Passing a data protection compliance audit is a badge of honor. It shows that you have implemented the necessary controls and security policies as part of a process that keeps your company’s information safe from cybercriminals. The levels of compliance required will vary according to the region, industry, and the types of data you manage every day.
Since the European Union's General Data Protection Regulation (GDPR) came into effect in 2016, it has shifted the global conversation, and many countries now have similar legislation on the books. Although data protection laws all aim to improve information security, each jurisdiction's implementation can differ slightly. To help you understand the different data compliance requirements, this blog will discuss the major pieces of legislation and certification programs that may apply to your organization.
Different Data Protection Compliance Regulations
While most organizations are now familiar with GDPR, you'll also have to address requirements from new legislation passed in India, Brazil, and the State of California, to name a few. The main pieces of legislation that apply to data protection are:
- GDPR – Applies to any organization that collects data from European Citizens.
- LGPD – Brazil's Lei Geral de Proteção de Dados (translates to General Data Protection Law) came into effect as of February 2020.
- DPB – The Personal Data Protection Bill from India was approved by parliament in December 2019.
- CCPA – As of 1 January 2020, the California Consumer Privacy Act applies to all companies that collect, process, and store data from the state's citizens.
- PoPI – Dating back to 2013, the Protection of Personal Information Act is South Africa’s GDPR equivalent.
Each of these data protection laws has subtle nuances and different requirements. However, all of them apply to any organization that collects data from citizens in those jurisdictions. This means that even if your company doesn't operate from one of these locations, you'll still need to comply with the requirements if you manage personal information from that region.
Industry and Information Specific Laws and Compliance Frameworks
Additional laws currently apply to at least 25 U.S. States and Puerto Rico. Depending on your company operations, other compliance regulations and certification programs may be required. These include:
- HIPAA – The Health Insurance Portability and Accountability Act (specifically the new Security Rule) applies to organizations that manage electronic protected health information of U.S. citizens.
- SOX – The Sarbanes-Oxley Act requires public companies in the U.S. to establish validation and reporting controls on all financial information.
- PCI-DSS – Enforced by the Payment Card Industry (PCI) Security Standards Council, the Data Security Standard (DSS) applies to all organizations that handle payment card data from the major card brands (including Mastercard and Visa).
- SOC 2 – A System and Organization Controls (SOC) 2 report is the output of an audit process developed by the American Institute of Certified Public Accountants (AICPA).
- ISO 27001 – The internationally recognized compliance framework and standard for an Information Security Management System (ISMS).
As you can see above, compliance requirements are more complex than ever, and your company may need to comply with any combination of these laws. For example, any marketer that administers a list of subscribers will need to comply with all the requirements of a specific region even if only one person from there uses their services.
Data Protection Frameworks and Approaches for Compliance
With information and company data regularly crossing international borders, you’ll need a holistic framework that keeps you compliant. Instead of establishing individual policies to comply with a specific piece of legislation, adopting a data protection plan that addresses all requirements can reduce the level of effort required.
Popular Frameworks for a Holistic Data Protection and Security Plan
The key to developing a data protection and security framework is understanding your entire information perimeter. You’ll need to have a clear map of all your information systems, including any integrations with vendors, suppliers, and customers. You should then develop controls for network security, endpoint security, and infrastructure security.
Some popular data security frameworks you can consider are:
- Generally Accepted Privacy Principles (GAPP) – Published by the AICPA, GAPP incorporates ten privacy principles to help companies establish a framework for compliance.
- Fair Information Practice Principles (FIPPs) – The Federal Trade Commission (FTC) of the U.S. uses FIPPs to provide eight principles that help you understand the risks in your information security systems, along with guidance on how to address them.
- Privacy by Design – Built on seven foundational principles, Privacy by Design is a certification program that seeks to build security into the design of all IT systems from the outset.
All three of these frameworks aim to provide your organization with a toolbox to establish a data protection plan that complies with applicable legislation. However, there is no single solution available that can solve all your problems for you. The frameworks provide guidance, but you’ll need to understand the risks your organization faces and ensure you build controls that address them adequately.
Challenges with Data Protection Compliance
When assessing your data protection requirements, you’ll need to develop solutions that mitigate the risks you’ve identified. Endpoint security today is one of the biggest challenges all organizations will need to overcome. With additional devices (BYOD, IoT, etc.) entering your perimeter daily, securing all your endpoints must be one of your data protection compliance priorities.
A compromised device can lead to a complete failure of your data protection plan. When staff log into business systems that store private information, you should ensure they use two-factor authentication (2FA) or multi-factor authentication (MFA) and encrypted communications, especially when accessing the system from outside the corporate network.
To help protect sensitive information that resides on a device, physical security such as keyed or combination locks can help. Ensuring your staff has the tools to secure endpoints, whether in the office, working from home, or traveling, can help you to remain compliant with all regulatory stipulations. Visual hacking is another risk you’ll want to address, so you’ll need to consider privacy screens for both office and home workers.
Establishing a Robust Compliance Framework for Your Organizational Data Security
Understanding the different requirements that data protection regulations bring to your organization will depend on your operational processes and technology stacks. You’ll need to ensure you identify all the risks facing your information and implement controls that adequately address these concerns. Compliance will continue to become more complex in the future, so using a framework that encompasses a proactive approach to secure your data is vital going forward.
Kensington remains committed to helping organizations secure their information systems and improve compliance with data protection legislation.