Privacy Compliance
Map your route to privacy compliance
We help you find your way to compliance solutions no matter where you’re at.
Compliance means a lot of things to different people, but to your customers, it means you take their privacy seriously. Strong data privacy compliance programs let you serve your customers better by giving them transparent privacy notices, resources to control their personal information and enhance their security and privacy.
When you take compliance seriously, you do more than protect your customers. You put your business in the best possible position to utilize consumer data. You protect your interests against loss. You safeguard your reputation.
Red Clover Advisors’ focus is making compliance practices effective and manageable for clients. We assess, develop, implement, and maintain strategies for all major compliance regulations, delivering results without the substantial expense of hiring in-house.
Whether you need to get in line with the California Consumer Privacy Act (CCPA), Europe’s General Data Protection Regulation (GDPR), or are wanting to maximize your legal and compliance practices, we bring a business-forward approach to the table. Our process distills years of industry experience into operational analysis that makes sense for your business now – and in the future.
In plain English, the GDPR sets guidelines that must be followed by businesses, organizations, non-profits, and essentially anyone who touches someone’s personal information in connection with goods and/or services offered to EU residents.
We help companies find their way to compliance from start to finish. Our full range of services includes:
CCPA is the most expansive data privacy law to date in the United States. While there are other state-level privacy regulations, both on the books and in development, CCPA is the most impactful by far, with a regulatory reach going well beyond California’s borders.
CCPA shares similarities with GDPR, but it ultimately has its own unique set of regulatory requirements. We help clients:
We stay on top of what you need to do so you can focus on what you know best: your business and your customers.
Quick, give me a refresher on GDPR and CCPA!
Happily! Unless you eat, sleep, and breathe data privacy as we do, it’s hard to keep the nuances of these two game-changing privacy regulations separate in your head. Here’s the skinny on what distinguishes GDPR and CCPA.
Note: GDPR and CCPA aren’t the only games in town; they’re just two of the biggest. There’s a whole other world of privacy acts like HIPAA, PCI, TCPA, CASL, CAN-SPAM, the Gramm-Leach-Bliley Act, and more.
The GDPR was the first major international privacy act, and it changed the data landscape entirely. GDPR went into effect in March of 2018, and businesses have been working toward GDPR compliance ever since.
GDPR affects businesses of all sizes around the world. Whether you’re a multinational corporation, a nonprofit educational institution, or running a small online business, if you collect personal information from an EU resident, GDPR rules apply to you.
One of the major accomplishments of GDPR was to provide a thorough definition of individual rights over personal data. GDPR gives EU residents significant controls over their information, including:
GDPR also takes the step of defining special categories of sensitive data. This private information includes:
In short, these rights key EU residents in on how their personal data is being collected, stored, and used by companies. They give residents the right to consent to, object to, and delete their information.
And if organizations don’t comply? They risk massive fines, legal action, and reputational damage.
Want to learn more about GDPR, its scope, and how it impacts organizations across the globe? We’ve got a white paper for that.
CCPA, as noted above, is the largest state-level privacy regulation in the United States. It’s only been enforceable since July 1, 2020, but businesses have been busy getting their compliance ducks in a row since the legislation rolled out in 2018:
The CCPA applies to your business if:
Under CCPA, consumers have a new set of individual rights. These include:
Want a closer look at individual rights? We’ve got an article for that, too.
Under CCPA, your team has to be prepared to support these individual rights via consumer requests. You’ve got to provide up-to-date privacy notices. You’ve got to meet deadlines for responses and appropriately verify the requester’s information. CCPA provides individuals with the right to legal action if a company violates their rights, although that right is admittedly not well defined.
Learn more about the nuances of CCPA here.
Does complying with GDPR mean I’m complying with CCPA? (Or vice versa?)
Wouldn’t it be nice and straightforward if it did mean that?! Lots of companies assume that GDPR compliance automatically grants them CCPA compliance. The data privacy processes and controls they put in place for GDPR or CCPA compliance are certainly helpful, and there’s definitely crossover between these compliance frameworks. But there are nuances in the definitions, goals, and requirements behind them that need to be observed. (And carefully!)
Before starting off on a compliance journey, it’s good to focus on why you need to comply in the first place. You start by thinking about your customer. What controls do you need to protect them? What are the risks to their data? How do your information systems handle that data? Starting with these questions helps you think specifically about the needs of compliance frameworks.
What does compliance mean for my business?
On a financial level, non-compliance can be devastating. Not taking compliance seriously can bring legal action, significant fines and fees, and damage your reputation and relationship with your clients and colleagues.
Compliance is often framed in a negative light: it’s a lot of work, it’s hard to keep up with, and so forth. It’s true that compliance is a big undertaking. But it offers your organization valuable opportunities. When you prioritize compliance, you give your business the chance to build internal structures and controls that help you streamline and manage your data collection processes. You learn where your weak points are and how to reinforce protections.
And it’s huge for your customers. Offering them transparency and security shows that you take their trust seriously. (And trust is what long-term relationships thrive on, isn’t it?)
What type of data do we need to protect?
Not all data is created equal. While you should work to minimize data collection in general, it’s especially important to build security around personal data.
What information do you need to be locking down, though? You should provide protection for personal data, which is any piece of information that can be used to identify an individual, whether on its own or combined with other information. This includes, but isn’t limited to, dates of birth, passport numbers, driver’s license numbers, and Social Security numbers.
How should companies try to minimize the amount of data they collect?
Data minimization is a major principle behind security and privacy, but it’s common for companies to collect way more personal data than they actually need or use.
This usually isn’t borne out of ill intentions, but at the same time, it’s important to evaluate why you really need data. Know what you need and what you’re going to do with it, and then collect the minimum amount and types of data required to achieve those goals.
For example, while it might make sense for a company selling health remedies to collect information on the types and quantities of vitamins an individual consumes, an athletic-clothing manufacturer should think twice (even if it is related to an ad campaign) before collecting that sort of data.
What role does training play in data privacy risk management?
We’re huge proponents of training. According to a study by CompTIA, your biggest security threat isn’t a mysterious hacker but rather your very own employees. Human error causes 52% of recorded security breaches.
Error! Simple human error! It’s preventable. When you give your employees the right data privacy training, you can make a huge dent in that number. What do we mean by the “right training”? It needs to be more than your run-of-the-mill confidential information training. The “right training” takes a deep dive into:
It’s also important that you build privacy and security into your workplace culture. This should be part of your employee training, helping employees better understand your approach to privacy and security and the policies behind it.
What should companies do to better organize the data they collect?
One of the best things that you can do to stay ahead of the curve is to have a solid data inventory. Your data inventory should map out what data you store, where it’s kept, who has access to it, and where it comes from and goes to. If you have data that is considered sensitive by data privacy laws (such as GDPR), you should also include this in your data inventory and document the security measures that protect it against data breaches.
Data inventories are mission-critical for your privacy program. They simply can’t be ignored. But by working with experienced privacy professionals, you can be sure you’re doing them right.
Take your company beyond compliance. Reach out to our team at Red Clover Advisors today to start with your free consultation.