Details
California and the EU’s frameworks for protecting personal information and assessing related high-risk practices raise compliance complexity for employers. In this episode, Jackson Lewis’ Mary Costigan and Michael Witteler of Pusch Wahlig Workplace Law contrast the definitions and processes in the CCPA’s new risk assessment requirements and the GDPR’s data protection impact assessments.
Transcript
Mary Costigan
Principal, Berkeley Heights
On behalf of the L&E Global Data Protection group, welcome to our podcast. L&E Global is an international alliance of over 30 labor and employment law firms that provide clients with legal advice to achieve their objectives wherever they operate. Within L&E Global, we established a data protection group designed to help our clients navigate the complex global data protection laws that apply to employee data, contractor data, and applicant data.
As part of our efforts to meet client needs, L&E Global frequently produces informational content, including articles, webinars, and podcasts like this one. I'm Mary Costigan, a principal within the U.S. law firm Jackson Lewis and a member of the firm's Privacy, AI, and Cybersecurity Group.
Dr. Michael Witteler
Partner, Pusch Wahlig Workplace Law
Thank you very much for the warm welcome and the invitation to host this podcast together with you today. My name is Michael Witteler, and I'm a partner at Pusch Wahlig Workplace Law in Germany. I work at our Berlin office and specialize in data protection law at the intersection with employment law, which is also very important in Germany, as well as co-determination law. However, data protection law in the E.U. is heavily influenced by E.U. law, so what I'm telling you today applies in all other EU Member States as well, not just in Germany.
Costigan
Thanks, Michael. Before we get started, a quick reminder: this discussion is for informational purposes only and does not constitute legal advice. Also, any opinions we may express are not those of our respective firms.
Our topic today is risk assessments. For those of you familiar with the E.U. General Data Protection Regulation, you know that conducting a data protection impact assessment is an integral part of that framework. Here in the U.S., the long-awaited California Consumer Privacy Act Risk Assessment Regulation was enacted last fall. Michael and I plan to discuss the similarities and the differences between the CCPA risk assessment requirements and the GDPR DPIA.
A quick note before we get further into this: for those of you who aren't that familiar with the California Consumer Privacy Act, the California Consumer Privacy Act, or the CCPA, will apply to any for-profit business, regardless of where they're located, that does business in California, which could include a physical presence or offering goods and services to California residents, that has a global gross annual revenue in the preceding year of over $26 million, and also collects and processes the personal information of California consumers. Unlike most U.S. consumer data protection laws, under the CCPA, a consumer includes not only a consumer in the traditional sense but also California residents who are job applicants, employees, or individuals interacting with a business in a business-to-business context. For the purposes of this discussion on risk assessment, I will only be discussing the assessments with respect to employee and applicant data. Also, one final note on the CCPA: the term "business," which I will use throughout our discussion, is essentially the same as a data controller under the GDPR.
With that, Michael, I'll hand it off to you.
Witteler
Mary, thank you very much. You already told us that the recently enacted CCPA regulations include a data controller obligation to conduct a risk assessment, but when is a risk assessment required under these regulations?
Costigan
For purposes of the CCPA, it applies to any processing activity that presents a significant risk to employee or applicant data. The goal here is to help the business determine when to restrict or prohibit the processing of personal information if the risks to the employee's or applicant's privacy outweigh the benefits to the employee or applicant, or the benefits to the employer or others.
Witteler
Thank you very much. Perhaps I can add the European perspective at this point. I would frame this slightly differently. We would talk about a data protection impact assessment rather than a CCPA risk assessment. What matters here in Europe is first and foremost the risk to the individual, not just the operational or legal risk to the company. The question is not simply whether the business is using a new tool, but whether that tool may significantly affect applicants, employees, or other individuals; it doesn't matter. Our focus here is applicants and employees.
A DPIA must be done before the processing is rolled out. In practice, that means at the design or implementation stage, not after the system is already live. Typical triggers for this are well known: the use of new technologies, systematic monitoring, profiling or scoring, and the processing of sensitive data. If several of those factors come together, the case for a DPIA becomes very strong. This is especially relevant in HR and AI contexts, because these systems often evaluate people, predict behavior, or influence important decisions such as hiring, promotion, or performance management.
Finally, companies should not look only at the text of the GDPR. Supervisory authorities across Europe have published guidance and trigger lists that provide a much clearer sense of the volume at which a DPIA is expected in practice. The text of the GDPR is not that detailed. In Europe, the key question is not whether something is on a list of authorities or wherever, but whether it poses a high risk to individuals.
Mary, what constitutes a significant risk that would trigger the risk assessment obligation in California or in the United States?
Costigan
The recently enacted regulation identifies a set of specific processing activities that present significant risk. In the employment context, these activities include processing sensitive personal information, except when it's being processed for core human resources functions. For example, administering compensation payments or benefits, or providing reasonable accommodations or wage reporting, as required by law.
The first processing activity that would create significant risk is the processing of sensitive personal information. The second would be using an automated decision-making tool that results in a decision affecting employment opportunities or compensation. Also, using an automated decision-making tool or using personal information to train an automated decision-making tool to make a decision concerning employment opportunities or compensation. That's the second and third test or specific processing activity. Quickly, an automated decision-making tool under the CCPA is a technology that processes personal information, uses computation to replace or substantially replace human decision-making, and can include profiling. So, those are the first three.
Another flagged processing activity is using automated processing to infer or extrapolate certain characteristics about an applicant or employee. We're talking about characteristics such as intelligence, aptitude, performance at work, health, maybe mental health, reliability or location. It's inferring or extrapolating these characteristics based on systematic observation of the employee or applicant or their presence in the sensitive location. That's another significant risk activity.
Then, the last one in this context would be processing personal information to train technology for employee or applicant identification, verification, or profiling. Those are pretty much the types of processing activities that would constitute or present significant risk for purposes of conducting a risk assessment.
Witteler
Thank you very much. The European category is slightly different, but we do have clear indicators for a high risk. In European practice, profiling and scoring are among the clearest indicators of high risk because they move beyond simple data processing and begin to shape how a person is assessed, categorized, or treated. Systematic monitoring is another major trigger. Once an employer starts tracking behavior, presence, productivity or communication patterns on an ongoing basis, the privacy risk increases very quickly.
The use of sensitive data further raises the threshold. If health data, biometric data or similarly sensitive categories are involved, the analysis becomes much stricter from the outset. In employment situations, this matters even more because employees are not seen as entirely free actors. There is a structural imbalance so that law takes a more protective view of what counts as risky.
In reality, high-risk cases usually do not involve just one indicator. They involve several at once, for example, monitoring plus scoring plus a meaningful impact on someone's job prospects, which is exactly why a DPIA is so often required in an HR context. In Europe, high risk typically arises where monitoring, evaluation and power imbalances converge.
Mary, now we have learned when a risk assessment has to be done, what should the risk assessment include?
Costigan
The contents of a risk assessment are going to be very similar to a DPIA, but essentially based on the regulations, it should include the categories of personal information processed, the sources, the purpose for processing, how long each category of personal information will be retained, and the manner in which the business interacts with the employees or applicants. Are they collecting this information through technology or in person? What types of notice are given to the employees and applicants, and how is that notice provided? Who are the categories of third parties to whom the employer discloses or makes available employee or applicant personal information for the processing? Whether it includes automated decision-making tools, and, if so, the logic, the output, and how the business will use the output to make a significant decision for purposes of this risk assessment. It identifies the people who reviewed and approved the risk assessment, of course, excluding any legal counsel or advice.
Those are the key items that go into the risk assessment.
Witteler
In Europe, this is also less about completing a template and more about conducting a meaningful upfront assessment. A proper DPIA starts with a clear description of the process, what data is being used, for what purpose, in which systems, who receives or has access to the data, and how long it is kept. Without that basic map, the rest of the assessment is not really possible.
The exercise cannot stop at description. The central question is whether the processing is actually necessary and proportionate. In other words, do we really need this tool in this form? And are we using more data than is justified? The DPIA should also test the processing against the core GDPR principles, especially transparency, purpose limitation, and data minimization. This is where many businesses' projects become much more difficult than they first appear.
Then comes the risk analysis itself, and that must be done from the perspective of the individuals affected. The issue is not only whether the company is comfortable with the tool, but whether the individual may suffer unfair treatment, exclusion, or loss of control. A good DPIA also sets out concrete safeguards. For example, human oversight, access controls, bias mitigation, escalation processes, or restrictions on how outputs may be used.
Finally, the data protection officer should be involved where required. That is not just a formality. It helps show that the assessment was done seriously and with the right level of internal scrutiny. A DPIA is not just documentation. It is proof that the processing is justified and controlled.
Mary, are there any specific publication or record-keeping obligations that apply to the completed risk assessment?
Costigan
The risk assessment should be retained for as long as the processing activity continues, or for five years after the later of the following: the risk assessment is completed, or the processing activity continues. The business is not required to submit the risk assessment to the regulator. However, they must submit an attestation that the risk assessment has been completed. That attestation will go through the regulator's portal. It will include the business's name, point of contact, contact information, the period covered by the assessment, the number of assessments conducted during that period, whether the assessment addresses processing involving sensitive personal information, and the types or categories of personal information.
Perhaps most scary for businesses at this point is that it requires an attestation. A person must attest that the business conducted the risk assessment during the period of time covered by the submission. The certifying party must be a member of executive management with direct responsibility for the assessment and knowledge of the assessment. They must declare that the risk assessment information that they're submitting through the portal is true and accurate.
Those are the key requirements with respect to the assessments.
Witteler
This is a point where the difference from the U.S. approach becomes very visible. Under the GDPR, the DPIA has to be documented properly, because accountability is a core principle of the GDPR. The company and the controller must be able to show, if challenged, that it identified the risks and thought through the safeguards in a structured way.
What the GDPR does not require, however, is a general obligation to publish the DPIA or routinely file it with the authority. That is an important difference from systems that rely more heavily on external reporting. The supervisory authority only comes into the picture if, after all safeguards, a high residual risk still remains. In that situation, prior consultation might be necessary before the project goes ahead.
It is also not a one-time paper exercise. If the processing changes in a meaningful way because the system evolves, more data are added, or the purpose expands, the DPIA should be revisited and updated. While the GDPR does not prescribe a fixed retention period for DPIAs as such, they should be kept in a way that supports governance, internal review and possible regulatory control. In Europe, it's about documentation and governance, but not about public filing.
Mary, can the business use a risk assessment drafted for other purposes?
Costigan
Yes, as long as that risk assessment covers all the mandated requirements or content requirements of the CCPA risk assessment. Yes, it is possible to do so.
Witteler
It's the same in Europe. The short answer is yes. An existing assessment can absolutely be reused if the processing is sufficiently similar. Companies do not have to reinvent the wheel every time they deploy the same or a comparable tool in another part of the organization. The crucial point is that the reused document must still contain the elements that the GDPR expects, especially around necessity, proportionality, risks to individuals and safeguards.
That is why assessments developed outside Europe, especially US-style risk assessments, often need further work before they are suitable for the GDPR purposes. They may be a good starting point, but not the finished product.
This is particularly true in HR scenarios because the employment context raises specific concerns around power imbalance, transparency, and proportionality that are not always fully reflected in global templates. In practice, many multinational companies work with modular or global DPIA frameworks. It can be very efficient as long as local adaptation is built in rather than treated as an afterthought. You can reuse, but you must adapt it to the GDPR’s logic.
Costigan
One thing to add there, too, is that the two laws define personal information differently. That could potentially have an impact on the risk assessment, as could the types of mitigation steps. Again, two things to keep in mind if the client is intending to use or reuse a risk assessment.
Witteler
What do you see as the key differences between a GDPR DPIA and a CCPA risk assessment?
Costigan
I jumped the gun there and gave two of those as potential key differences. One is the definition of personal information, as well as mitigation steps. Also, with respect to the CCPA, the risk is that it doesn't apply unless a company or business meets the jurisdictional threshold, which differs from the GDPR. Not every company doing business in California is going to be doing a risk assessment. Again, the risk assessment is only going to apply to California residents.
Another interesting difference is that the potential fines relating to risk assessments under the CCPA will be significantly lower. They're going to range from about $2,600 to $7,900 per incident. A very different type of penalty structure than the GDPR.
Witteler
Yes, that's true. If I had to summarize it in one sentence, Europe focuses more on impact on individuals. As you already mentioned, one major difference is the scope. GDPR applies very broadly and is not limited in the same way to certain types of businesses or thresholds. The DPIA question can arise across a much wider range of organizations.
The second difference is that a DPIA is directly tied to the core GDPR principles, especially lawfulness, fairness, transparency, purpose limitation and data minimization. It is inside a broader rights-based framework. The context also matters much more explicitly in Europe. In employment settings in particular, the same technology may be viewed as far riskier because of the dependency relationship between employer and employee.
There's also a very real enforcement angle under the GDPR. Depending on the type of infringement, administrative fines can reach up to 20 million euros or 4% of worldwide annual turnover, whichever is higher. The GDPR is about fundamental rights and real-world impact, not just predefining processing categories.
Costigan
Michael, thank you. It's always a pleasure and very informative to speak with you. We are in the early days of the CCPA risk assessment, so I'm sure we will see enforcement activity and further guidance to help us decide how to implement this, and perhaps more comparisons between the DPIA and the risk assessments.
Thank you for joining me. We invite you to check out the L&E Global website for more information, and watch this space for future podcasts from the L&E Global Data Protection Group. Thanks for joining us.
© Jackson Lewis P.C. This material is provided for informational purposes only. It is not intended to constitute legal advice nor does it create a client-lawyer relationship between Jackson Lewis and any recipient. Recipients should consult with counsel before taking any actions based on the information contained within this material. This material may be considered attorney advertising in some jurisdictions. Prior results do not guarantee a similar outcome.
Focused on employment and labor law since 1958, Jackson Lewis P.C.’s 1,100+ attorneys located in major cities nationwide consistently identify and respond to new ways workplace law intersects business. We help employers develop proactive strategies, strong policies and business-oriented solutions to cultivate high-functioning workforces that are engaged and stable, and share our clients’ goals to emphasize belonging and respect for the contributions of every employee. For more information, visit https://www.jacksonlewis.com.