From redefining personal data to legislating responsibility for it, recent data protection regulations have transformed the way multinational companies manage and process data. GDPR may have been the first sweeping regulation, but it is certainly not the final word, as additional countries and jurisdictions continue to introduce new laws to protect their citizens' personal data.
The progressing rollout of similar-but-different regulations presents a challenge — and opportunity — to businesses of all sizes, particularly those operating across international borders. Business functions that regularly process personal data, such as global payroll and human resources, must adapt procedures and, indeed, their whole approach to compliance in order to stay on top of requirements.
Here, we’ll review two key regulations coming into effect in 2020, California’s CCPA and Brazil’s LGPD, to see what global payroll and HR professionals need to know to maintain statutory compliance in the new decade.
In effect from January 1, the California Consumer Privacy Act (CCPA) is widely expected to set a new standard for data protection in the United States, much like how GDPR effectively defined data security across Europe. In some respects, CCPA is more relaxed than GDPR, such as with the window for reporting breaches. However, other aspects of CCPA go further than the EU law, which has many companies on edge about compliance.
All qualifying companies that do business with California residents are subject to CCPA, regardless of where in the world they are located. The regulation applies to companies that earn a gross revenue greater than $25 million; process personal data of at least 50,000 consumers, households, or devices (which do not all have to be from California); or derive 50% of annual revenue from selling personal information.
CCPA expands the rights of citizens to be informed of data collection and processing, notably giving California residents the right to know precisely what information is being collected about them by companies — including those based outside of California, or even outside of the US. Another distinction from GDPR is that CCPA expressly enables Californians whose data has been breached to sue organizations if they cannot show that “reasonable” security measures were implemented.
After years of debate, the Brazilian president sanctioned the Brazilian General Data Protection Law in 2018. Known as LGPD, short for Lei Geral de Proteção de Dados, the law comes into effect in August 2020, extended from the original implementation deadline of February. While LGPD overlaps much of the protections of both GDPR and CCPA, there are important distinctions that set the regulation apart.
One key difference is that while GDPR outlines six legal bases for processing a data subject’s information, LGPD allows for ten, including data processing for the purpose of protection of credit and for the protection of health.
In the case of information requests, data controllers must comply within 15 days, as opposed to 30 under GDPR. And while the potential fines under LGPD are substantial — either 2% of gross sales or a maximum of R$50 million per infringement (approximately US$12.9 million) — they are well below the penalties of GDPR.
LGPD unifies more than 40 different statutes that previously regulated personal data in Brazil, whether online or off. And like both GDPR and CCPA, it applies to any organization that processes the personal information of Brazil’s residents, regardless of where the company is located.
The Impact on Payroll
For payroll and HR organizations that have taken steps to comply with GDPR, not much needs to change to comply with either CCPA or LGPD. And that’s the good news as countries continue to debate, draft, and implement their own data protection regulations: it’s highly likely that definitions, use cases, requirements, and even penalties will increasingly coincide across jurisdictions.
However, once CCPA and LGPD take effect, approximately 250 million more individuals will have express protection of their data, including the right to information, the right to withdraw consent, and the right to erasure. As protections expand, it follows that instances of breach, penalty, and now litigation will increase as well. All of which means that companies around the world will need to be increasingly diligent.
Because payroll teams regularly process sensitive personal details, steps to properly manage that data will guide future process improvements or system changes — putting payroll operations on the front lines of compliance activity. Given the pressure and challenges involved in the battle for data security, it’s important for payroll leaders to remember that in this fight, everyone wins.