What is data compliance?
What are the data compliance regulations and standards to respect?
How do you comply?
In this article, we will break down the concept of data compliance so you know all there is to know about it.
Are you ready?
Let’s get started!
What is data compliance?
Data compliance is the process of ensuring that sensitive data handled by organizations are managed with minimal risk of loss, theft or misuse in order to achieve compliance with applicable laws, regulations and standards.
Compliance may be required in a variety of ways, such as:
- Compliance with industry standards
- Compliance with state or provincial laws
- Compliance with federal or national
- Compliance with supra-national laws
- Compliance with regulations
- Compliance with policies and procedures
The laws, regulations or standards dictate what type of data must be protected and the acceptable measures to achieve that goal.
Organizations will need to assess their compliance requirements, their exposure and risk tolerance to determine how to achieve compliance.
Generally, businesses can be exposed to hefty fines should they fail to respect the applicable laws or regulations.
For example, under GDPR, fines can go up to the greater of €20,000,000 or 4% of a company’s annual global turnover.
As the saying goes: an ounce of prevention is worth more than a pound of medicine.
Why is data compliance so important?
Data compliance is important
Thre is a never-ending list of laws and regulations companies need to abide by such GDPR, CCPA, PIPEDA, POPI, LGPD, HIPPA, FISMA and what have you.
Japan, Australia, South Africa, Europe, California, Canada, Brazil, South Korea are all into the data protection and privacy arena.
More laws and regulations are coming.
Based on the current data breach track-record, we have seen high profile cases like Amazon, Facebook, Marriott Hotels and Google+ getting a taste of what it means to fail in data compliance.
However, these companies are not necessarily bad actors.
They are innovative companies that we have learned to love and trust over the years.
I’m not saying they are angels, but their primary objective is to innovate and not cause harm to people.
They breached data protection laws not because they were malicious but because they are behemoths unable to implement policies quickly enough to meet the legal and regulatory requirements or just feel that paying the penalty is cheaper than implementing something sustainable.
What about those individuals and companies with malicious intent.
What about those who are looking to misuse personal data or steal your information?
That’s when data compliance must work hand-in-hand with data security.
To achieve data compliance, companies should take the opportunity to review their processes, technologies and systems to ensure they implement proper security measures.
It’s one thing to achieve a minimum level of compliance but it’s another thing to truly safeguard and protect data.
Data compliance is important as it forces companies to change, evolve and adapt.
Data compliance vs data security?
What is the difference between data compliance and data security?
Data compliance and data security are often confused and the terms are even used interchangeably.
To achieve data compliance, you need to achieve the minimum standards and the requirements outlined in the data protection laws.
To achieve data security, you will need to look at all your internal processes, procedures, technologies, systems and operations to see how data is handled, used and manipulated so you can protect it against possible risks.
Data security is the manner an organization handles and secures sensitive data in its possession.
A company deals with many individuals on a daily basis such as employees, customers, clients, partners, shareholders, managers and so on.
In that process, individuals may share personally identifiable information (PII) with the company.
When a company acquires personally identifiable information, it will have the duty to ensure it protects and safeguards sensitive data in its possession to comply with any applicable regulation.
Data security means that depending on the nature of the personal information you acquire, you will have a varying level of obligation to protect and safeguard the data.
The data security measures are to protect personal information against data breach as per applicable data privacy laws.
Data compliance is the process of achieving the required data protection result required by the law.
To be compliant, it means that a company must implement measures, policies, procedures, workflows and operations designed to ensure its legal obligation is met.
Adopting the minimum safeguards required by law does not necessarily mean that your data is properly secured.
Achieving data compliance with data security
Every organization must consider the nature, type and sensitivity of the personal data they acquire on a person to implement the right security measures.
For example, a company collecting credit card information or national identification numbers will not have the same level of security measures to implement than a company collecting a person’s email address.
This is not to say that an email address is not important to protect but the security measures may not be the same.
No matter what type of information you collect on individuals, cybercriminals are constantly evolving and finding new ways to attack your networks and systems.
Data compliance does not have an end-result or a day where you can say “mission accomplished”.
Data compliance is achieved through constant and continual effort in securing your data.
IT professionals have an important role within organizations to keep up with the state-of-the-art and implement the latest technologies aimed at securing data and thus achieving compliance.
Implementing data protection law requirements is a great way to start implementing security measures to protect data even though security goes beyond what’s stated in the law.
Data compliance standards for businesses
There are certain standards that companies can adopt to demonstrate that they have taken measures to secure sensitive data and achieve data compliance.
These standards may be industry standards or a recognized form of international standards.
By adopting a compliance standard, companies make a statement about their operations to the world.
They are essentially sending the signal that they take data compliance seriously a person can have trust and confidence that their personal data will be protected.
Let’s look at some well-known compliance standards.
ISO 27000 series
The International Organization for Standardization (ISO) is a standard that businesses can implement to protect sensitive data at the data level or what is commonly known as “information security management systems” (ISMS).
ISO 27001 is a well-known data security standard for businesses.
ISO provides for IT security standards aimed at:
- Protecting financial information
- Employee personal data
- Intellectual property
- Crucial assets
NIST SP800-53 is a framework establishing security standards and various guidelines applicable to governments, governmental agencies and the federal information system.
Due to its general nature and how it outlines best practices, many companies in the private sector have adopted NIST SP800-53 standards to protect their data.
NIST Cybersecurity Framework
The NIST Cybersecurity Framework is a security standard allowing companies to manage their cybersecurity risk.
BS 10012 is a data security standard following the requirements of GDPR.
By adopting BS 10012, a company cannot achieve full GDPR compliance but they can achieve many compliance aspects required by GDPR.
PCI DSS stands for Payment Card Industry Data Security Standard.
PCI DSS outlines a set of rules crucial for handling and protecting cardholder data such as credit card numbers.
The industry has adopted the PCI DSS standards to ensure that companies handling cardholder data adequately protect the data in their possession.
Just like a law or regulation, a breach of the PCI DSS standards can result in heavy fines to a company.
An interesting compliance aspect under PCI DSS is that even if a merchant outsources its payment processing to a third-party service provider, which is the case most often, the merchant remains responsible to ensure the safety of the cardholder’s data.
To comply with PCI DSS, companies must have a good understanding of the requirements and ensure they implement the 12 essential requirements as issued by the PCI Security Standards Council.
There are also six PCI DSS categories of control objectives:
- Build and maintain a secure network and systems
- Protect cardholder data
- Maintain a vulnerability management program
- Implement strong access control measures
- Regularly monitor and test networks
- Maintain an information security policy
What are some data compliance laws and regulations?
To achieve data compliance, organizations should holistically consider their business operations and determine what laws and regulations apply.
Don’t be fooled, you may not only have one law or regulation to deal with.
If you sell your products and services to people in different countries, you may be subject to more data protection laws and regulations than you might think.
For example, in the United States, each state may have its own data protection regulation.
If you do business in Europe, you will have to comply with regulations such as the General Data Protection Regulation (GDPR) governing how European personal data should be protected.
What are some of the important data compliance regulations out there?
You may have already heard of it.
GDPR came into effect on May 25, 2018, and provides for a comprehensive set of guidelines to protect personal data.
It’s a supra-national regulation adopted by the European Union having the force of law within all the Europen Union countries.
It can also apply to many foreign organizations dealing with European residents or nationals.
It has a broad territorial application making it very difficult to escape for companies outside of Europe be dealing with EU data subjects.
GDPR establishes rules and minimum standards on how a company should collect, use and process personal information.
Since GDPR can apply to American, Canadian or any foreign organization, companies must ensure they comply with GDPR standards if they deal with Europe.
Practically speaking, if you are selling goods and services online to EU data subjects or if your business is global in scope, you will need to comply with GDPR.
GDPR provides for different levels of protection for different types of personal data.
Special categories of data are more “sensitive data” such as health information, biometric, genetic, criminal history and so on.
The protections and mandatory requirements applicable to special categories of data are different than personal data.
GDPR lays out 7 guiding principles for companies to observe and one of them is “accountability”.
This means, compliance.
HIPAA stands for the Health Insurance Portability and Accountability Act of 1996.
HIPAA deals with an individual’s healthcare and medical record.
The law requires that companies handling or processing a person’s medical data take the necessary security and confidentiality measures to protect these records from a possible breach.
For example, organizations must:
- Only share medical information to those who have a need-to-know
- Make sure they encrypt the data
- Make sure the implement proper access controls
- Control and monitor the communication of medical records
- Keeping an event log for audit purposes
Healthcare and medical information represent some of the most sensitive information about a person.
It’s no surprise that HIPAA has established a strict regime to ensure that companies protected medical records.
HIPAA also provides for heavy fines in the event of non-compliance.
SOX stands for the Sarbanes-Oxley Act of 2002.
This law was adopted following the major corporate accounting fraud resulting in millions of dollars lost by many individuals.
Following the accounting scandals, the American authorities adopted the measures outlined in SOX to prevent future abuse of investors.
This regulation is less about personal data but more about a company’s financial reporting obligations.
It’s compliance nonetheless.
As such, SOX is a compliance law governing how a company reports its financial position.
To comply with SOX, a company must ensure that it validates the numbers reported on its financial statement.
Validating numbers means that companies must implement measures to ensure the integrity of the financial reports they produce.
A company must also keep its financial records in the event an audit may be required or a regulatory probe.
With data retention obligations comes the obligation to perform backups, disaster recovery and so on.
CCPA stands for the California Consumer Privacy Act.
CCPA came into force on January 1, 2020, and represents one of the most strict data protection laws in the United States.
Its main focus is the consumers’ privacy rights.
Under CCPA, a company will have important obligations when dealing with a consumer’s private data.
For example, the following data can be considered as personal data:
- Cookies data
- IP addresses
- Internet activity
- Biometric data
- Household data, such as data generated by the Internet of Things
Just like GDPR, the CCPA takes a tough stance to protect the consumer’s private data.
Under CCPA, private data can be any information allowing a consumer to be directly identified but any disparate pieces of information that may allow a company to draw inferences about a person.
CCPA applies to:
- Companies earning more than $25,000,000 per year
- Buy, sell or receive personal information of more than 50,000 consumers, households or devices
- Businesses than earn more than 50% of their revenues from selling consumer personal information
Just like GDPR and other major data compliance laws and regulations, violations to CCPA can result in major fines to an organization.
PIPEDA stands for Personal Information Protection and Electronic Documents Act.
PIPEDA is a Canadian privacy law governing businesses and organizations in the private sector.
It has been in effect since April 13, 2000.
PIPEDA’s objective is to enhance the level of trust between individuals and businesses when personal information is being handled.
Similar to the 7 GDPR principles, PIPEDA has 10 fair information principles that companies must observe to comply with the spirit of the law.
The 10 principles are:
- Identifying purposes
- Limiting collection
- Limiting use, disclosure and retention
- Individual access
- Challenging compliance
Companies subject to PIPEDA must implement proper measures to comply with its requirements.
LGPD stands for the Brazilian General Data Protection Act.
LGPD imposes data protection and privacy obligations on both private organizations and public bodies.
What’s interesting about LGPD is that it’s objective is to protect personal data but to also strengthen the Brazilian economy and bring it into alignment with international data protection standards.
LGPR will apply to a business of any size dealing with personal information or personally identifiable information.
Just like GDPR, organizations should appoint a data protection officer to ensure they implement their LGPD obligations and communicate with the Brazilian data protection supervisory authorities.
The ADPR is a series of regulations handled at various levels such as federal level, state level and territory level.
Companies operating in the private sector are subject to the privacy obligations of ADPR.
Similar to GDPR and PIPEDA, companies have a duty to report data breaches to their supervisory authority in the event the breach can be harmful to the individuals concerned.
Violations of ADPR can result in penalties going up to $10,000,000 Australian dollars.
POPI stands for the Protection of Personal Information Act.
It was adopted by the South African government on November 19, 2013.
The primary objective of POPI is to protect personal information whether a company or organization operations in the public or private sector.
When companies collect and handle personal information, they must comply with the POPI standards.
They cannot use personal data for longer than necessary.
Disclosures to third parties are regulated.
FISMA stands for the Federal Information Security Management Act of 2002.
FISMA is a law affecting every federal agency, its subcontractors and services providers.
It also extends to service providers managing their IT network and systems.
FISMA protects the federal government’s information.
For example, data must be categorized and protected based on the potential harm a breach may cause.
There must be regular and ongoing risk assessment evaluations to ensure data is well protected.
To achieve FISMA compliance, companies will need to adopt FIPS 200 security standards.
FERPA stands for the Family Education Rights and Privacy Act.
FERPA applies to American educational agencies and institutions that receive funds from the federal government.
Its objective is to protect student records from a potential breach.
Educational institutions must take proper measures to protect student records from unauthorized disclosure.
GLBA stands for Gramm-Leach-Bliley Act.
GLBA applies to all organizations in the United States providing financial products and services to their customers.
The objective of GLBA is to protect nonpublic personal information and any personally identifiable information.
Just like other major data protection laws, GLBA requires that companies secure the collection and disclosure of personal information or nonpublic information.
There are some disclosure obligations required to the consumers of what data is collected about them, to whom it may be disclosed, how it will be used and so on.
How to achieve data compliance?
Data compliance is a practice of protecting sensitive data in accordance with legal and regulatory frameworks.
Companies can achieve data compliance in many ways.
Data compliance can be achieved by implementing proper procedures, workflows, policies and operations in place to safeguard and protect sensitive data handled by an organization.
Here are some tips to achieve data compliance:
- Understand your data
- Conduct risk assessments
- Have a plan
- Stay informed
- Speak to experts
Understand your data
The first tip is for a company to understand what type of data it holds.
You need to know what you have so you can determine how to protect it.
Are you holding basic contact information on someone?
Are only holding business information?
Are you holding cardholder information?
Perhaps medical records?
What’s important is that you perform data discovery and classification so you know what data you have and ensure you can track or trace them.
Conduct risk assessments
The second tip is for you to conduct risk assessments on an ongoing basis.
Data compliance is not a one-time gig, it’s a continual effort.
You need to continually assess and reassess your processes, technologies and systems to ensure you are keeping up with the latest.
By performing ongoing risk assessments, you can:
- Detect risks
- Assess your exposure
- Take remedial actions
- Validate if the actions have produced the intended results
This cycle is ongoing.
Have a plan
Data compliance may not be easy, especially if you need to comply with different laws and regulations at the same time.
A company required to comply with GDPR, CCPA and PIPEDA will have to tackle this by being prepared, by having a plan.
Developing a plan allows you to identify what are the administrative, physical and technical measures you need to put in place to achieve the intended level of data compliance.
In the field of data protection, privacy, cybersecurity and technology, keeping up-to-date is the name of the game.
Companies must be continually adapting to new technologies.
Reading, participating in industry events, conferences, taking courses, doing certifications are all good ways to stay informed.
Speak to experts
The last advice we have to give is that you speak to experts in the field.
No matter how much you read or try to learn, you will learn additional valuable insights by speaking to leading experts in data protection, data privacy, security, cybersecurity and so on.
Data compliance strategy
Traditionally, companies have adopted different layers of software and security measures to protect data.
With every added layer of application, system or software, the management of a complex network becomes more and more challenging.
One strategy that is effective is to consider data compliance through data-centric security strategies.
In other words, instead of protecting against a potential threat, perhaps it may be worth protecting the data, at the source.
Whether the data is in motion, at rest or in use, protecting the data at the data-level can provide more effective and meaningful security.
More meaningful security means achieving data compliance.
For example, tokenization can be one strategy to adopt.
Through the process of tokenization, the company replaces the personal data or sensitive data with a unique identifier in such a way that the information becomes anonymous to the user.
This way, the company can have different stakeholders manipulate the data without meaningful risk of breach of privacy obligations.
Data compliance is the process of ensuring that sensitive data handled by organizations are managed in such a way as to prevent its loss, theft or misuse and meet any applicable legal or governmental regulations.
In this article, we’ve looked at data compliance holistically.
What is data compliance?
Why is data compliance important?
What are some of the data compliance standards?
What are the data compliance regulations?
How does data compliance and data security work hand-in-hand?
We’ve covered the essentials that you need to understand and hopefully achieve data compliance.