Whether we like it or not, our personal data is constantly being gathered and—often stored—electronically. The recent scandal around Facebook and Cambridge Analytica highlights just how vulnerable our personal data is and the importance of it being handled and used responsibly.
Three notable examples of laws and regulations have been put in place by governments and by industry to protect personal data are HIPAA, GDPR, and PCI-DSS. This blog will look at these data security and privacy regulations and how Axilient’s Velocity Platform can help supporting their compliance.
HIPAA Privacy and Security Rules
The main motivation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) was to improve health care efficiency and patient care outcomes by encouraging the free flow of health information in the US. At the same time, these HIPAA compliance requirements mandated national standards to secure the privacy of personal health information. Compliance with HIPAA’s final Privacy Rule has been compulsory since April 2003, and with its final Security and Enforcement Rules since April 2005.
GDPR Data Protection
The General Data Protection Regulation (GDPR) was enacted by the European Union to deepen and harmonize personal data protection regulations. Now in effect as of May 25, 2018, it is a comprehensive and clear set of guidelines that acknowledges that different “flavors” of personal data require different levels of protection. Sensitive data, such as health, biometrics, genetic, or criminal history are subject to the highest levels of protection. The quantity of data also counts, with companies that regularly collect and process large volumes of personal data having to register with government-appointed Data Protection Authorities.
One of the most unique aspects of the GDPR is its “teeth”—very stiff penalties for non-compliance (up to €10 million or 2% of worldwide annual turnover, whichever is higher) and breaches (up to €20 million or 4% of worldwide annual turnover, whichever is higher). Just as painful is the right of Data Protection Authorities to prevent a company from collecting or processing personal data while a suspected non-compliance or breach is being investigated.
Payment Card Industry Data Security Standards (PCI-DSS) is a set of security standards developed by the major credit card companies to help protect sensitive cardholder data. Unlike HIPAA and GDPR requirements, which are based on governmental regulation, PCI-DSS compliance requirements are contractual commitments maintained and enforced by the Payment Card Industry Security Standards Council (PCI SSC), an independent global body established in 2006.
PCI-DSS applies to all merchants or organizations that accept, transmit or store cardholder data. However, there are different PCI-DSS compliance levels depending on the quantity of payment transactions that a merchant/organization has handled over the previous twelve months. The PCI-DSS describes six categories of control objectives:
1. Build and Maintain a Secure Network and Systems
2. Protect Cardholder Data
3. Maintain a Vulnerability Management Program
4. Implement Strong Access Control Measures
5. Regularly Monitor and Test Networks
6. Maintain an Information Security Policy
We just sent you an email. Please click the link in the email to confirm your subscription!