It is no secret that data compliance is a top priority for every business. Companies gather and store clients’ personal data electronically, and both they and their clients want assurance that it will not leak.
To make sure sensitive information is handled and used responsibly, governments and industry bodies have put laws and standards in place to protect personal data. The most notable are HIPAA, GDPR, and PCI-DSS. We will also discuss CCPA, SOX, PIPEDA, POPI, and LGPD, which are major concerns for enterprises as well.
So, before looking deeper into the compliance types, let’s figure out what data compliance deals with.
How Does Data Compliance Work?
Regulations around data compliance vary widely across industries, governments, states, countries, and even continents (e.g. GDPR, which covers the whole EU and EEA). However, they almost always address three things:
- what type of data needs to be protected
- what processes need to be implemented to protect that data
- what penalties apply if an organization does not comply with those processes.
HIPAA (Health Insurance Portability and Accountability Act)
HIPAA is an act passed by the US Congress in 1996 that mandates privacy and security standards for the healthcare industry when it comes to protecting patients’ medical records and other health information. These standards provide patients with more control over how their personal health information is used and disclosed.
It applies to covered entities, which include healthcare providers (e.g. doctors, dentists, hospitals), health plans (e.g. insurance companies), and healthcare clearinghouses (which process insurance claims and billing data). Business associates are the persons or organizations that create, receive, maintain, or transmit protected health information (PHI) on behalf of a covered entity, and they are bound by HIPAA as well. Examples include accounting, legal, consulting, analytics, and administrative service providers.
GDPR (General Data Protection Regulation)
GDPR is the EU regulation on data protection and privacy in the European Union and the European Economic Area. It sets out rules designed to give people in the EU more control over their personal data. Under GDPR, businesses must ensure personal data is collected lawfully and adequately protected from misuse and exploitation. Because it applies to any organization that processes the personal data of people in the EU, wherever that organization is based, it reaches most major corporations in the world.
Special categories of data, such as health, biometric, genetic, or criminal-record data, are subject to the strictest protection. Scale matters too: organizations whose core activities involve large-scale processing of such data, or large-scale, regular and systematic monitoring of individuals, must appoint a Data Protection Officer and answer to the national Data Protection Authorities that supervise compliance.
The GDPR sets out seven key principles:
- lawfulness, fairness, and transparency
- purpose limitation
- data minimization
- accuracy
- storage limitation
- integrity and confidentiality (security)
- accountability
PCI-DSS (Payment Card Industry Data Security Standard)
PCI-DSS is not a law but an industry standard designed to protect consumers. It is maintained by the PCI Security Standards Council, formed by the major card brands in 2006, to unify payment card security requirements and improve account security throughout the transaction process. It sets out security requirements for organizations that process, store, or transmit cardholder data.
PCI-DSS is enforced contractually by the card brands, through acquiring banks, rather than by government. Any merchant or service provider that processes, transmits, or stores cardholder data, online or in person, must be PCI-DSS compliant, with the scope of assessment depending on transaction volume.
CCPA (The California Consumer Privacy Act)
The California Consumer Privacy Act of 2018 was established to give consumers more control over the personal information that businesses collect about them. It grants California consumers privacy rights, including the right to know how businesses use their information, the right to delete personal information collected by businesses, and the right to opt out of the sale of their personal information.
Under CCPA, consumers have the right to know what personal data is collected or sold, and for what purpose, including disclosures covering the preceding 12 months (reaching back to January 1, 2019, when the law took effect). They have the right to access the data, request its deletion, and opt out of its sale. Those who exercise these rights are still entitled to equal service at the same price. Consumers also have a limited right to sue companies directly when a data breach exposes their personal information because the company failed to maintain reasonable security practices.
SOX (Sarbanes-Oxley Act)
SOX, passed in 2002, is mandatory for all US public companies (with some provisions applying to privately held entities as well). It introduced significant changes to the regulation of financial practice and corporate governance in response to the corporate financial scandals involving Enron, Global Crossing, and WorldCom.
The goal of SOX is to protect investors by improving the accuracy and reliability of corporate disclosures.
Because financial reporting depends on IT systems, SOX compliance demands effort from both finance and IT: the internal controls assessed under Section 404 include IT general controls such as access management, change management, and backup and recovery for the systems that feed financial reports. During a SOX compliance audit, both departments need to work together to ensure their efforts and processes are aligned.
Failure to comply with SOX can result in severe penalties for both the company and its CEO and CFO. Depending on the violation, a company may be delisted from its stock exchange or fined millions of dollars. Executives who certify inaccurate financial reports can also face fines and imprisonment.
PIPEDA (Personal Information Protection and Electronic Documents Act)
PIPEDA is the Canadian federal privacy law for private-sector organizations. Its original purpose was to build trust in electronic commerce by regulating businesses that handle personal information. It applies to any Canadian-based private enterprise that collects personal information in the course of commercial activities, as well as to foreign companies that target Canadian customers. PIPEDA covers data about an identifiable individual, such as name, age, ethnicity, medical history, opinions, comments, and marital status.
PIPEDA also holds organizations accountable for the loss or theft of personal information, including a duty to report breaches that pose a real risk of significant harm.
The 10 PIPEDA fair information principles are:
- accountability
- identifying purposes
- consent
- limiting collection
- limiting use, disclosure, and retention
- accuracy
- safeguards
- openness
- individual access
- challenging compliance
POPI (The Protection of Personal Information Act)
Under POPI, South African organizations must adhere to a set of compliance standards that ensure responsible collection, storage, processing, and sharing of personal information. POPI applies to every organization that processes personal information in South Africa, though it weighs most heavily on entities that handle vast amounts of consumer information, such as banks, medical organizations, and insurance companies. The law protects not only individuals but also juristic persons, so companies and other legally recognized entities are data subjects too.
LGPD (The Brazilian General Data Protection Act)
LGPD is intended not only to protect personal data but also to strengthen Brazil’s economy by aligning the country with the international standard set by GDPR, on which it is closely modeled. LGPD regulates any organization, from a small business to a multinational corporation, that collects personal data of people in Brazil. The data it protects covers an identifiable individual’s data as well as anonymized data that can be re-identified or is used for behavioral profiling.
HIPAA Software’s Reviewing Platform for Advanced Compliance
Getting a handle on everything to do with HIPAA compliance can be complicated. With so many rules to follow, it can be difficult to determine whether your company is really HIPAA compliant.
Because HIPAA Software provides reliable HIPAA consultancy, nothing gets overlooked. It has never been easier to stay compliant: the reviewing platform ensures that every piece of software it reviews meets industry standards.