Security Measures
The clauses in both laws concerning businesses' data encryption obligations constitute a rather grey area. GDPR calls for the use of data encryption, making it an essential part of the privacy protection component for businesses. The main reason for this is to add an extra layer of protection for consumers' data. CCPA, however, does not explicitly impose any duty on businesses to encrypt.
While encryption is one measure for securing data and preventing its misuse, GDPR requires controllers and processors, under Article 32, to take a list of factors into consideration when choosing any appropriate technical or organizational measure for the purposes of data security. These factors include the state of the art, the costs of implementation, the nature, scope, context and purposes of processing, and the risks of varying likelihood and severity for the rights and freedoms of natural persons.
Encryption reduces a company's liability arising out of a data breach. Under both CCPA and GDPR, if a company suffers a breach but its data has been encrypted, some or all of the company's obligations can be reduced. This is because, if the breached data was encrypted, the company has another layer of protection against unauthorized access and therefore benefits from some reduction in liability by default. Under both GDPR and CCPA, businesses are not required to notify a data breach if they have implemented protection measures such as encryption. Encryption is considered a strong data protection measure that also gives controllers and processors considerable flexibility in meeting data security needs. "Encryption provides the best defense against any fines that might be levied for violations or data breaches under CCPA", according to ESG and Fortanix.
Conclusion
With regulations such as the CCPA and GDPR affecting companies worldwide, organizations need to start looking towards solutions that can easily keep track of all the requirements under each law, identify which of them apply to the organization, and provide a swift compliance framework that the organization can follow.