Introduction to GDPR, CCPA & ISO 27701: The Only Guide You’ll Ever Need

Satya Moutairou

24 May 2022

In the modern era of cybersecurity, consent and trust are paramount.

Over time, customers have become increasingly averse to someone making money off of their information by selling it. Regional, national and international law regulators had to figure out ways to protect their citizens’ data. This is how guidelines and regulations like GDPR, CCPA, and ISO came into place.

Every time you are browsing a site and information pops up telling you the site wants to collect your information, know that there is a reason. These regulations require that any type of information organizations gather about you should be consensual, informed, and safe.

Did you know that non-compliance with GDPR (General Data Protection Regulation) can cost 20 million euros (or 4 percent of annual revenue), in addition to customers having the right to sue the business as well?

GDPR, CCPA, and ISO 27701 at a glance

What is GDPR?

TL;DR If you do business with European citizens, you have to comply with GDPR. Any type of information you collect about someone is considered private information. GDPR is an extensive guideline, and if you fail to comply with it, a huge fine is waiting for you.

GDPR or the General Data Protection Regulation is known to be the toughest privacy and security law. Approved in 2016, and enforced in May 2018 by the EU, it made the already strict European legal environment even more challenging for businesses. It imposes uniform data security on organizations that deal with the private information of EU citizens.

Under GDPR terms, companies are now obliged to keep the data safe, have it ready to be disposed of if need be, inform customers within 72 hours if a breach has been discovered, find out the extent of the data leak, investigate and resolve it with customers always in the loop, etc.

The GDPR rules apply to almost every piece of data that an organization would collect, even if it’s not used to identify a person. It also includes information that websites often ask for, such as your IP address, email address, and physical device information.

Under GDPR, below is a subset of data that can’t be shared:

  • “Basic identity information” such as name, home address, and email address
  • Web data, such as your location, IP address, cookie data, and RFID tags that can be used to find you on the web
  • Political views
  • Data about health and genes
  • Race or ethnicity

Understandably, “basic identity information” is a big concept. It includes user-generated data, such as social media posts, personal images that people upload to websites, medical records, and other unique information that people often share online. Basically, any information that leads to the identification of an individual. Yep, that means that organizations must keep your tweets and Facebook posts safe as well.

GDPR is very detailed: when it comes to securing personal data, it requires you to take “appropriate technological and organizational measures” to mitigate risks. It then goes on to list some of the standard measures:

  1. Personal data pseudonymization and encryption — so that even if stolen, it cannot be abused
  2. Ensure your systems and services adhere to the “confidentiality, integrity, availability, and resiliency” principles of information security
  3. Data restoration: technologies and methods intended to restore personal data following a security breach (systems backup would be part of this)
  4. Regularly test and analyze your security measures to verify they are effective
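As an added example (not code from the original article), here is what the first measure, pseudonymization, looks like in practice: a keyed hash replaces the direct identifiers, and the re-identification table is kept apart from the analytics data so that a stolen copy of the latter cannot be abused. The record fields, the sample records, and the choice of HMAC-SHA256 are assumptions made for this illustration.

```python
import hmac
import hashlib
import secrets

# Constructed sample records (not real people). Field names are assumptions.
RECORDS = [
    {"name": "Alice Example", "email": "alice@example.com", "plan": "pro", "logins": 42},
    {"name": "Bob Example", "email": "bob@example.com", "plan": "free", "logins": 3},
]

DIRECT_IDENTIFIERS = ("name", "email")


def pseudonym(value: str, key: bytes) -> str:
    """Keyed hash of an identifier. Without the key the pseudonym cannot be
    reversed or confirmed by guessing, unlike a plain SHA-256 of an email."""
    return hmac.new(key, value.strip().lower().encode(), hashlib.sha256).hexdigest()


def pseudonymize(records, key):
    """Split each record into (a) an analytics row carrying only a pseudonym and
    non-identifying fields and (b) a re-identification entry stored separately.
    GDPR calls that separately kept entry the 'additional information'."""
    analytics_rows, reid_table = [], {}
    for rec in records:
        pid = pseudonym(rec["email"], key)
        analytics_rows.append(
            {"subject_id": pid, **{k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}}
        )
        reid_table[pid] = {k: rec[k] for k in DIRECT_IDENTIFIERS}
    return analytics_rows, reid_table


def contains_direct_identifiers(rows):
    """Sanity check to run before exporting data to analytics or a vendor."""
    return any(k in row for row in rows for k in DIRECT_IDENTIFIERS)


def reidentify(pid, reid_table):
    """Identity is recoverable only with access to the separately stored table."""
    return reid_table.get(pid)


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # keep in a KMS/HSM, never next to the data
    rows, table = pseudonymize(RECORDS, key)
    print(rows)
```

The key lives with the re-identification table under separate access control; rotating it produces an unlinkable new set of pseudonyms, which is why the same record yields different identifiers under different keys.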

If you’d like to have the flexibility to customize controls to meet your privacy and data handling practices, check out TrustCloud’s Privacy Essentials in TrustOps.

What is CCPA?

TL;DR If your company is targeting California residents as your customers, then look into this one. CCPA is there to protect the personal data of California residents no matter where they currently are. All information except what you can learn from publicly available sources is considered private information.

CCPA (California Consumer Data Privacy Act) is a statewide data privacy law, effective from January 1, 2020, that reinforced individuals’ rights by strengthening company laws around the use of personal information. CCPA is said to be modeled on GDPR and is sometimes called the “GDPR light”. However, some disagree with this, since the two differ in whom they apply to and how they define certain terms.

Consumers have rights under the CCPA, including a right to information about data collection, a right to be forgotten, and the ability to opt out of having their data sold (opt-in for minors). The list of rights is broadly similar to the list of rights granted to EU data subjects under GDPR.

However, there are some important distinctions, one of which is that the CCPA is designed as an opt-out model, in contrast to the GDPR’s opt-in process. This means that under GDPR, personal data collection must have a legal basis (e.g. consent), whereas the CCPA requires that consumers be allowed to opt out of data-gathering operations.

Under the terms of the CCPA, any information that relates to, or can be linked to, a specific person or family, except for public government records, is considered personal information. Public documents from the federal, state, or municipal government, such as professional licenses and public real estate data that are for anyone to see, are NOT considered personal information. In terms of the scope of information it applies to, then, it is easy to understand why it was nicknamed “GDPR light.”

Another reason for its reputation for “lightness” is that CCPA protections apply to consumers only, whereas GDPR applies to all “data subjects,” who are defined as any “identifiable natural people” resident in the European Union. This means GDPR does not distinguish between B2B (business-to-business) and B2C (business-to-consumer) contacts.

What is ISO 27701?

TL;DR In order to get this certification, you need to first get ISO 27001. It ties into GDPR and CCPA in many ways, which is why companies pursue this compliance.

ISO 27701 is a management standard that was published in 2019 in response to the growing need for a global data privacy framework. ISO (the International Organization for Standardization) and the IEC (the International Electrotechnical Commission) developed ISO 27701 as an addition to the popular ISO 27000 family of information security standards to provide much-needed guidance on how to comply with global privacy standards such as the California Consumer Privacy Act (CCPA), the EU GDPR (General Data Protection Regulation), and the New York SHIELD Act.

The ISO 27701 rules apply to both controllers and processors of PII (Personally Identifiable Information). Many privacy laws and regulations, including the GDPR, use the terms controller and processor. A “controller” is the entity that dictates why PII is gathered and processed in the first place, and a “processor” is a different legal entity (i.e., not an employee) that processes such data on behalf of that controller. By laying out rules for every entity involved in PIMS (Private Information Security Management), ISO 27701 and GDPR tie in together.

In fact, ISO 27001 and GDPR bridge each other in terms of their security of personal data processing. ISO 27701 requires extensive risk assessments to evaluate your organization’s hazards. This is required to determine the appropriate security measures required by GDPR as well. It specifies when and how to use data encryption, as well as how to assure data confidentiality and availability. ISO 27701 also covers the GDPR duty to establish steps on data preservation and availability!

So, this means that if you fulfill and maintain ISO 27001 certification standards, you effectively satisfy and maintain GDPR data processing security requirements. However, note that the GDPR has 99 articles, and only one addresses technological and organizational data security. An ISO 27701 certificate should not be seen as automatic coverage of GDPR compliance, since it addresses only the particular aspect of data security that GDPR also addresses.

Which privacy regulations apply to my business?

Who needs to comply with GDPR

As of May 25, 2018, the GDPR applies to any organization that collects and stores personal data on European Union users on its website, regardless of where it is based.
The questions below may help you decide whether you are subject to the GDPR:

  • Do you have clients or subjects in the European Union?
  • Do you collect or handle personally identifiable information about such users or subjects?
  • Are you targeting EU citizens or are they a segment of your desired market?

If you replied yes to any of these questions, you should comply with the GDPR to the fullest extent possible.

Note that if you handle data that another organization has obtained from its EU consumers, you remain subject to the GDPR’s jurisdiction as well.

Who needs to comply with CCPA

This law only applies to for-profit businesses that gather data from, or conduct business in, California and collect personal information from California individuals.

CCPA may apply to you if your company is based outside of California but engages in financial transactions with California residents.

Any firm that fits one or more of the following criteria is subject to the CCPA:

  • Has a gross revenue of over $25 million every year
  • Purchases, sells, receives, or shares the personal information of 50,000 or more California residents for commercial purposes
  • Derives 50% or more of its annual revenue from personal information sales

The CCPA is likely to apply to you if you collect any information from California residents. The CCPA does not apply to business activity that takes place entirely outside of California. Today, however, it is uncommon for all commercial activity to take place wholly outside of the country’s most populous state.

Who needs ISO 27701

If you already hold an ISO 27001 certificate, then you should probably consider this. ISO 27701 is essentially a framework and management system that lets you fold other management systems or other requirements into it; nevertheless, you are not required to incorporate all of those requirements. So, with GDPR, CCPA, and other regional and world organizations constantly working to improve personal data protection systems, this would be a good place to start.

Or perhaps you are not ready to take on GDPR but still want to demonstrate that your organization takes privacy seriously; in that case, ISO 27701 can be a good fit for you.

What to do for GDPR

In general, you should take the following actions to be better aligned with GDPR:

(Image: GDPR steps)

Steps to achieve CCPA

If you want to do business in California, the home base for Silicon Valley companies such as Apple and Alphabet, you can start with these steps:

(Image: CCPA steps)

ISO 27701: Steps to take

Organizations that have achieved ISO 27001 certification and want to apply ISO 27701 criteria should consider the following steps:

(Image: ISO 27701 steps)

Moving forward

Even though GDPR concerns EU citizens’ personal data, and CCPA is there to protect the rights of Californians to have their personal information safe from abuse, the impact is global. For businesses, deciding to take their chances and ignore these regulations when operating is like crossing a minefield.

One data breach can cost you thousands or even millions of dollars. Either you will lose millions of customers, or you will lose millions of dollars and you get a reputation for letting a data breach occur. Either way, it’s not worth the risk.

Our advice to you is: don’t gamble! Start looking into the matter now. You’ll thank us later for letting you know.

If we are talking about complexity, the most complex of the three is the GDPR. Due to its scope of application, the nature and extent of collection limitations, and rules concerning accountability — it is the top headache for companies. So much so that some companies choose to refuse service to EU residents. The UK’s Information Commissioner’s Office (ICO) has developed self-assessment toolkits to ease the pain. They consist of several tools to help you assess your current status.

When doing business with Californians, the personal data rights of its residents are protected by CCPA — and soon CPRA (The California Privacy Rights and Enforcement Act) as well. CPRA, also known as CCPA 2.0, has been enacted and will go into effect in January 2023. Because the CPRA draws heavily on its predecessor, now is an excellent moment to begin complying with the CCPA if you have not already done so.

The ISO 27701 data privacy extension to ISO 27001 is generating a lot of buzz, particularly among firms considering ISO 27001 certification (or already ISO 27001 certified). If your organization is considering ISO 27001 certification and you recognize the importance of privacy and data security, it may make financial and strategic sense to expand the scope of your original ISO 27001 implementation to include the ISO 27701 controls by getting certified for both standards in a single audit.

How TrustCloud can help

At the end of the day, we’re enabling you to meet the fundamental requirements for GDPR, CCPA, and ISO 27701 simultaneously. Our Trust Assurance Platform makes it effortless for you to build your security and privacy program, manage your risk and track your customer obligations.

Looking to build trust with your customers and fulfill your privacy obligations? Schedule a demo with us.