GDPR Compliance Playbook
Your blueprint for achieving GDPR compliance.
Compliance regulations in the data security space are constantly changing and evolving, with more new acronyms for regulatory standards being introduced every year. In our global economy, staying compliant with government and industry regulations can be challenging, but with the right strategies, it doesn’t have to be a major burden.
Data use compliance refers to the standards and regulations that govern how companies and government organizations keep data secure, private, and safe from breaches or damage. This often applies to consumer data, but can also cover employee data, financial records, and more.
A company is ‘compliant’ when the way it manages, stores, and transmits data follows the regulations laid out in a series of laws and standards — which we’ll outline below.
Compliance laws are more than just a hoop that organizations must jump through to avoid fines. They’re designed to protect consumers, employees, and businesses themselves. These regulations are built around best practices that help keep data secure from breaches, improper use, destruction, leaks, and more. Companies that remain compliant don’t just stay on the right side of the law — they also tend to have a more streamlined data management framework that improves their effectiveness and profitability in the long run.
That said, compliance laws have limitations.
It’s important to note that while compliance laws are designed to help companies properly store and secure data, they have limits. One trap that many businesses fall into is believing that just because they’re compliant, they are also secure. But since every organization is different, compliance laws can’t account for the intricacies of each one.
For instance, you may be compliant with all relevant standards, but still have holes in your data security methods that could leave you and your customers exposed. And, even if a data breach doesn’t stem from noncompliance, the results can be devastating — from lost consumer trust and bad press, to lawsuits and fines.
Below is a list of the most significant and widely applicable regulatory compliance laws in the U.S. and beyond. While this is not an exhaustive list of every regulatory law governing sensitive data use, it covers many of the most common and important laws you’ll want to know about when it comes to maintaining compliance.
The European Union adopted the General Data Protection Regulation (GDPR) in 2016, and it has applied since May 25, 2018. It sets standards for any organization that processes the personal data of people in the EU, regardless of where that organization is established, so in effect it reaches not only European companies but a broad swath of U.S. organizations as well.
The GDPR requires that personal data be processed securely, with protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage (Article 5(1)(f)), and that organizations have a lawful basis for collecting it in the first place. The fines for the most serious infringements are significant: up to 4% of total worldwide annual turnover for the preceding financial year or €20 million, whichever is higher.
The California Consumer Privacy Act (CCPA) applies to for-profit businesses that do business in California and that have annual gross revenue above $25 million, that buy, sell, or share the personal information of 50,000 or more California consumers, households, or devices per year (a threshold the CPRA later raised to 100,000 consumers or households), or that derive 50% or more of their annual revenue from selling consumers’ personal information. Under the act, California residents have the right to know what personal information a business has collected about them and the categories of third parties it has been sold to or shared with, to have that information deleted, and to opt out of its sale.
The CCPA’s private right of action is narrower than is often assumed: consumers can sue only when their nonencrypted and nonredacted personal information is breached as a result of the business’s failure to implement reasonable security, with statutory damages of $100 to $750 per consumer per incident. Other violations are enforced by the state rather than through private lawsuits.
It’s important to note that the act protects individual California consumers, not companies, and that its reach follows the consumer. Even a business with no physical presence in California can be subject to the CCPA if it meets one of the thresholds above and handles California residents’ personal information.
Failure to comply can result in civil penalties assessed by the state, on top of the breach lawsuits described above. In November 2020, California voters passed an update to the CCPA, the California Privacy Rights Act.
The California Privacy Rights Act (CPRA) amends and expands the CCPA and took effect on January 1, 2023. It generally makes the law stricter, while raising the consumer-count threshold so that some smaller businesses fall outside it.
Changes introduced by the CPRA include a retention limit (businesses may not keep personal information longer than is reasonably necessary for the disclosed purpose), a new category of sensitive personal information whose use consumers can restrict, an expanded right to opt out of sharing as well as selling data, a new right to correct inaccurate information, and a dedicated regulator, the California Privacy Protection Agency.
One of the more widely known compliance laws, the Health Insurance Portability and Accountability Act (HIPAA) applies to covered entities (health plans, healthcare clearinghouses, and healthcare providers that transmit health information electronically) and to the business associates that handle protected health information on their behalf. Its Security Rule requires them to ensure the confidentiality, integrity, and availability of the electronic protected health information (ePHI) they create, receive, maintain, or transmit, and to protect against reasonably anticipated threats, impermissible uses and disclosures, and security breaches.
Civil penalties for HIPAA violations are tiered by level of culpability, running up to $50,000 per violation (inflation adjusted) with an annual cap of $1.5 million for violations of the same provision. Knowingly obtaining or disclosing PHI is also a criminal offense, and offenses committed with intent to sell the data or to cause malicious harm carry prison terms of up to 10 years.
The Federal Information Security Management Act of 2002 (FISMA), updated by the Federal Information Security Modernization Act of 2014, applies to all federal agencies and, through them, to the contractors and service providers that operate information systems on an agency’s behalf.
FISMA requires these organizations to categorize their information and information systems by the impact (low, moderate, or high) that a loss of confidentiality, integrity, or availability would have, to select and implement a corresponding baseline of security controls, and to conduct regular risk assessments and continuous monitoring so that residual risk stays at an acceptable level. Agencies that fail to meet FISMA requirements face consequences such as reduced budgets, increased oversight, and restrictions on what their systems are allowed to do.
The Sarbanes-Oxley Act of 2002 (SOX), passed by Congress in direct response to the accounting scandals of the early 2000s such as Enron and WorldCom, tightened the requirements on public companies for accurate and reliable corporate disclosures. It is designed to protect both investors and the general public, and it is enforced by the Securities and Exchange Commission (SEC).
Public companies, their management, and the public accounting firms that audit them must follow SOX, which includes requirements for internal controls over financial reporting (Section 404), for how business records are recorded and stored, and for how long certain records, including audit workpapers, must be retained (Section 802).
PCI DSS is the Payment Card Industry Data Security Standard. It is not a law but a contractual standard maintained by the PCI Security Standards Council and imposed through the card brands and acquiring banks. It applies to any organization that stores, processes, or transmits cardholder data (credit and debit), and it covers card data held electronically as well as in paper records.
Organizations subject to PCI DSS must, among the standard’s twelve requirements, build and maintain a secure network, protect stored cardholder data and encrypt it in transit over public networks, restrict access to cardholder data on a need-to-know basis, regularly test security systems and run a vulnerability management program, and maintain an information security policy. Noncompliance penalties are set by the card brands and passed down by the acquiring bank; commonly cited figures run up to $100,000 per month of noncompliance, and a merchant can lose the ability to accept cards altogether.
The following is a list of some additional standards and frameworks that may affect your business, depending on your industry and the type of data you manage and store.
NIST Special Publication 800-53 (NIST SP 800-53) is a catalog of security and privacy controls that federal agencies select from and implement to meet their FISMA obligations, outlined in the previous section. It is not required for private companies, but many adopt it anyway, because it provides a well-maintained baseline of practices for protecting information systems and the data they store.
NIST’s Cybersecurity Framework (CSF) is a separate, voluntary publication. Rather than a control catalog, it is a risk-management structure organized around core functions (identify, protect, detect, respond, and recover, with govern added in version 2.0) that organizations of any size can use to assess and improve how they manage cybersecurity risk and guard against breaches.
The ISO/IEC 27000 series is a family of international information security standards for organizations looking to protect financial data, employee data, intellectual property, and other information assets. Its best-known member, ISO/IEC 27001, specifies the requirements for establishing, implementing, and maintaining an information security management system (ISMS) and is the standard organizations get certified against; ISO/IEC 27002 provides the accompanying guidance on security controls.
Looking to improve your data compliance practices? It begins with understanding which compliance laws apply to you and your organization. Beyond that, there are three key areas to focus on when getting on the path to data security compliance.
First, it’s important to understand what type of data you’re dealing with on a regular basis. Are you at a healthcare company handling patient records, or a business handling customer payment card information or other regulated data? The type of data you store determines which information security standards and data security laws you’re required to follow, so this is the best place to begin when seeking data security compliance.
A tool that performs sensitive data discovery, automatically identifying, tagging, and classifying sensitive data wherever it lives, helps organizations keep track of what they hold so that nothing falls through the cracks.
Data security compliance won’t happen on its own just because your company tries to make sensible data security choices. Every organization should have an explicit plan that outlines its compliance requirements and how it will reach and maintain compliance with those regulations. In some cases, businesses can partner with third-party data security platforms to help achieve and maintain data security compliance. A platform that provides flexible attribute-based access control and dynamic data masking helps ensure that compliance policies are enforced consistently across all cloud data platforms, maximizing both data privacy and data utility.
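As an added example (not code from the original page or from Immuta’s product), here is a toy Python implementation of the two ideas in the preceding paragraphs: discovering and tagging sensitive columns, then enforcing an attribute-based access-control policy with dynamic masking at query time. The detectors, tag names, policy rules, subject attributes, column names (including the `region` column used for row-level filtering) and sample rows are all assumptions constructed for the illustration; a production system would use a far richer detector set and a real policy engine rather than a dictionary.

```python
"""Toy sensitive-data discovery plus attribute-based access control with dynamic masking.
Added example: not code from the original page or from Immuta's platform. Every detector,
tag name, policy rule, subject attribute and sample row below is constructed for illustration."""
import re


def luhn_ok(digits: str) -> bool:
    """Luhn check so that not every 13-19 digit string is tagged as a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# Step 1: discovery. Each detector maps a tag to a predicate over a single cell value.
PAN_RE = re.compile(r"^\d{13,19}$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")
DETECTORS = {
    "pci.pan": lambda v: bool(PAN_RE.match(v)) and luhn_ok(v),
    "pii.email": lambda v: bool(EMAIL_RE.match(v)),
    "pii.ssn": lambda v: bool(SSN_RE.match(v)),
}


def classify(rows, threshold=0.8):
    """Tag a column when at least `threshold` of its non-empty values match a detector.
    Returns {column_name: {tag, ...}}; columns with no tag are omitted."""
    tags = {}
    if not rows:
        return tags
    for col in rows[0]:
        values = [str(r[col]) for r in rows if r.get(col) not in (None, "")]
        if not values:
            continue
        for tag, matches in DETECTORS.items():
            hits = sum(1 for v in values if matches(v))
            if hits / len(values) >= threshold:
                tags.setdefault(col, set()).add(tag)
    return tags


# Step 2: policy. For each tag, the subject attributes required to see the value in the clear
# and the masking function applied otherwise. Unknown tags are redacted (default deny).
def mask_pan(v):
    return "*" * (len(v) - 4) + v[-4:]      # keep the last four, as PCI DSS permits for display


def mask_email(v):
    local, _, domain = v.partition("@")
    return local[:1] + "***@" + domain


def redact(_v):
    return "[REDACTED]"


POLICY = {
    "pci.pan": {"allow_if": {"role": {"fraud-analyst"}, "pci_trained": {True}}, "mask": mask_pan},
    "pii.email": {"allow_if": {"role": {"fraud-analyst", "support"}}, "mask": mask_email},
    "pii.ssn": {"allow_if": {"role": {"compliance"}}, "mask": redact},
}


def permitted(subject, conditions):
    """Every required attribute must be present on the subject with an allowed value."""
    return all(subject.get(attr) in allowed for attr, allowed in conditions.items())


def enforce(rows, tags, subject):
    """Return a copy of `rows` as the subject may see it. Rows outside the subject's optional
    `regions` attribute are dropped; a column with several tags gets each failed rule's mask
    applied in turn, and an unrecognised tag redacts it outright. Input rows are not modified."""
    regions = subject.get("regions")
    view = []
    for row in rows:
        if regions is not None and row.get("region") not in regions:
            continue
        out = dict(row)
        for col, col_tags in tags.items():
            for tag in sorted(col_tags):
                rule = POLICY.get(tag)
                if rule is None:
                    out[col] = redact(out[col])
                    break
                if not permitted(subject, rule["allow_if"]):
                    out[col] = rule["mask"](str(out[col]))
        view.append(out)
    return view


# Constructed sample data; the card numbers are the usual public Luhn-valid test numbers.
SAMPLE_ROWS = [
    {"customer": "Ada", "email": "ada@example.com", "card": "4111111111111111", "ssn": "123-45-6789", "region": "CA"},
    {"customer": "Bob", "email": "bob@example.org", "card": "5500000000000004", "ssn": "987-65-4321", "region": "TX"},
    {"customer": "Cy", "email": "cy@example.net", "card": "340000000000009", "ssn": "111-22-3333", "region": "CA"},
]

if __name__ == "__main__":
    found = classify(SAMPLE_ROWS)
    for who in ({"role": "fraud-analyst", "pci_trained": True}, {"role": "marketing", "regions": {"CA"}}):
        print(who, enforce(SAMPLE_ROWS, found, who))
```

Two design choices matter more than the code size. The Luhn check keeps discovery from tagging every long numeric identifier as a card number, which is the usual source of noise in classifier output; and the policy is default-deny, so a column carrying a tag that nobody has written a rule for is redacted rather than shown. Rows are copied before masking, so the same underlying data can be served to several subjects with different views.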
Many organizations achieve compliance once and determine that their job relative to data security compliance is finished. But over time, the goalposts shift, new regulations emerge, and consumer data standards change. Meanwhile, the standards you’ve established within your company may fall by the wayside or slowly lose priority with new hires or leadership.
That’s why it’s important to perform regular data assessments that help determine where you stand, identify areas to improve compliance and security, and optimize your data security processes.
It’s also worth noting that an increasing number of individual states are proposing specific legislation governing data use and security. This means that while you may be compliant according to one state’s laws, you may not be compliant according to another’s. You may even find that compliance language isn’t consistent from one state or jurisdiction to another. That’s another reason why regular data assessments are so critical.
However, Immuta can help. Our full-scale Data Security Platform keeps your data secure, compliant, and accessible to the people that need it, when they need it. If you want to learn more, request a demo today.