Data compliance is the practice of ensuring that sensitive data is organized and managed in such a way as to enable organizations to meet enterprise business rules along with legal and governmental regulations.
Data compliance also pertains to the privacy of people’s personal information and how organizations store and secure that sensitive data. As such, companies that work with individuals’ personal information are responsible for protecting that personal data.
There are a number of governmental and industry data privacy rules and regulations organizations must comply with, including:
General Data Protection Regulation
The General Data Protection Regulation (GDPR) is a legal framework developed by the European Union (EU) that sets out how companies doing business with EU member states may collect and process the personal information of people living in the EU.
The GDPR, which went into effect on May 25, 2018, aims to regulate the processing of personal data of EU citizens. The GDPR includes a range of rules regarding people’s right to know what sensitive data businesses are collecting on them and how companies should store and process this sensitive data. The GDPR also offers more stringent rules on how organizations should report data breaches.
EU data protection authorities can fine organizations that don’t comply with the GDPR and don’t protect the personal information of EU citizens. Fines can reach up to 10 million euros ($11.4 million) or two percent of the organization’s annual revenue, whichever is greater.
Health Insurance Portability and Accountability Act of 1996 (HIPAA)
Under HIPAA regulations, health care organizations and their business associates must take measures to safeguard patients’ electronic health records from cybersecurity threats. Companies that handle individuals’ protected health information (PHI) must comply with HIPAA regulations covering the data security and data privacy of that sensitive data.
The HIPAA Privacy Rule established national standards to protect patients’ sensitive data or PHI. The HIPAA Security Rule established the national standards that organizations must follow to secure patients’ sensitive data that they store or transfer electronically. The penalties for failing to protect patients’ sensitive data range from $10,000 per violation to $50,000 per violation based on a tiered structure. The annual maximum penalty is $1.5 million.
Payment Card Industry Data Security Standard (PCI DSS)
Companies that deal with customers’ payment card information must comply with the PCI DSS. The PCI DSS defines the rules concerning how organizations handle, transmit, store, and secure customers’ credit, debit, and cash card sensitive data. Cardholder personal data includes the account holder’s name, address, account number, and the card’s expiration date. An organization that suffers a data breach and exposes customers’ personal information because of non-compliance could be fined between $5,000 and $100,000 a month until it meets the PCI compliance requirements.