GDPR gets all the press. But if your organization operates globally, or plans to, you're facing a patchwork of privacy regulations that each require attention and, critically, a compliance architecture that can serve them all without rebuilding from scratch for each one.
CCPA / CPRA (California, USA)
The California Consumer Privacy Act (CCPA), enhanced by the California Privacy Rights Act (CPRA), gives California consumers rights similar to GDPR: right to know, right to delete, right to opt-out of sale. Key differences from GDPR:
Organizations that built GDPR compliance first have a significant head start on CCPA/CPRA, many of the same mechanisms apply, with adjustments.
LGPD (Brazil)
Lei Geral de Proteção de Dados (2020) is Brazil's GDPR equivalent. Nearly identical structure: six lawful bases, data subject rights, mandatory DPO for some organizations, breach notification within 72 hours. Key difference: enforcement is still maturing, the Brazilian National Data Protection Authority (ANPD) has been ramping up gradually.
India's Digital Personal Data Protection Act came into force in 2023 and represents one of the largest jurisdictions outside the EU to implement GDPR-like protections. Applies to any organization processing digital personal data of Indian residents. Significant Data Fiduciary obligations, similar to data controller under GDPR.
The EU AI Act (2024)
The EU AI Act is the world's first comprehensive AI regulation. It takes a risk-tiered approach:
Most enterprise AI falls in the "high-risk" or "limited risk" categories. Every CDO operating in the EU needs an AI Act compliance audit of their AI portfolio.
Vérification des acquis
1. Which of the following is a key difference between CCPA/CPRA and GDPR?
2. Under the EU AI Act, which category includes AI systems used in employment, education, and critical infrastructure?
3. Under Brazil's LGPD, what is the equivalent role to GDPR's 'data controller' concept that organizations must understand for compliance?
4. Select ALL AI practices that are PROHIBITED outright under the EU AI Act.
Sélectionnez toutes les réponses correctes.
5. Select ALL correct statements about the global privacy regulatory landscape described in the lesson.
Sélectionnez toutes les réponses correctes.
The mistake: building separate compliance programs for each regulation. Separate GDPR team, separate CCPA team, separate AI Act team. This is expensive, creates inconsistencies, and doesn't scale as new regulations emerge.
The solution: a privacy compliance platform approach.
Core capabilities needed:
1. Data inventory and ROPA: Centralized record of all processing activities, applicable regulations, lawful bases, and retention periods. One record, multiple regulatory lenses.
2. Consent and preference management: A system of record for individual consent and preferences, queryable by regulation. Customer says "opt out" → this flows to CCPA compliance and GDPR processing simultaneously.
3. Data subject rights workflow: Automated intake, routing, and fulfillment of DSARs across all systems. Must handle access, erasure, portability. Must meet deadlines (30 days for GDPR, 45 for CCPA).
4. Vendor and DPA management: Track all data processors, DPA status, transfer mechanisms. Updated when vendors change.
5. Privacy impact assessment (DPIA/PIA): Integrated workflow that triggers when new projects or systems are proposed, routes to DPO review, documents decisions.
Tools in this space: OneTrust, TrustArc, Osano, DataGrail. These are not cheap, but the alternative (manual compliance management across multiple regulations) is more expensive and more risky.
The AI Act creates a new responsibility for CDOs: AI system inventory and risk classification. You need to know:
This doesn't exist in most organizations today. Building the AI inventory is a foundational CDO task that must happen before June 2026, when most AI Act obligations come into force.