Leveraging Data Inventories for CCPA and GDPR Compliance – Part 1

Data inventories are directories for managing sensitive data throughout the enterprise.  This article shows how to leverage those inventories for compliance with the CCPA, GDPR, and similar laws and regulations.

Data Inventories and Personal Data

I’ve discussed data inventories in a previous post.  To recap, they are living directories or systems for managing sensitive data across the enterprise.  Sensitive data isn’t just personal data; it also includes trade secrets, attorney-client privileged information, and export-controlled data.  Data inventories are the core of any data protection program.  They provide leaders with a “single source of truth” for making decisions while exerting command and control over their programs.

During the run-up to the GDPR compliance deadline, I worked with many data protection leaders.  They typically expressed being overwhelmed with the litany of mandates the Regulation dictated.  The same is now true with the CCPA and likely will be so with upcoming data protection laws.  The good news is that several of those mandates are common to the CCPA.  As such, you can leverage your data inventory to meet them.

Defining “Personal Data”

The CCPA’s and GDPR’s base definitions of personal data/personal information are similar:

  • GDPR.  ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’)[.]
  • CCPA.  [I]nformation that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.

In practice, however, there are some noteworthy differences.  Personal data under the GDPR falls into one of roughly three categories:

  1. “Regular” personal data.  Social security, drivers’ license, and phone numbers; street addresses; dates of birth
  2. Machine-readable data.  IP and MAC addresses, IMEI/IMSI/ESN, geo-location/GPS, log files, cookies
  3. “Special” personal data.  EU special data (healthcare, political/religious, trade union, sexual, etc.)

This significantly contrasts with the CCPA’s approach.  The Act features many categories of personal information.  Some of them are a grab bag of items, others a duplication of earlier categories:

  1. Regular and machine-readable data
  2. Education, employment, employment history
  3. Protected classifications (e.g., Title VII)
  4. Commercial records of consumer purchases
  5. Biometric information
  6. Internet search and browsing; interaction with online advertisements
  7. Geolocation information
  8. Audio, electronic, visual, thermal, olfactory, or similar information
  9. Professional or employment-related information
  10. Education information as defined under federal law
  11. Inferences drawn from any of the above

The upshot of this is that just about anything can be personal data under the CCPA.  This applies even to seemingly innocuous information like GPS coordinates, from which, once compiled, a surprising amount can be inferred about someone.

Meeting Mandates Common to the CCPA and GDPR

The CCPA has been described as “California’s version of the GDPR.”  While this is a bit of an oversimplification, there are at least a half-dozen compliance areas that are common to both laws.  In these instances, data inventories will act as a “feeder,” advancing compliance by providing crucial information.

Data Subject/Consumer Rights

Data subject rights under the GDPR and consumer rights under the CCPA center on the generally accepted privacy principles (GAPP) of notice, choice & consent, and access.  Chapter III of the GDPR, for example, encompasses well-known rights such as transparency of privacy practices, access to personal data, and the right to erasure (popularly known as the “Right to be Forgotten”).  Sections 110(b) and 105(c) of the CCPA mandate the disclosure of personal information and deletion upon request, respectively.  Data inventories help fulfill these requirements by identifying:

  1. What personal data is being collected in the course of business;
  2. Specific information collected about a particular individual; and
  3. Where personal data is located across the enterprise.
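As an added illustration (not code from the article or from Spirion), here is a minimal data inventory that answers items 1 and 3 above and turns item 3 into a deletion plan for an erasure request; the record layout, system names, categories and sample rows are all constructed assumptions. Item 2, the specific information held about one individual, is obtained by querying the locations the inventory lists.

```python
"""Minimal data inventory answering the questions above.

Added example, not the article's or Spirion's code; record layout, system
names, categories and sample entries are all constructed assumptions."""
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class InventoryEntry:
    system: str         # system holding the data (constructed names below)
    location: str       # table/column or file path inside that system
    field: str          # data element
    gdpr_category: str  # "regular", "machine-readable" or "special:<kind>"
    ccpa_category: int  # number of the CCPA category in the list above (1-11)
    lawful_basis: str   # basis recorded when the data was collected

# Constructed sample inventory, one row per data element per location.
INVENTORY = [
    InventoryEntry("crm-db", "customers.email", "email", "regular", 1, "contract"),
    InventoryEntry("crm-db", "customers.dob", "date_of_birth", "regular", 1, "contract"),
    InventoryEntry("web-logs", "access.log", "ip_address", "machine-readable", 1, "legitimate_interest"),
    InventoryEntry("mobile-api", "events.geo", "gps_coordinates", "machine-readable", 7, "consent"),
    InventoryEntry("hr-db", "staff.union", "trade_union_membership", "special:trade_union", 3, "legal_obligation"),
    InventoryEntry("analytics", "profiles.segment", "inferred_interests", "regular", 11, "consent"),
]

def collected_categories(inventory):
    """(1) What is collected: data elements grouped by CCPA category number."""
    out = defaultdict(set)
    for e in inventory:
        out[e.ccpa_category].add(e.field)
    return dict(out)

def locations_of(inventory, field=None):
    """(3) Where it lives: every (system, location), optionally for one element."""
    return sorted({(e.system, e.location) for e in inventory
                   if field is None or e.field == field})

def special_category_entries(inventory):
    """GDPR 'special' data, which needs stricter handling than regular data."""
    return [e for e in inventory if e.gdpr_category.startswith("special:")]

def erasure_plan(inventory, retain_bases=("legal_obligation",)):
    """Deletion targets for an erasure request. Data kept under a legal
    obligation is listed for review, as both laws carve out retention required by law."""
    plan = {"delete": set(), "retain": set()}
    for e in inventory:
        bucket = "retain" if e.lawful_basis in retain_bases else "delete"
        plan[bucket].add((e.system, e.location))
    return {k: sorted(v) for k, v in plan.items()}
```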

This chart summarizes data subject/consumer rights under the respective laws:

In part 2 of this series, I will describe how to leverage data inventories for conducting risk assessments and managing the sharing of personal data with business partners under the GDPR and CCPA.

See how Spirion can help you meet your compliance obligations with data protection. Download the CCPA whitepaper, How Spirion Advances Compliance with the California Consumer Privacy Act of 2018 (CCPA).