A growing number of privacy and data protection regulations are being put into effect in the US and around the world. While these standards are often industry- and country-specific, a set of standardized controls, policies and procedures can be mapped across these laws in an apply-once, comply-many solution.
Truvantis can assist your organization in complying with privacy standards by evaluating your environment and applications end-to-end, and designing a risk-based, actionable roadmap of steps to achieve privacy compliance.
Learn more about our privacy consulting services and explore the most common privacy standards that may apply to you below.
The California Consumer Privacy Act (CCPA) is a California state law affecting most large businesses that have California consumers as customers. It has passed into law and will be fully enforced no later than July 1, 2020.
All California residents are “consumers” under this regulation. Its scope includes all personal data, including browsing and purchase history, IP and email address, geolocation data, employment data, inferences, habits, etc.
Right to Opt-Out of Sale: Personal data from a California consumer who opts out cannot be sold, and a business that sells PI must place an opt-out link clearly and conspicuously on its website.
Right to Deletion: Upon a verified request, a California Consumer’s personal data must be deleted from all records, including paper (subject to some significant exceptions).
A California Consumer also cannot be given a lower level of service or charged a higher price for a product as a result of the exercise of CCPA rights unless the difference is reasonably related to the value provided by the consumer’s data.
Other new restrictions include notifications prior to or at the point PI is collected, and restrictions on the sale of PI belonging to consumers under the age of 16.
Failure to achieve compliance on time and/or a poor execution of customer-facing capabilities is likely to result in fines (up to $7500 per violation), civil litigation (up to $750 per consumer record), and diminished brand reputation.
GDPR is a European Union regulation that was created to reform, modernize and harmonize European data protection law throughout the EU, and is fully enforceable at this time. The changes in data privacy and protection as a result of GDPR significantly impact collection, processing and storage of personal data in all European Union member states.
"Personal data" refers to any information relating to an identified or identifiable natural person ('Data Subject'); an identifiable person is one who can be identified, directly or indirectly, by reference to an identification number or to one or more factors specific to physical, physiological, mental, economic, cultural or social identity. Under GDPR the definition of personal data is expanded to include persistent identifiers, pseudonymous data and restricted data such as health, race, and government information.
Transparency: Privacy policies and notices must be clear, concise, transparent and in an easily accessible form; they must justify the use of a data subject’s personal data and reflect data minimization.
Under GDPR, organizations found in breach can be fined up to 4% of their annual global turnover or €20 Million (whichever is greater). The private right of legal action for GDPR breaches enables individuals or groups (e.g. consumer advocacy groups) to sue organizations for failure to meet the requirements set forth under GDPR.
While the regulations do contain different requirements, the approaches to GDPR and CCPA compliance are very similar.
Both require that personal information subject to the regulation be identified, mapped and managed. Both regulations also require a mechanism to receive, validate, track, respond to and act upon requests made by individuals who have privacy rights under the regulation. Future state or federal privacy regulations will almost certainly necessitate these same activities.
In order to comply with privacy regulations in a timely manner while continuing business operations and minimizing costs, many organizations will need to utilize automation, master data management, privacy tools, and enhancements of enterprise architecture.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) resulted in what are commonly known as the HIPAA Privacy Rule and the HIPAA Security Rule.
The Privacy Rule standards address the use and disclosure of individuals’ health information (called “protected health information”) by organizations subject to the Privacy Rule (called “covered entities”), as well as standards for individuals' privacy rights to understand and control how their health information is used. Within HHS, the Office for Civil Rights (“OCR”) has responsibility for implementing and enforcing the Privacy Rule with respect to voluntary compliance activities and civil money penalties.
A major goal of the Privacy Rule is to assure that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high-quality health care and to protect the public's health and well-being. The Rule strikes a balance that permits important uses of information while protecting the privacy of people who seek care and healing. Given that the health care marketplace is diverse, the Rule is designed to be flexible and comprehensive to cover the variety of uses and disclosures that need to be addressed.
The Security Standards for the Protection of Electronic Protected Health Information (the Security Rule) establish a national set of security standards for protecting certain health information that is held or transferred in electronic form. The Security Rule operationalizes the protections contained in the Privacy Rule by addressing the technical and non-technical safeguards that organizations called “covered entities” must put in place to secure individuals’ “electronic protected health information” (e-PHI). Within HHS, the Office for Civil Rights (OCR) has responsibility for enforcing the Privacy and Security Rules with voluntary compliance activities and civil money penalties.
The Gramm-Leach-Bliley Act (GLBA) is a US law intended to protect consumer financial privacy. Its provisions limit when a "financial institution" may disclose a consumer's "nonpublic personal information" to nonaffiliated third parties. The law covers a broad range of financial institutions, including many companies not traditionally considered to be financial institutions because they engage in certain "financial activities."
Financial institutions must notify their customers about their information-sharing practices and tell consumers of their right to "opt-out" if they don't want their information shared with certain nonaffiliated third parties. In addition, any entity that receives consumer financial information from a financial institution may be restricted in its reuse and redisclosure of that information.
The Personal Information Protection and Electronic Documents Act (PIPEDA) is a Canadian law intended to provide data privacy protections to individuals in Canada. It regulates how private sector organizations collect, use and disclose personal information in the course of commercial business.
Organizations covered by PIPEDA must generally obtain an individual's consent when they collect, use or disclose that individual's personal information. People have the right to access their personal information held by an organization. They also have the right to challenge its accuracy.
Personal information can only be used for the purposes for which it was collected. If an organization is going to use it for another purpose, they must obtain consent again. Personal information must be protected by appropriate safeguards.