Lessons Learned from GDPR to Prepare for CCPA Compliance & Future Regulations

Boris Khazin

Senior Account Manager, EPAM US
  • Business Information & Media

In May 2018, a monumental regulation came into effect that is setting a precedent for future data privacy standards. To protect consumers, the General Data Protection Regulation (GDPR) outlined a new set of rules for data collection, storage and usage for companies that operate in Europe. Following GDPR, the California Consumer Privacy Act (CCPA) was signed into law in June, helping consumers understand how companies are using their data and requesting that companies delete their data. With the countdown to CCPA in full effect, companies must start preparing for compliance by January 2020 if they haven’t already begun.

Preparing for a new regulation and implementing compliance processes into a company’s ecosystem now enables companies to ultimately save time and money in the future, but there are many challenges to consider. Through our governance, risk and compliance experience and helping businesses prepare for GDPR, there are several lessons we learned that can help your company ease the transition into CCPA compliance:

Understand how it affects your entire company. When we examined how data protected by these regulations is stored and moves throughout a company, we saw two important characteristics: Data access was not significantly controlled within a company and some units had legacy access to data that no one knew about.

While certain departments believed that they did not have access to any private data, we determined that they did have access – they just weren’t using it because they didn’t need to. You should perform a full enterprise analysis to see if there are any access points to data that should be eliminated. C-level support is essential for this, and each internal team must work together to ensure data flow and usage is properly documented and tracked. Processes and procedures must be uniform across the enterprise to make sure that only authorized individuals have access to personal information. Departments must monitor and comply with the applicable regulations, and the enterprise as a whole should also be monitoring data usage and access across departments to ensure compliance. To adhere to regulatory requirements, you can implement well-designed data processing platforms and solutions to manage data access requests, as well as to gain a view of enterprise consent management.

Budget appropriate funds as soon as possible. When it comes to regulatory compliance, many factors play a role in budgeting, so it’s important to start planning as soon as possible. New regulations make a huge impact on any organization’s digital ecosystem, and process and solution implementation can take months. The complexity of the solutions necessary for every company’s unique requirements is proportional to the complexity of the company. This means that the larger and more complex the company is, the more work needs to be done to ensure compliance. As new data flows in, or as a lack of data control needs to be addressed in overall development, you will have to adjust your plan and budget accordingly. Also, when new legal opinions on any given regulation emerge, the regulatory requirements may change and, in turn, change the scope of work that is necessary to achieve and manage compliance. Given the variables that come along with planning for compliance, organizations should account for a significant buffer in their budget.

Understand How Non-Compliance Will Impact Your Company. Privacy rules are becoming increasingly complex, especially in the US, and while their origins may be at a state level, their impact is global. It’s clear that CCPA is more complex than GDPR. Other regulations, such as SOX, Dodd-Frank and HIPAA, have introduced more stringent rules than past regulations as well. For example, unlike GDPR, CCPA has rules for companies that track device and household information. Also, CCPA enables consumers to opt out of companies selling their personal information, while GDPR does not directly let people opt out. With the unlimited penalties associated with CCPA, mistakes can be extremely costly. The penalties for CCPA non-compliance can reach up to $7,500 per customer, so the cost of penalties for non-compliance will likely be much higher than the cost of ensuring compliance for each customer in the long run. Working closely with a technology services partner who understands the details of each regulation will enable you to implement processes and solutions that are flexible and more cost-effective for your specific business requirements.

For Companies that Need to Comply with CCPA, the Clock is Ticking. In order to prepare for and manage compliance effectively, companies must implement future-proof, end-to-end solutions that are agile enough to respond to changes in requirements and new regulations. As more and more US states gear up for similar regulations in the pipeline, including Hawaii (SB 418), Maryland (SB0613), Massachusetts (SD 341), Mississippi (HB 2153), New Mexico (SB 176), New York (S00224), North Dakota (HB 1485) and Rhode Island (S0234), companies need to act fast and avoid last-minute work on preparing for regulations of this magnitude. If not, they risk many sleepless nights and the potentially heavy penalties that come along with not being ready for compliance.