Understanding Data Privacy and Protection Compliance

In our rapidly changing and interconnected world, everyone can know everything about what you are doing and how you are acting—in an instant.


As news of cyberattacks and data breaches has made frequent appearances in our newsfeeds, the public demand for increased data privacy and protection has reached an all-time high. According to a survey published by Pew Research Center’s American Trends Panel, about eight-in-ten or more U.S. adults say they have very little or no control over the data that government (84%) or companies (81%) collect about them, while 79% say they are not too or not at all confident that companies will admit mistakes and take responsibility when they misuse or compromise data.


Although the right to privacy is cited as a fundamental human right in the UN Declaration of Human Rights, privacy has not always been a legally protected right. Governments around the world are now responding to the public's growing demand for more protections, and new legislation is just beginning to hold businesses accountable for their data privacy practices.

To better understand the current environment around data privacy, it’s important to understand GDPR, CCPA and the impact that data privacy has on your business.

Take our Data Compliance Guide With You

Download Now

The EU General Data Protection Regulation (GDPR)


The EU General Data Protection Regulation (GDPR), which took effect on May 25, 2018, is the most important change in data privacy regulation in 20 years. This groundbreaking legislation harmonizes data privacy laws across Europe, protecting and empowering European Union citizens when it comes to their data privacy. The implications of GDPR reach well beyond the EU, as companies around the globe—those offering goods or services to EU residents—must comply, regardless of their location.

Why the GDPR is Important

With so many businesses and services operating across borders, international consistency around data protection laws and rights is crucial to businesses and organizations—and to individuals. Having clear laws with safeguards in place is more important than ever given in today's digital economy.


Companies operating in Europe must comply with the GDPR, regardless of where the personal data processing takes place. Companies based outside Europe that target goods or services at people based in Europe (or that monitor their behavior) must comply with the GDPR.


In addition, the GDPR introduced new statutory obligations on companies that are simply processing data on behalf of another company. Previously, processors only needed to comply with the contractual obligations placed on them by controllers (that is, companies determining the purposes and the means of processing).


Under the GDPR, people must have a clear understanding of how their information is being used and an individual's actions must be sufficiently indicative of his or her agreement to the relevant processing. Processing of nonsensitive personal data is justified if the individual has freely given his or her unambiguous consent to the processing. To the extent that companies rely on consent to process personal data, they must be able to demonstrate consent.


Companies have to be able to demonstrate that policies and procedures are in place to ensure compliance with the GDPR. This may involve the appointing of a Data Protection Officer—a specialist person who advises us about our data protection compliance. 


Special category data—often referred to as sensitive personal data—is a subset of personal data that attracts even stricter protection. It reveals information about a person's racial or ethnic origins, political opinions, religious or philosophical beliefs, trade union memberships, sex life, or health. Under the GDPR, data related to sexual orientation, biometric data (if it uniquely identifies a person), and genetic data are included on this list. Also, criminal convictions and offenses data is treated as a completely different category of data and is afforded greater protection than personal data.

The Challenges of Compliance


If your organization is struggling to keep up with GDPR requirements and compliance, you're not alone. More than 80% of respondents in Bloomberg Law's 2019 GDPR Readiness Survey agreed that "integration of GDPR compliance processes across multiple systems and the complexity of the regulation and implementation laws are challenging." What are the biggest  challenges? Survey respondents cited two main issues—budgets and resources (75%) and time constraints (70%).


The lack of a dedicated budget, resources, and training can have a major impact on whether an organization can successfully reach full compliance. While many companies are determining the best approach, serious GDPR enforcement efforts have begun to take hold, which means breach notifications and GDPR fines are on the rise.


The penalties for noncompliance are steep. You may have seen some of the GDPR-related "mega fines" in the headlines, including Google's 50 million euro fine in France for failing to adequately disclose data collection terms to users. You can follow the fines and penalties imposed under the GDPR by using the GDPR Enforcement Tracker. It even includes not-yet-finalized fines, like British Airways' and Marriott's multi-million euro fines in the United Kingdom for data breaches.


Brazil's General Data Protection Law (Lei Geral de Proteção de Dados Pessoais)—inspired by the GDPR—will regulate the processing of personal data in Brazil when it takes effect in August 2020. And in Asia, Hong Kong has proposed major reforms under the Personal Data (Privacy) Ordinance (Cap 486) ("PDPO").

Is your E&C team prepared to train on CCPA?

Download our Guide

California Consumer Privacy Act (CCPA)


The California Consumer Privacy Act (CCPA)—a data privacy law that imposes new obligations and regulations on businesses with consumer customers located in California, regardless of where the company’s headquarters is—took effect January 1, 2020. The state plans to begin enforcing the law, known as AB 375, on July 1, 2020, giving California residents unprecedented access to, and knowledge of, the personal information that data businesses collect about them.



 Consumers can now control their personal information in powerful ways that weren't around before the CCPA. These new, expanded consumer rights means organizations now have to follow three general areas of regulation:

  • Notice provisions, including the Right to Know;
  • Individual Rights of Control, including the right to delete, right to a copy/access, and right to opt out; and
  • Administrative provisions, how to implement the processes that give individuals ways to exercise their rights.


What businesses are impacted? The law applies to for-profit companies that conduct business in California and meet at least one of the following criteria:

  • annual gross revenue exceeding $25 million;
  • gather or disclose annually the personal information of 50,000 or more consumers, households, or devices; and
  • derive 50% or more of annual revenue from selling California residents’ personal information.

Consumers in California have a right to know what personal information companies collect about them, their children and their devices; and to whom these companies are selling that data. They have the right to access their own personal information, and the right to request the company delete the data. They can also tell companies not to sell their personal information to third parties without the fear of the company retaliating. In addition, they can sue companies if the privacy guidelines are violated, even if there is no breach; plus, class action lawsuits for damages are allowed.



The CCPA takes a broader approach than the GDPR when it comes to defining sensitive data. It defines personal data as anything that “is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” This includes:

  • name;
  • postal address;
  • IP address;
  • email address;
  • social security number;
  • driver’s license number;
  • browsing history;
  • search history; and
  • geolocation data.


Beyond the data listed above, the CCPA also addresses emerging technology, including biometric data, such as DNA or images of the eyes, fingerprints, hand, and face.


Note that “publicly available” information collected and published by federal and state governments is not protected. This includes property records, court filings, voter registrations, and birth, marriage, and death records, commonly sold by data brokers. Also not included in personal information is anonymized user information that can be used for AI models.

Get our full guide to data privacy and protection compliance training


The Impact on Your Business


Just imagine the impact a data breach could have on your company. The reputational damage alone would be devastating—not to mention the costs associated with fines, litigation, and lost productivity. It's no wonder that workplace education on data privacy is now a priority for business leaders.


Simply providing a few courses on data protection and privacy isn’t enough. Companies need to hammer home both the organizations’ and employees’ obligations to safeguard the data of clients and customers, educate employees on the permanence of their digital correspondences, and use interactive learning to affirm ethical and effective behaviors. The bottom line is—everyone in your organization needs to learn to treat others’ data as they wish their own to be treated.


Here are two guidelines to keep in mind as you consider the best ways to ensure your people are fully prepared:

Safeguard the information employees are trusted with and teach them about how lasting and potentially damaging digital communications are.

Workplace education on data privacy needs to be crystal-clear about the types of information that are acceptable to share via email, over social media, via marketing materials, and through HR, and which types of information would be potentially damaging to the company. Equally important, personal information about customers, employees, and trading partners must be kept secure. 

Use interactive digital learning to help increase the retention of data privacy knowledge and make complex material more accessible.

The data protection and privacy subject is rife with nuance and technical complexity, which can be overwhelming and makes retention difficult. In addition, regulations are passing with greater frequency, so training employees regularly keep up with legislation is critical. By creating and updating interactive content, education programs can help employees engage with the subject matter more directly and authentically, and absorb the ideas more readily.

The LRN Approach

At LRN, we believe it's important for workplace education about data privacy to not only reinforce the legal requirements companies and employees need to meet, but also the moral ones, and to communicate them in an effective way. Businesses hold a lot of power through their access to clients’ and customers’ personal data, and it’s increasingly important that they navigate this power responsibly.


Providing effective training for your people helps you meet compliance requirements, prevent breaches, protect your brand, strengthen your business, support ethical behavior, and build consumer trust and loyalty.


From foundational courses on the fundamentals of data protection and privacy to microlearning mini-courses, we offer several ways to customize our courses to suit your needs. Our learning platform includes a broad range of curricula, including online courses on data protection and privacy, and cybersecurity that feature video vignettes, live workshops, and blended learning. LRN courses frequently employ guided questioning, drag and drop activities, infographics, and short quizzes to ensure that employees are internalizing the content presented. By creating an environment where the learner must do something with the information—assess, evaluate, and apply knowledge—the courses reinforce the material so it may be recalled in real-world situations.

Upon completion of an LRN course on data privacy, learners are able to:

  • Describe different risks to company data and other secure information
  • Describe the essential goals of privacy and protection policies
  • Recognize the primary types of information that must be protected and why that protection is critical
  • Describe how to take personal responsibility for safeguarding sensitive information
  • Address common hazards and activities
  • Explain the potential impact when protected, private, or secure assets are at risk
  • Learn to safeguard against and respond to data breaches, stolen data, and compromised security and computer systems
  • Learn to safeguard against and respond to data breaches, stolen data, and compromised security and computer systems
Know what to do if they see or are involved in an incident and how to report it

LRN Data Protection and Privacy Courses



Essential for those who process data, this foundational course is essential to ensure they know the risks associated with data processing and how to protect it. Employees need to be aware of the steps the company takes to keep information safe, the code of conduct and IT protocols are both good places to start.



The EU's General Data Protection Regulation (GDPR)—in effect since May 2018—is the most significant data protection reform in Europe for 20 years. It includes increased compliance obligations requiring companies to be more accountable, more in control of their data handling practices, and more transparent with individuals. It also includes heavy financial penalties if companies fail to comply with their obligations.

This module provides an overview of some of the key requirements of the GDPR, and then provides significant examples of how company employees must handle personal data and interact with the individuals whose data they hold. The examples may be organized by job area/function (for example, IT, customer service, sales, marketing, HR) and can eventually be developed into standalone modules for most common business verticals.

Offering a fresh take on best practices in data protection and privacy, this module emphasizes the tenets of the new European legislation for global companies. The goal is to provide an overview of some of the key changes under the GDPR as well as a deeper understanding of the core data protection principles and concepts on which the GDPR is based and how companies must comply with these principles to conduct themselves ethically on a global level.



The California Consumer Privacy Act (CCPA) imposes new obligations on companies with consumers located in California. This course explains how the CCPA has advanced state law out of mere security of information to the point where consumers actually have more control about how their data is used.

Wherever your company is on its data privacy and protection journey, remember these simple rules:

  • Always consider the purpose for a particular data use, and make sure the individual knows what that purpose is.
  • Only use personal data in a way that benefits the individual (or at least creates no adverse effect on the individual).
  • Personal data is an important corporate asset. Understanding what your company has, how it's used, and who has access to it is just as important with data as it is with cash.
  • Respect the wishes of the individual.
  • Privacy and information security are as much business issues as technology issues.

Take your E&C program to the next level

Book a Demo