointing a GDPR lead or team within their marketing department and reviewing their data-handling procedures
- Providing precise consent wording, including a cookie consent notice, and creating an age-verification process
- Actively managing existing leads and contacts in a database
- Designing a data breach plan
Data Privacy Laws Similar To GDPR
While GDPR reshaped how data privacy looks, it is by no means the only data privacy law. Several countries and states are enforcing similar data privacy laws. One such law, as mentioned earlier, is the California Consumer Privacy Act (CCPA), which went into effect on January 1st, 2020.
What Is CCPA Compliance?
The California Consumer Privacy Act (CCPA) is a state-wide data privacy law that governs how businesses all over the world handle the personal information (PI) of California residents.
CCPA applies to any for-profit business in the world that sells the personal information of more than 50,000 California residents annually, has annual gross revenue exceeding $25 million, or derives more than half of its annual revenue from selling the personal information of California residents.
How Will CCPA Impact Businesses?
The CCPA is having a significant impact on corporate privacy initiatives across all sectors of the technology, media and entertainment, and telecommunications industries. Companies that have already deployed compliance programs for the European Union's (EU) GDPR have some advantages in addressing the new requirements, but brands with a primary focus on the United States and markets in the Americas mostly avoided GDPR's scope. Regardless, the rising tide of data privacy concerns among consumers and legislatures globally has driven data privacy mobilization across industries.
Regarded as one of the strictest data privacy laws in the United States, the CCPA gives the residents of California the ability to control how businesses manage and process their personal information (PI). Businesses now have to honor requests from California residents to access, delete, and opt out of the sharing or selling of their personal information.
Additionally, businesses have to consider several CCPA-specific requirements when updating their privacy programs, such as the CCPA's prescriptive opt-out measures and the need to stop selling consumer data upon an individual's request.
How Is CCPA Different From GDPR?
Primarily, the GDPR creates a "privacy by default" legal framework for the EU, whereas the CCPA creates transparency in California's colossal data economy and provides rights to its consumers.
GDPR gives EU residents a door they can lock before any data processing takes place. The CCPA gives Californian consumers a window they can open to find out which of their data an organization holds or sells to a third party.
This metaphor spells out the primary difference between the CCPA and the GDPR, namely prior consent versus opt-out.
The right to opt out (CCPA) and the right of prior consent (GDPR) are not comparable: the right to opt out (CCPA) is similar to the right to withdraw consent in the GDPR, whereas the right of prior consent (GDPR) has no equivalent in the CCPA.
Where the GDPR requires companies, websites, and businesses to have a legal basis for processing personal data in the EU (under which the fundamental legal basis is consent), the CCPA does not provide any framework as such.
In fact, as per the CCPA, a business does not need prior consent from a user before processing the user's data, nor does a website need prior consent from a user before selling their data to third parties.
The central rights under both the GDPR and the CCPA include the right to information, the right of access, and the right to portability. They also include the right to deletion (CCPA) and the right to erasure (GDPR), with minor differences between the two data privacy laws.
Another point of difference is that the CCPA defines personal information as any information that identifies, relates to, describes, is associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
For GDPR, personal data is any information relating to an identified or identifiable natural person (the data subject), directly or indirectly, in particular by reference to an identifier.
The point of separation between GDPR and CCPA is that the CCPA's definition is extra-personal, meaning that it covers not only data specific to an individual but also household data, whereas the GDPR definition is exclusively individual.
How Does VIDIZMO Help With GDPR Compliance And CCPA Compliance?
VIDIZMO provides live and on-demand video streaming and management solutions, a digital asset management solution (DAM), and a digital evidence management solution (DEM) for a diverse set of video streaming and content management use cases.
These range from conducting live events such as town halls, all-hands meetings, and live virtual training for corporate communication, training and learning, knowledge sharing and collaboration, and sales and marketing, to helping public safety and law enforcement agencies catalog, retrieve, and share video and digital evidence stored in the CJIS-compliant Azure Government Cloud.
We understand that each of our customers has not only a unique use case but also diverse data privacy requirements, and we therefore offer the broadest range of tools.
Organizations need to use clear, non-legalese language that allows the person to provide unambiguous consent for GDPR or to opt out in the case of CCPA. If your company collects personal data through a web form, it has to state clearly how the information will be used.
VIDIZMO empowers organizations to switch on GDPR and CCPA compliance within their account and sub-portals. Every user (anonymous or logged-in) will be required to agree to the system's Data Processing Agreement (DPA) as soon as they land onto the web application.
According to PwC, the general chatter among privacy professionals at industry events and networking groups suggested that fewer than 10% would be launching a do-not-sell (DNS) link, and that they would instead declare in their privacy policies that they did not sell Californians' data.
Data privacy laws such as GDPR make it compulsory for organizations to gain control over where their data sits.
VIDIZMO understands the challenges faced by businesses and therefore allows some data to be stored behind a firewall and some in the cloud in another location of the customer's choice. This enables a flexible storage solution that also supports on-demand burst-out processing, in which data moves in and out of the cloud as it changes. Organizations can use the cloud for offsite disaster recovery without downtime or data loss, giving them more control over where their data resides.
Businesses can place any component of the solution in any location of their choice, either in the cloud or on-premises. They can host some videos in any number of on-premises locations while using the cloud for others, and intelligently route users to the appropriate location.
Data Subject Requests
The GDPR gives EU residents specific rights over their data; these rights include obtaining copies of personal information, restricting the processing of it, requesting corrections to it, deleting it, or receiving it in an electronic format and forwarding it to another controller. A formal request by a customer to a controller to take action on their data is a Data Subject Request (DSR).
Similarly, the California Consumer Privacy Act (CCPA) provides data privacy rights and obligations to California consumers, including rights that are similar to GDPR's, such as the right to delete, access, and receive (portability) their personal data. The CCPA also has provisions for certain disclosures, protections against discrimination when electing to exercise rights, and "opt-out/opt-in" requirements for specific data transfers classified as "sales." Sales are defined to include the sharing of data for valuable consideration.
VIDIZMO understands the challenges faced by organizations and therefore helps our customers find and act on personal information in order to respond to Data Subject Requests (DSRs). This includes how to find, access, search, and act on personal data within VIDIZMO's platform.
Discover: Use VIDIZMO's powerful search and discovery tools, for both platform search and in-video search, to more easily find customer data, such as videos, that may be the subject of a DSR.
Access: Retrieve personal data that resides in VIDIZMO's platform, and if requested, make available a copy of it to the data subject.
Rectify: Make changes such as redacting personal information from digital assets, and perform other actions such as clipping portions of videos in which an individual appears.
Restrict: Restrict the processing of personal data by removing digital assets from VIDIZMO's cloud storage and retaining them on-premises or at another geographic location.
Delete: Permanently remove personal information that resided in VIDIZMO's platform and in the storage provider of your choice.
Export/Share: Provide an electronic copy to the data subject by sharing the digital assets that contain their personal data or personal information. VIDIZMO provides straightforward content sharing with internal and external (third-party) users by generating a link and password-protecting the evidence. These features enable the secure sharing of digital assets with specific viewers (internal or external) or groups.
Customers can use local content encoding and caching/streaming servers (as both hardware and virtual/software appliances) that integrate with VIDIZMO in the cloud, so that your content never leaves your premises during the digital asset lifecycle, from uploading to transcoding, caching, streaming, and archival.
You can encode your files on-premises using a local software or hardware encoder before uploading them to the cloud-based application in a region of the customer's choice.
One of the most critical developments in the regulation of data privacy was the adoption of GDPR, which subjected many businesses to strict data privacy compliance requirements. GDPR protects the personal data of EU residents while stipulating that companies must notify EU citizens of data breaches and obtain consent for processing their data, or risk paying steep fines.
A similar data privacy law in the US is the California Consumer Privacy Act (CCPA), which imposes compliance requirements similar to GDPR's, with subtle differences.
We at VIDIZMO serve customers all over the world with video streaming and management solutions, a digital asset management solution (DAM), and a digital evidence management solution (DEM), and we understand the requirements our customers have to follow to comply with data privacy laws. Therefore, we offer solutions that give organizations complete control over all their sensitive data and valuable intellectual property, and whose flexible deployment, storage, hosting, and encoding options give organizations the flexibility to meet these laws, regulations, and compliance requirements.
To know how VIDIZMO can help you manage digital assets such as videos while maintaining compliances such as GDPR and CCPA/