California seems a long way away, doesn’t it? However, in today’s connected world, where data flows freely to almost every corner of the world, foreign laws are starting to catch up. This really should not come as a surprise given the reach of the GDPR beyond the physical boundaries of the EU.
The CCPA, though, has an oversized impact given the central role Californian companies play with data and the Internet. I enjoyed reading this article by Andrew Kimble and Peter Given from Womble Bond Dickinson. They set out some of the activities that can cause an entity to be caught by the CCPA, as well as a very helpful list of ten things UK businesses need to do to be compliant.
As the authors rightly point out, although GDPR and CCPA are not direct equivalents, they have a lot in common, and businesses that are adequately prepared for GDPR will have less to do to comply with CCPA. Central to all of this is really understanding how a business uses data - not just from a technical perspective but also from a process perspective. Yes, you need to know where your data is stored, but knowing how you use it and why is equally important.
Compliance does not simply require a technical solution; it is about people, processes and technology.
Organisations that have already taken steps to comply with the GDPR may find that they have fewer adjustments to make in their data practices to comply with the CCPA. However, complying with the GDPR does not automatically mean you are complying with the CCPA. For instance, the CCPA and GDPR have different provisions on deadlines, record-keeping requirements and definitions. UK businesses may therefore need another layer of compliance procedures in addition to those under GDPR to ensure they are covered.