Whether we like it or not, our personal data is constantly being gathered, and often stored, electronically. The recent scandal around Facebook and Cambridge Analytica highlights just how vulnerable our personal data is and how important it is that it be handled and used responsibly.
Three notable examples of laws and regulations that governments and industry have put in place to protect personal data are HIPAA, GDPR, and PCI-DSS. This blog will look at these data security and privacy regulations and at how Axilient’s Velocity Platform can help support compliance with them.
HIPAA Privacy and Security Rules
The main motivation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) was to improve health care efficiency and patient care outcomes by encouraging the free flow of health information in the US. At the same time, HIPAA mandated national standards to secure the privacy of personal health information. Compliance with HIPAA’s final Privacy Rule has been compulsory since April 2003, and with its final Security and Enforcement Rules since April 2005. Among other things, organizations subject to HIPAA must:
- Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit.
- Identify and protect against reasonably anticipated security threats.
- Protect against reasonably anticipated, impermissible uses or disclosures.
- Ensure compliance by their workforce and business associates.
GDPR Data Protection
The General Data Protection Regulation (GDPR) was enacted by the European Union to deepen and harmonize personal data protection rules. In effect since May 25, 2018, it is a comprehensive and clear set of requirements that acknowledges that different “flavors” of personal data require different levels of protection. Sensitive data, such as health, biometric, genetic, or criminal-history data, is subject to the highest level of protection. The quantity of data also counts: companies that regularly collect and process large volumes of personal data must register with government-appointed Data Protection Authorities. Key provisions include:
- Consent: Organizations must get consent to collect personal data, with the level of consent varying according to the type of personal data being collected.
- Data minimization: Responding to years of gratuitous collection of personal data by apps with no clear purpose in mind, the GDPR stipulates that organizations may only collect personal data that is clearly related to a well-defined business objective. If an organization gathers personal data for one purpose but then decides to use it for another purpose (such as consumer profiling), that could be considered non-compliance.
- Individual rights: Another key feature of the GDPR is the very clear rights it gives data subjects (i.e., the individuals whose personal data is being collected) to understand why their data is being collected and how it is being processed. They have the right to object, the right to have their data corrected, and the right to be erased (the “right to be forgotten”). They also have the right to be notified individually if their personal data has been breached in a way that could endanger their rights and freedoms.
One of the most distinctive aspects of the GDPR is its “teeth”: very stiff penalties for non-compliance (up to €10 million or 2% of worldwide annual turnover, whichever is higher) and for breaches (up to €20 million or 4% of worldwide annual turnover, whichever is higher). Just as painful is the right of Data Protection Authorities to prevent a company from collecting or processing personal data while a suspected non-compliance or breach is being investigated.
PCI-DSS Requirements
The Payment Card Industry Data Security Standard (PCI-DSS) is a set of security standards developed by the major credit card companies to help protect sensitive cardholder data. Unlike HIPAA and GDPR, which are based on governmental regulation, PCI-DSS compliance requirements are contractual commitments maintained and enforced by the Payment Card Industry Security Standards Council (PCI SSC), an independent global body established in 2006.
PCI-DSS applies to all merchants and organizations that accept, transmit, or store cardholder data. However, there are different PCI-DSS compliance levels depending on the number of payment transactions a merchant or organization has handled over the previous twelve months. PCI-DSS describes six categories of control objectives:
1. Build and Maintain a Secure Network and Systems
2. Protect Cardholder Data
3. Maintain a Vulnerability Management Program
4. Implement Strong Access Control Measures
5. Regularly Monitor and Test Networks
6. Maintain an Information Security Policy