Digital Transformation was one of the media’s favorite topics in the 2010 decade. Right at that time, with the massive increase in cross-border online data transfer, many countries around the globe started focusing on protecting the personal data of their citizens.
Organizations and countries have stepped up and formulated various data protection regulations and acts that serve to protect firms and individuals’ rights. The past decade has seen a rise in the number of regulations, such as the European Unions’ General Data Protection Regulation (GDPR), Singapore’s own Private Data Protection Act (PDPA), and the most recent California Consumer Privacy Act (CCPA).
Although all regulations have the mutual goal to protect personal data, you will notice by reading this post that GDPR is human rights-centric, whereas CCPA and PDPA are very commercial.
GDPR vs PDPA vs CCPA
In this blog, we will present a comparative analysis of these 3 data protection regulations to highlight their differences and similarities.
| GDPR | PDPA | CCPA | |
|---|---|---|---|
| Formulated by | European Union | Singapore | California |
| Date of enforcement | 25th May, 2018 | 2nd July, 2014 | 1st Jan, 2020 |
| Who is protected? | Applies to any person, regardless of their nationality and place of residence, whose data is processed by an EU organisation. | Extends protection to all parties, including consumers, employees and company directors in Singapore. | CCPA has a very commercial nature and it protects consumers, employees and B2B transactions. |
| Who is regulated? | Applies to any organisation operating within the EU, as well as any organisations outside of the EU which offer goods or services to customers or businesses in the EU. Extends to non-profit organisations. | Applies to any and all Private organisations that handles private/personal data. Also extends to non-profit organisations. | Applies to for-profit businesses that do business in California and meet any of the following: Have a gross annual revenue of over $25 million; Buy, receive, or sell the personal information of 50,000 or more California residents, households, or devices; or Derive 50% or more of their annual revenue from selling California residents’ personal information. |
| Applicability | GDPR follows a principle of accountability, meaning it states that the controller shall be responsible for and be able to demonstrate compliance with GDPR principles. | PDPA follows the principle of reasonableness by mandating an organization to consider what a reasonable person would consider appropriate in the circumstances. | CCPA is applicable to businesses or for-profit entities in California that process personal data excluding public agencies, NGOs, and companies governed by other laws. |
| Data Protection Rules | GDPR states that data controllers while processing data, must follow fair and lawful processing, purpose limitation, proportionality, accuracy, storage limitation, integrity and confidentiality, and accountability of their business data. | PDPA provides nine obligations on data protection: consent, purpose limitation, notification, access and correction, accuracy, protection, retention limitation, transfer limitation and openness. | CCPA has a principle-based approach wherein it creates an obligation of fairness and accountability, transparency, purpose specification, and data minimization. |
| Accountability | GDPR follows a principle of accountability, meaning it states that the controller shall be responsible for and be able to demonstrate compliance with GDPR principles. | PDPA follows the principle of reasonableness by mandating an organization to consider what a reasonable person would consider appropriate in the circumstances. | CCPA follows the principle of non-discrimination i.e. Prohibition for a business from discriminating against a consumer because the consumer exercised any of the consumer’s rights under CCPA. |
| Consent | GDPR says that consent must be freely given and it must be specific. It must not be a pre-condition for the provision of service. | PDPA provides for expressed or deemed consent and the notification for the purpose must be provided. | CCPA says that businesses are allowed to process and sell the personal information of all consumers who make an online purchase or sign up. |
| Purpose | GDPR says that the data must be collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes. | PDPA states that an organization may collect, use or disclose personal data about an individual only for purposes that a reasonable person would consider appropriate in the circumstances; and that the individual has been informed of. | CCPA states that businesses can collect personal information for one specific purpose, except if prior notice is given to the consumer. Under CCPA, businesses are prohibited from retaining, using, or disclosing personal information for any purpose other than for the specific purpose of performing the services specified in the contract, including for a commercial purpose. |
| Privacy Policy | Under the GDPR, organizations must provide extensive information about the processing of personal data and the individuals’ rights; recipients of the personal data; identity and contact details of the controller and the data protection officer; right to lodge a complaint with a DPA; retention period for the data; information regarding the source of the data; the existence of automated decision-making. | Under PDPA, an organization must formulate and implement policies and practices that are necessary for the organization to meet the obligations of the organization under this Act (including training); provide on request about the above policies and practices; develop a process to receive and respond to complaints that may arise with respect to the application of this Act. | Under CCPA, The Privacy Notice must include: a description of the rights (opt-out, disclosure, deletion) and how to exercise these rights; a list of the categories of personal information that the business collects, sells, and discloses, and to update this list every 12 months; and a toll-free phone number or, if a business operates solely online, a link on the website through which the consumer can exercise their rights. |
| Data Protection Officer | Mandatory to appoint an officer. | Mandatory to appoint an officer. | Not mandatory to appoint an officer. |
| Transfer | Mandatory to obtain consent (of data owner) before engaging in data transfer. | Mandatory to obtain consent (of data owner) before engaging in data transfer. | Mandatory to obtain consent (of data owner) before engaging in data transfer. |
| Data Breach Notification | Mandatory to provide data breach notification. | The actions to be taken by organisations is still under review. | Mandatory to provide data breach notification. |
Please note that this comparison doesn’t contain every single aspect mentioned in the regulations. This blog post aims to highlight some of the key elements from the different regulations and serve as a quick reference. We recommend that you access and reach each regulation document for more detailed information: GDPR, PDPA, and CCPA.
Right-Hand’s Compliance Readiness solution relies on a Machine Learning engine that automates and customizes the ability of your security information management team to develop, store, disseminate, increase awareness, and drive behavior change for corporate policies. Combined with Training Readiness‘s customized bite-sized learning approach, you will have everything you need when dealing with the different regulations’ requirements.
