Data compliance is the practice of following regulations set forth by corporate governance, industry organizations, and governments. These regulations set forth protocols for how sensitive data is collected, used, stored, and managed, among other requirements. Many data compliance requirements are related to data governance and data security protections.
It is important to understand that data compliance is not the same as data security. Data compliance focuses on guidelines and rules, while data security encompasses mechanisms, processes, procedures, and technologies. Data compliance and data security share a common goal of protecting sensitive data and guarding against breaches.
Let’s jump in and learn:
- General Data Protection Regulation (GDPR)
- Health Insurance Portability and Accountability Act of 1996 (HIPAA)
- Payment Card Industry Data Security Standard (PCI DSS)
- Sarbanes-Oxley Act of 2002 (SOX)
- California Consumer Privacy Act (CCPA)
- Personal Information Protection and Electronic Documents (PIPEDA)
- The Brazilian General Data Protection Act (LGPD)
- Australian Data Privacy Regulations
- The Protection of Personal Information Act (POPI)
- Federal Information Security Management Act of 2002 (FISMA)
- Family Educational Rights and Privacy Act (FERPA)
- Gramm-Leach-Bliley Act (GLBA)
- How to Ensure Data Compliance
- Data Compliance Frameworks
- Committing to Data Compliance
General Data Protection Regulation (GDPR)
The GDPR is one of the newest and most wide-ranging data compliance regulations added to the many already in place. It includes requirements for any organization that conducts business with individual subjects in the European Union (E.U.) and the European Economic Area (EEA)—regardless of its location and the data subjects’ citizenship or residence.
The GDPR focuses on people’s right to know what data businesses have on them and how companies process the data. It also specifies rules for data breach reporting.
Aside from data privacy requirements seen in other regulations, the GDPR includes specific requirements, including obtaining consent for data collection, minimizing the amount of data stored, and ensuring the rights of data subjects to access and request removal of their personal information. Systems and processes must be in place to track, protect, and manage this information to ensure data compliance.
Health Insurance Portability and Accountability Act of 1996 (HIPAA)
HIPAA drove the creation of national standards to protect sensitive patient health information from being disclosed without a patient’s consent or knowledge. Health organizations must evaluate how their data is gathered and managed and have safeguards to prevent “unnecessary or inappropriate” access to personal health information (PHI).
HIPAA specifies administrative, physical, and technical regulations that stipulate the mechanisms and procedures that have to be in place to ensure the integrity of PHI:
- Administrative regulations specify the requirements for risk assessments to clarify potential vulnerabilities related to the integrity of PHI.
- Physical regulations focus on the measures implemented to prevent unauthorized access to PHI.
- Technical regulations relate to protocols that ensure data security when PHI is being communicated on an electronic network.
Payment Card Industry Data Security Standard (PCI DSS)
The Payment Card Industry Security Council was founded by Visa, MasterCard, Discover, JCB International, and American Express to develop, maintain, and enforce a set of security standards to protect cardholder data from theft and fraud. PCI DSS regulates the storage, processing, and transmission of cardholder data to ensure its security and integrity by preventing data breaches and other forms of unauthorized access.
According to PCI DSS data compliance rules, cardholder data cannot be stored unless there is a legitimate business need. If this data is stored, records must be classified and handled with the appropriate protections. Also, data must be encrypted if it is transferred across open, public networks.
Sarbanes-Oxley Act of 2002 (SOX)
SOX requires public companies in the United States to comply with regulations that direct how records are retained. This includes timely backups of key information and document management systems with security systems to ensure data integrity.
According to SOX’s data compliance directives, the following must be monitored, logged, and audited:
- internal controls
- network activity
- database activity
- login activity
- account activity
- user activity
- information access
California Consumer Privacy Act (CCPA)
Much like the GDPR for the E.U., the CCPA applies to most organizations that conduct business in California and collect consumers’ personal data. The CCPA gives consumers more control over the personal information that businesses collect about them as well as visibility into how information about them is used and shared.
CCPA also bolsters protection for consumers’ personal data by giving them the right to take action against a company if their information was compromised in a data breach. An action for damages can be filed if the organization failed to “implement and maintain reasonable security procedures and practices” to protect consumers’ personal information.
Personal Information Protection and Electronic Documents (PIPEDA)
PIPEDA applies to all businesses operating in Canada and handling personal information that crosses provincial or national borders. This includes personal information collected, used, or disclosed in the course of a commercial activity.
Organizations must follow core principles that give individuals visibility into how their personal data is managed. PIPEDA also gives users control over their personal information, including giving consent to its use, having the ability to access and correct it, and knowing that it will be protected.
To meet PIPEDA’s data compliance requirements, companies must secure the personal information in their control to avoid loss and theft as well as unauthorized access, use, or modification. Safeguards include physical, technical, and organizational measures.
The Brazilian General Data Protection Act (LGPD)
The LGPD (Lei Geral de Proteção de Dados Pessoais) is Brazil’s version of GDPR. It consolidated over 40 regulations into one regulatory framework to govern the use of personal data in Brazil—online and offline, in the private and public sectors.
The LGPD protects Brazilian citizens and any individual whose data has been collected or processed while inside Brazil. According to the LGPD’s data compliance requirements, any organization that collects or processes personal information is required to adopt technical and administrative measures to protect this data from data breaches or leaks that could result in unauthorized access, loss, or modification.
In addition, organizations must document the processing of personal data throughout its lifecycle. This includes a description of what is collected, the purpose of collection and processing, retention time, and how data is shared.
Australian Data Privacy Regulations
The Privacy Act 1988 (Privacy Act) is Australia’s primary law that addresses data compliance as related to the handling of personal information about individuals. This includes collecting, using, storing, and disclosing personal information by public and private organizations.
The Australian Privacy Principles (APPs) in the Privacy Act provide data compliance direction related to the collection, use, and disclosure of personal information. Under the Privacy Act, organizations are responsible for the data governance, accountability, and integrity of personal information.
The Protection of Personal Information Act (POPI)
South Africa’s POPI directs how businesses must organize, store, secure, and discard personal information. POPI also changes the default consent from opt-in to opt-out. While companies do not need to get permission to collect information, they are not allowed to share collected information with anyone else or send marketing material without consent.
POPI includes data compliance requirements related to the processing of personal information, data quality, and data protection. POPI also has significant penalties for data breaches.
Federal Information Security Management Act of 2002 (FISMA)
FISMA protects government information, assets, and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction. It applies to all agencies within the U.S. federal government as well as state agencies administering federal programs, such as unemployment insurance, student loans, Medicare, and Medicaid.
The National Institute of Standards and Technology (NIST) provides specific guidance for complying with FISMA, including:
- implementing a risk management program
- protecting data and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction
- ensuring the integrity, confidentiality, and availability of sensitive information
Data compliance requirements include maintaining an inventory of information systems, categorizing information and information systems according to risk level, and conducting continuous monitoring.
Family Educational Rights and Privacy Act (FERPA)
FERPA is a U.S. federal law that protects the privacy of student education records, including report cards, transcripts, disciplinary records, contact and family information, and class schedules. Data compliance rules prohibit unauthorized access or disclosure of personally identifiable information derived from education records.
FERPA’s data compliance requirements apply to any public or private elementary, secondary, post-secondary school, and any state or local education agency that receives funds under an applicable program of the U.S. Department of Education.
Gramm-Leach-Bliley Act (GLBA)
GLBA requires financial institutions to maintain the security and confidentiality of customer data and protect against any threats to the data. Data compliance requirements under GLBA cover nonpublic personal information, including Social Security numbers, credit and income histories, credit and bank card account numbers, phone numbers, addresses, names, and any other personal customer information received by a financial institution that is not public.
GLBA data compliance requires that private information be secured against unauthorized access. Customers must be notified of private information sharing between financial institutions and third parties. Customers can opt out of private information sharing, and user activity must be tracked, including any attempts to access protected records.
How to Ensure Data Compliance
Taking care to follow key data security and compliance strategies goes a long way to ensuring data compliance. Consider these four foundational data compliance guidelines at the core of these strategies:
- Continuously check for changes in laws and regulations related to data compliance. Software solutions are available to provide notifications about updates, but someone needs to be responsible for ensuring that any necessary changes are made.
- Identify and leverage third-party expertise. Find the best technology and people to support data compliance programs.
- Create processes and policies that ensure that employees support data compliance programs. Following data compliance best practices that integrate with employees’ workflows helps to make data compliance programs successful.
- Do not wait for external audits to assess data compliance. Regular internal audits are the best way to identify and remediate data compliance gaps.
Data Compliance Frameworks
A data compliance framework is a set of guidelines and best practices that helps organizations adhere to regulatory requirements. These are designed around specific laws and regulations, such as PCI DSS, HIPAA, and GDPR.
A data compliance framework provides direction on technical requirements, such as:
- Access control
- Incident response
- Perimeter defense
- Risk management
It also offers guidance for how data compliance should be managed across the organization to meet requirements.
Committing to Data Compliance
Data compliance requires a concerted commitment backed up with robust programs. Take the time to identify the right resources—people and technology—to meet data compliance requirements. In addition to avoiding penalties for violations, data compliance provides greater visibility and access to data to power analytics that deliver valuable insights.
Egnyte has experts ready to answer your questions. For more than a decade, Egnyte has helped more than 16,000 customers with millions of customers worldwide.