Privacy Regulations: GDPR & CCPA

IMPORTANT

At this time, our GDPR/CCPA Privacy Solution only supports automatic deletion of records in the SSB Data Warehouse and connected CRM systems. You must submit deletion requests to the source system as well as to SSB to ensure records are deleted. We cannot perform deletions in systems from which we only read data, or in email marketing systems (each of those has its own process for opting out users, and those processes are also changing as a result of CCPA).


Privacy Policies Overview

This document covers the changes necessary to support privacy policy requirements, including the EU’s General Data Protection Regulation (GDPR), which went into effect in 2018, and the California Consumer Privacy Act (CCPA), which goes into effect in 2020.

Policies like GDPR and CCPA were passed to strengthen citizens’ fundamental rights in the digital age and to allow individuals to object to certain processing and to have their personal data corrected, deleted, and its use restricted. The UK government has stated that the GDPR applies within the UK after Brexit and, in any case, it will continue to cover all processing of Europeans’ personal data. GDPR applies to entities with no physical EU presence if they control or process covered personal information of EU residents. However, it does not apply to EU residents residing in the US. The CCPA only applies to companies doing business in California that annually satisfy one or more of the following: (1) have gross revenue of more than $25 million, (2) derive 50% or more of their annual revenue from the sale of consumer personal information, or (3) buy, sell, or share the personal information of more than 50,000 consumers.

CCPA is the first comprehensive privacy law in the United States. Businesses regulated by the CCPA will have several obligations to consumers, including disclosures, GDPR-like rights for consumers, an “opt-out” for certain data transfers, and an “opt-in” requirement for minors.

The biggest change is that institutions will be held far more accountable for the data they hold. In addition to documentation of what personal data exists within your organization, these policies require a documented understanding of why information is held, how it is collected, when it will be deleted or anonymized, and who may gain access to it. They also require that consumers be able to opt in to or out of the “sale” of their data, and that consumers are not discriminated against for exercising their rights under these policies.

Personal information of all natural persons (i.e. people, but not legal entities like corporations or nonprofits) physically within the EU ("EU data subjects") is covered by the GDPR. The regulation makes no distinctions based on individuals' permanent places of residence or nationality. Personal information is any information relating to an identified or identifiable person. There is no distinction between a person’s private, public, or work roles. CCPA’s term “personal information” roughly lines up with “personal data” under GDPR. These include not only such obvious information as education, financial, employment-related, and health data but also photographs, personal phone numbers, and IP addresses. CCPA also includes family and household data.

GDPR applies to all commercial and professional transactions of "controllers" and "processors" of data. Controllers are the principal entities and the main counterparties to transactions with individuals. They are the entities that govern the purposes, uses, and methods related to the "processing" of personally identifiable information. "Processors" are organizations, typically IT firms, that actually carry out the processing activities. In the context of CCPA, Businesses are individuals or entities that determine the purposes and means of the processing of consumers’ personal data, and Service Providers are individuals or entities that process the information on behalf of a business. These are broadly synonymous with the terms Controllers and Processors used in GDPR.

CI Features Overview

The goal of these features is to allow clients to easily manage the requirements of privacy policies such as GDPR and CCPA.

Under these policies, individuals’ rights have been enhanced. These include rights to:

  • Subject access
  • Have inaccuracies corrected
  • Have information erased
  • Prevent direct marketing
  • Prevent the sale of data


To help our clients comply with policies like GDPR and CCPA, we have added the following features to the SSB Central Intelligence (CI) product:

  • Addition of a DimCustomerPrivacy table for tracking GDPR and CCPA Requests and Compliance (we are using _privacy so that these tables may be used globally as laws in other countries and states evolve)
  • Standardization and deployment of a customer lookup report to all CI clients
  • A set of reports that allow clients to easily see GDPR and CCPA requests and compliance.
  • Data Deletion process

Subject Access

Under these policies, individuals will have the right to obtain:

  • confirmation that their data is being processed
  • access to their personal data
  • the purposes of the processing
  • categories of data being processed
  • logic on any automated processing decisions made based on the personal data
  • data retention periods
  • any 3rd parties that the data is shared with

The business or controller must respond within 30 days, free of charge (unless the request is excessive), and provide the information in a commonly used electronic format.

The GDPR includes a best practice recommendation that, where possible, organizations should be able to provide remote access to a secure self-service system that would provide the individual with direct access to his or her information (Recital 63).

For the CI product to help clients meet this requirement, we have added the following:

  • Storage of data access requests (date and timestamp) in the DimCustomerPrivacy table
  • An internal customer lookup report which returns all data about a customer (searchable by name, address, email, phone)

Data Erasure (Right to be Forgotten)

Under these policies, individuals have the right to have their data erased (to be forgotten).

The right to erasure does not provide an absolute ‘right to be forgotten’. Individuals have a right to have personal data erased and to prevent processing in specific circumstances:

  • Where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed.
  • When the individual withdraws consent.
  • When the individual objects to the processing and there is no overriding legitimate interest for continuing the processing.
  • The personal data was unlawfully processed (i.e. otherwise in breach of the GDPR).
  • The personal data needs to be erased in order to comply with a legal obligation.
  • The personal data is processed in relation to the offer of information society services to a child.

In addition, if you have disclosed the personal data in question to third parties, you must inform them about the erasure of the personal data, unless it is impossible or involves a disproportionate effort to do so.

In order to support clients, we have implemented the following to help meet the requirements of these privacy policies:

  • An endpoint in CI’s data uploader tool for submission of data deletion requests.
  • Storage of data deletion requests (date and timestamp) in the DimCustomerPrivacy table.
  • A data deletion process that is triggered by the data deletion request. The data deletion process should:
    • Anonymize any PII about the customer UNLESS the customer meets client business rules for data retention (e.g. a purchase for a future event, an application in process, etc.).
    • Record date of data deletion in the DimCustomerPrivacy table.
  • SSB's deletion process will remove the appropriate data from the SSB data warehouse, the client's data warehouse and CRM, but cannot update external source systems such as Ticketmaster, Paciolan, etc. Clients must contact external source systems and request deletion directly as well.
  • The addition of client “data retention” business rules to the business rules table. These rules will govern whether customer data can be deleted (anonymized). The data deletion will follow this process:

Privacy Policy Portal Components

Privacy & Compliance Report

Customer Lookup Tool

The customer lookup will be deployed to all clients and can serve as the Subject Access report. All customer records incorporated into DimCustomer will be searchable by name, address, email, phone.

Data Uploader Tool

SSB’s Data Uploader tool allows clients to import .csv or .txt files into Central Intelligence tables via the CI web portal.

The ability to load data related to privacy and compliance has been added. The following fields can be loaded via the data uploader or any standard data load to the DimCustomerPrivacy table:

  • Verified_Consent_TS - date/time verified consent for marketing was obtained
  • Verified_Consent_Source - how/where consent was obtained
  • Data_Deletion_Request_TS - date/time request to be forgotten was received
  • Data_Deletion_Request_Source - how/where the request was received
  • Data_Deletion_Request_Reason - reason for request
  • Subject_Access_Request_TS - date/time request was received
  • Subject_Access_Request_Source - how/where the request was received
  • Direct_Marketing_Optout_TS - date/time of direct marketing opt-out
  • Direct_Marketing_Optout_Reason - the reason for the opt-out
  • Direct_Marketing_Optout_Source - how/where opt-out was received

Most fields are for tracking purposes. Data_Deletion_Request_TS will trigger the Privacy Data Deletion process. It must be populated for data deletion to occur. Subject Access Requests and Data Deletion Requests will appear on the Privacy and Compliance Report in the client portal. SSB's deletion process will remove the appropriate data from the SSB data warehouse, the client's data warehouse, and CRM (if an outbound integration exists), but cannot update external source systems such as Ticketmaster, Paciolan, Peoplesoft, Advance, etc. Clients must contact external source systems and request deletion directly from the source as well.
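Because populating Data_Deletion_Request_TS is what starts deletion, and leaving it blank means no deletion occurs, a pre-upload check of the request file is worthwhile. The following is an added example, not SSB code: the `Email` key column, the timestamp format, and the sample rows are assumptions constructed for illustration; only the privacy field names come from the list above.

```python
import csv
import io
from datetime import datetime

# Field names as listed on this page for DimCustomerPrivacy loads.
PRIVACY_FIELDS = {
    "Verified_Consent_TS", "Verified_Consent_Source",
    "Data_Deletion_Request_TS", "Data_Deletion_Request_Source",
    "Data_Deletion_Request_Reason", "Subject_Access_Request_TS",
    "Subject_Access_Request_Source", "Direct_Marketing_Optout_TS",
    "Direct_Marketing_Optout_Reason", "Direct_Marketing_Optout_Source",
}
TS_FIELDS = sorted(f for f in PRIVACY_FIELDS if f.endswith("_TS"))
ID_COLUMN = "Email"               # assumption: the page does not name the key column
TS_FORMAT = "%Y-%m-%d %H:%M:%S"   # assumption: the page does not give a format

# Constructed sample file, not real customer data.
SAMPLE = """Email,Data_Deletion_Request_TS,Data_Deletion_Request_Source,Data_Deletion_Request_Reason,Direct_Marketing_Optout_TS
a@example.com,2020-01-15 09:30:00,web form,consent withdrawn,
b@example.com,,phone,customer request,
c@example.com,,,,01/15/2020
"""

def review_privacy_upload(csv_text):
    """Return (customers whose rows will trigger deletion, list of problems)."""
    reader = csv.DictReader(io.StringIO(csv_text))
    unknown = set(reader.fieldnames or []) - PRIVACY_FIELDS - {ID_COLUMN}
    problems = [f"header: unknown column {c!r}" for c in sorted(unknown)]
    will_delete = []
    for line_no, row in enumerate(reader, start=2):
        get = lambda name: (row.get(name) or "").strip()
        if not get(ID_COLUMN):
            problems.append(f"line {line_no}: missing {ID_COLUMN}")
        for field in TS_FIELDS:
            if get(field):
                try:
                    datetime.strptime(get(field), TS_FORMAT)
                except ValueError:
                    problems.append(f"line {line_no}: bad timestamp in {field}")
        if get("Data_Deletion_Request_TS"):
            will_delete.append(get(ID_COLUMN))   # this row starts deletion
        elif get("Data_Deletion_Request_Source") or get("Data_Deletion_Request_Reason"):
            problems.append(f"line {line_no}: deletion details without "
                            "Data_Deletion_Request_TS; no deletion will occur")
    return will_delete, problems

if __name__ == "__main__":
    print(review_privacy_upload(SAMPLE))
```

Reviewing the returned deletion list before upload gives a second person the chance to confirm each request against the client's retention rules.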


Data Uploader Privacy Request Template .csv: 

Resources

SSB Proprietary and Confidential