Preparing Your Business for GDPR and CCPA in 2022

Legislation like Europe’s General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA) is in place to protect personal data collected by businesses. But this also requires businesses to follow guidelines for properly collecting, storing, and moving this data.  

If you interact with customers in either the EU or California, then you need to follow the GDPR and CCPA. Not doing so could result in hefty fines and a catalyst of events. And while these data privacy best practices aren’t required for all customers, it is a good rule of thumb for keeping consumer data safe. 

Here’s what you need to know about GDPR and CCPA to prepare for 2022.

Understanding GDPR and CCPA Regulations

Data privacy is becoming increasingly important. The more that we interact online, the riskier sharing data becomes. 

People share data online for all kinds of things, like connecting to e-newsletters, purchasing items, and registering for accounts. So data privacy laws are in place to protect how that data is collected and handled. 

In Europe, the GDPR was enacted as a way of harmonizing the data privacy laws across the many different countries in the EU. The GDPR was one of the first legislations enacted on a large scale and it was only done in 2018.

The CCPA followed up in 2020 and this legislation protects only consumers from California. For the most part, both pieces of the legislation believe in the consumer’s right to know what information is being collected by businesses, and it requires that businesses follow a set of guidelines when handling this data. 

Both the GDPR and the CCPA aim to protect:

  • Basic identity information such as name, address, and ID numbers
  • Web data such as location, IP address, cookie data, and RFID tags
  • Health and genetic data
  • Biometric data
  • Racial or ethnic data
  • Political opinions
  • Sexual orientation

Here’s a brief overview of each of these legislations:


The CCPA allows consumers:

  • The right to know about the data processing from each company
  • The right to know which information is being collected on them
  • The right to know which service provider(s) have access to their data
  • The right request that the sharing or selling of their personal information be stopped
  • The right to hold a business legally responsible for a violation of their privacy

The CCPA requires businesses to stay open with their data subjects, or consumers and allows consumers to control how much of their data is being shared or sold without their consent. 


The GDPR follows general principles for data privacy, including: 

  • Lawfulness, fairness, and transparency
  • Purpose limitation 
  • Data minimization
  • Accuracy
  • Storage limitation
  • Integrity and confidentiality
  • Accountability

In order to ensure that businesses follow these principles, they require businesses to have someone monitor how data is handled, put data policy in place and require an appropriate level of security, such as two-factor authentication and encryption.

Consent is also extremely important. Consent on which data is being collected must be clearly provided to consumers/website visitors and they must also be informed of changes.

Not following the GDPR can result in large fines and business shutdowns. The fines for violating the GDPR are very high. There are two tiers of penalties, which max out at €20 million or 4% of global revenue (whichever is higher), plus data subjects have the right to seek compensation for damages. 

Eligibility for CCPA and GDPR

Complying with GDPR and CCPA regulations and maintaining consumer privacy should be standard for every company. This is especially the case if you:

  • Monitor your employees
  • Sell anything, like personal data, online
  • Collect any type of customer data through your website (like email addresses)

Here are the official criteria for CCPA compliance:

  • Businesses annual gross revenue exceeds $25 million
  • Businesses collect or obtain personal information of 500,000 or more California residents, households, or devices per year, or
  • 50% or more of annual revenue comes from selling California residents personal information

If a business hits any of these criteria, it could be subjected to fines. CCPA fines for a domestic violation are $2,500 USD. And international violations are up to $7,500 USD. 

There is also a per-incident fine, where you would compensate individuals $100 to $750 depending on the severity of the incident.

Here’s GDPR compliance:

  • If your business processes the sensitive personal information of EU citizens or residents, or you offer goods or services to such people, then the GDPR applies to you. This is the case even if you’re not in the EU

But I Don’t Think the GDPR and CCPA Apply to My Business?

You may think that the GDPR and CCPA don’t affect your company. Perhaps you’ve gone through every sale and you see no consumers from either of those jurisdictions. Or you think that because your business operates in the United States, then you would only need to comply with the CCPA and not EU privacy law.

Unfortunately, this is a bit of a gray area. In fact, unless you can see all of the banking data of every customer, then you could be interacting with customers from each of these jurisdictions and not even know it. The same goes for businesses that only collect safe online data like cookies and emails. You still must abide by proper data collection in this regard, and it can be hard to monitor every email to know where it is originating. And your visitors may be using a VPN so you truly have no way knowing if your visitors are from California or the EU or not. 

The bottom line is that there is a high chance that your business is interacting with people in these markets to some degree. And implementing data privacy best practices that comply with GDPR and CCPA will be better for your business, consumers, and website visitors. 

Preparing for Data Protection in 2022

Data Privacy Should be Designed by Default

The GDPR wants encourages businesses to consider data privacy in the design of their products and operations by default. This means that data privacy isn’t an afterthought, and privacy concerns and best practices should be part of the development early on. In doing this, your team will have a product that is less risky for both the business and the consumers, and it will make for a stronger overall product.

Perhaps you want to collect new data from your customers. If so, ensure the data security is applied to every step of the process: data is collected through encrypted methods (if required), immediately securely stored, and then your data monitoring policy is applied to the data monitoring software watching that data or during the data transfer process.

Create and Regularly Amend a Strong Data Privacy Policy

Data policy is one way to prepare for the GDPR and CCPA in 2022. Data policy will help to guide your C-level executives, managers, and employees so that each level of data involvement will have a clear understanding of what they can and cannot do in accordance with these laws. 

Not only that, but data privacy policy may be a requirement for the GDPR and CCPA. In the chance that your business is audited, they will be looking for data privacy requirements spelled out in the policy and regularly amended as laws change.

Data privacy policy can be written into the data monitoring software so that manager alerts are automated. Set up a trigger when data in a given folder is altered in any way and tag it to data privacy policy triggers.

Regularly Train Employees and Educate Staff on Data Requirements

Your staff is the ones who will be setting up the procedures for data collection, data security, and its uses. Therefore, your staff needs to be trained on how to properly do this. For example, your team will need to inform consumers about how their data is being used and there are certain rules around when employees and consumers can request their data to be deleted. Your employees need to be aware that they can delete their own data, but also be prepared for these requests from consumers.

While much of the policy can be written into your data monitoring software, you still need to educate those involved with the software and the sensitive data on how this process works. If you offload your data collection to service providers, then ensure that you vet their process and staff are prepared to manage this relationship.

Conduct Regular Security Audits

Security audits are useful for ensuring that your business is secure against vulnerability endpoints from both external hackers and insider threats. Security audits show you where the loopholes are at, where new vulnerabilities pop up, and are a great time to check on updated security patches. 

You need to ensure that you are conducting regular security audits because keeping your data secure is not only important to protect against data breaches, but it’s also part and parcel of securing data under CCPA and GDPR. 

Security audits might also inform you that you are holding on to too much data, and this can also be a sore point. Use security audits to save money, cut down on collecting unused data, and delete old data. Security audits can be completed easily completed through data monitoring software for convenience and cohesive data reporting. 

Conduct Data Monitoring

Data monitoring is the only way that businesses can really view their data movement in their company. Data and user monitoring using software are far more powerful than doing so manually, as it enables a set of automation and sophisticated tools.

For data privacy purposes, your data monitoring software can be configured to watch certain data, files, or folders for network activity. If an area of your network is not meant to be accessed, then your data monitoring solution will alert you to this behavior. This software can inform managers (via email or admin console) of unauthorized data movement and other potentially dangerous activities to data security.

Automate Data Policy

While data monitoring is absolutely necessary for complying with GDPR and CCPA, the truth is that your company will have a lot of data, and it will be impossible to stay on top of this data without automation. 

Consider data protection software like SoftActivity to automate some of these alerts, so your management team knows exactly what is going on with your sensitive data at any given time.

Trust Data Monitoring Software for GDPR and CCPA in 2022

Data monitoring for GDPR and CCPA data policy is essential to smooth company operations. If you collect any kind of data on consumers or employees, then you’ll likely need to consider data privacy laws, data monitoring policies, and data monitoring software. 

As mentioned, it can be difficult to perform data security best practices without automation and software. Consider network monitoring with SoftActivity, which comes with features like:

  • Triggers for data movement
  • Alerts for secure network access
  • Communication monitoring
  • Application and website monitoring
  • User behavior analytics
  • And keystroke logging, among others

You just can’t do it on your own. Reach out to SoftActivity today to set up the best defense against data privacy risks in 2022.

By SoftActivity Team.

January 31st, 2022