Data Protection Act

Many countries have adopted general data protection and privacy laws or data protection acts. With similar names, it can be challenging for non-data privacy experts to keep one straight from another. Following is a review of data protection acts and other laws that include data protection provisions to clarify the differences and help make sense of it all.

Data Protection Act 2018 (UK)

The UK Data Protection Act implements the European Union’s (EU) General Data Protection Regulation (GDPR) with the addition of several exemptions and UK-specific provisions related to academic research, financial services, and child protection. The Data Protection Act governs data covered by the GDPR and covers all other general data, law enforcement data, and national security data.

Data Protection Act Core Principles

• Accountability
  Organizations’ obligation to take responsibility for the personal data they handle 
• Accuracy
  Responsibility to either update inaccurate information or delete it
• Data minimization
  Limitations on requests for individuals’ information beyond that which is specifically needed for the stated purpose
• Integrity and confidentiality
  Requirements related to the safeguarding of personal data 
• Lawfulness, fairness, and transparency
  Specification that users must understand what they are signing up for when they share personal data
• Purpose limitation
  Data usages is limited to the specific use that it was collected for
• Right to be forgotten
  Individuals can have all information about them, or just specific details, deleted upon request
• Storage limitation
  Restrictions on how long organizations can keep data beyond that of its intended purpose

GDPR

GDPR is comprehensive data protection and privacy law for the EU. Any organization that collects and processes personal data from EU residents must comply with GDPR or face penalties regardless of where the organization is located. GDPR includes many requirements related to privacy rights, data security, data control, and governance related to personal information.

Sample Data Protection Laws at the US State Level

Often considered a cluttered mess of different rules, data protection and privacy laws at the state level (US) range from specific data types (e.g., financial, children’s information) to general information (e.g., any consumer’s data). While most regulations are similar, their differences are material, and not understanding them puts individuals and organizations at risk. California and New York have enacted data protection acts that are considered the toughest in the country, if not the world.

CCPA

The California Consumer Privacy Act (CCPA) focuses on ensuring that organizations have a business purpose for requesting personal information, as well as giving consumers control of their data. The CCPA must be adhered to by businesses that receive, buy, or sell California consumers’ data. It enables Californians to easily request, delete, or protect their personal information (PI) that's collected and governed by a business.

New York SHIELD Act

The New York Stop Hacks and Improve Electronic Data Security (SHIELD) Act requires businesses to adopt security programs to reduce the risk of a data breach and ensure timely notifications in the event of a breach. Like GDPR, the New York SHIELD Act is far-reaching. Any person or business that owns or licenses digitized copies of private information about New York residents must comply with the act or be subject to fines and legal actions.

The New York SHIELD Act requires businesses to implement safeguards to protect data. It casts a wide net in terms of what is considered private information and obliges companies that incur a breach to undergo broad notification effort.

Data Protection Under the Federal Trade Commission Act

When companies tell consumers they will safeguard their personal information, the Federal Trade Commission (FTC) can and does take law enforcement action to ensure that those companies fulfill their obligations. Section 5(a) of the FTC Act provides that “unfair or deceptive acts or practices in or affecting commerce . . . are . . . declared unlawful.” This encompasses the enforcement of data security and privacy legislation and data protection acts. 

Acts that the FTC has a hand in enforcing data protection components for include:

• Children’s Online Privacy Protection Act (COPPA)
  Requires providing notice to or obtaining consent from the parent about collection of their child’s data and providing reasonable means for parents to review the collected data, withdraw their consent, and deny further use of the data
• Fair Credit Reporting Act (FCRA)
  Governs how credit bureaus can collect and share information about individual consumers and gives consumers certain rights, including free access to their credit reports
• Fair Debt Collection Practices Act
  Prohibits exchange of information about individuals who allegedly owe a debt 

The FTC also enforces key international privacy frameworks, including:

• EU-US Privacy Shield Framework
  Provides a legal mechanism for companies to transfer personal consumer data between the European Union and the United States
• Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules (CBPR) System
  Enhances privacy and security of consumers’ personal information transferred amongst the United States and other APEC members

This broad authority allows the Commission to address a wide array of practices that affect consumers, including those that emerge with development of new technologies and business models.

Health Insurance Portability and Accountability Act of 1996 (HIPAA)

HIPAA is, in part, a data protection act that supports the safeguarding of medical information. It established standards to protect individuals’ medical records and other personal health information.

HIPAA applies to health plans, health care clearinghouses, and health care providers that conduct certain health care transactions electronically. Organizations that handle this protected health information (PHI) must have and follow security measures to protect physical locations, networks, and processes and ensure HIPAA compliance, including the following:

Administrative Safeguards
Define policies and procedures that set out what is required to protect PHI, such as:

• Contingency plan to respond to data loss from disaster or malicious activity
• Security management protocols to identify and analyze risk 
• Training programs and related policies

Physical Safeguards
These focus on measures to prevent unauthorized access to PHI, as well as to protect data from fire and other environmental hazards and control access to facilities and computer systems, such as:

• Locks and alarms
• Cable locks for workstations
• Computer monitor privacy filters

Technical Safeguards
These relate to controls and systems to maximize data security when PHI is shared on an electronic network; technical safeguards as well and policies and procedures for its use must be in place, such as:

• Access controls
• Encryption for data and networks
• Network monitoring

The Gramm-Leach-Bliley Act (GLBA)

GLBA is a data protection act that sets forth rules about how financial institutions should address the privacy and security of personally identifiable financial information relating to individuals. It requires financial institutions to send consumers annual privacy notices and allow them to opt-out of sharing their information with unaffiliated third parties.

GLBA also requires financial institutions to implement reasonable security policies and procedures, including having a security program to:

• Ensure the security and confidentiality of consumer records and information
• Prevent unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer
• Protect customer records against any anticipated threats or hazards to their security or integrity

Data Protection Acts—Requirements With Global Reach

In addition to the several data protection laws that are noted here, there are many more from across the United States and worldwide. The Data Protection Act is associated with the UK’s 2018 law, but many other laws bear the same name.

It is imperative to have a clear understanding of the laws in jurisdictions where your business is based and those in the localities where it has any operations. As illustrated with the New York SHIELD Act, the reach of these laws cannot be underestimated. 

Egnyte has experts ready to answer your questions. For more than a decade, Egnyte has helped more than 16,000 customers with millions of customers worldwide.

Last Updated: 14th February, 2022

Get started with Egnyte.

Request Demo