9 Data Compliance Standards and How to Meet Them

Today's businesses hold more data than ever before, and with this comes a raft of responsibilities related to how this information is stored, shared, protected and used.

The recent scandals plaguing firms such as Facebook and Cambridge Analytica clearly illustrate what can happen if data is misused, so it's clear that any firm can suffer severe reputational damage if they fail to look after confidential information.

But there is also the prospect of financial penalties should companies be found to have acted carelessly or unethically. Indeed, in the last few years, the number and complexity of regulations that businesses are required to comply with has increased significantly as authorities seek to take back control of the huge amounts of data now stored on servers and in the cloud around the world. The value of fines that have been issued in light of breaches have also increased, making this more important than ever.

As well as key general data protection rules that every company must be aware of, there are also a range of industry-specific compliance issues that firms will have to take into account.

What is data compliance?

Data compliance refers to any regulations that a business must follow in order to ensure the sensitive digital assets it possesses - usually personally identifiable information and financial details - are guarded against loss, theft and misuse.

These rules come in a number of forms. They may be industry standards, state or federal-level laws or even supra-national regulations such as GDPR, but they will typically spell out what types of data need to be protected, what processes will be considered acceptable under the legislation, and what the penalties will be for firms that fail to follow the rules.

It's important not to confuse data compliance with data security. These two processes are often bundled together and referred to as though they are interchangeable, but this isn’t the case. While they have the same goals - to minimize and manage the risks businesses are exposed to - compliance only ensures you meet legally-mandated minimum standards. Data security, on the other hand, covers all the processes, procedures and technologies that define how you look after sensitive data and guard against breaches.

Just because you're compliant, doesn't mean you're secure, and while doing the bare minimum may give you some legal protection in the event of a data breach, it won't save you from the many other consequences of a security incident, such as financial losses and reputational damage.

1. General Data Protection Regulation (GDPR)

One of the newest and most-wide-ranging standards, it's been hard to ignore the European Union's General Data Protection Regulation (GDPR) over the last year. Coming into force on May 25th 2018, this lays out a range of rules regarding people's right to know what data businesses have on them, how companies should go about processing this data, and tighter rules on the reporting of breaches.

It doesn't just apply to firms based in Europe either. If you do business with any individual subject to the EU's jurisdiction, you're required to abide by GDPR's provisions. While there are many rules within the regulation, the majority can essentially be boiled down to three basic principles; obtaining consent, minimizing the amount of data you hold, and ensuring the rights of data subjects.

It can seem like a big task, but the first step any company needs to take to ensure it is following GDPR is to assign someone to oversee its activities. This individual, the data protection officer, is mandatory in certain organizations that use large amounts of data, and their job is to overseeing data protection strategy and implementation to ensure compliance with GDPR requirements.

Learn more: The Data Protection Implications of COVID-19

2. Health Insurance Portability and Accountability Act (HIPAA)

HIPAA, or more formally the Health Insurance Portability and Accountability Act of 1996, sets out how US organizations that deal with individuals' healthcare and medical data need to ensure the safety and confidentiality of these records.

As these details are some of the more sensitive records an organization will hold, the penalties for failing to protect this information can be severe. In 2018, for example, insurance provider Anthem agreed to pay a fine of $16 million after a hacking attack exposed the health information of almost 79 million people.

HIPAA requires that all electronic health records are restricted only to those with valid reasons for viewing them, so encryption and strong access controls are a must. The standards not only apply to records when they are within the database, but also when they are being shared, so steps must also be taken to ensure activities such as emails and file transfers are fully monitored, protected and controlled.

A key feature of HIPAA is its requirement for full audit trails that detail every interaction someone has with this data. This means that event log management software is an essential tool for IT staff looking to ensure compliance with these regulations. This ensures that full records are automatically kept every time a file is accessed or changed, and can also help alert organizations to any potential security breaches as soon as they occur.

3. Payment Card Industry Data Security Standard (PCI DSS)

For businesses dealing with customers' financial information, the Payment Card Industry Data Security Standard (PCI DSS) is a vital part of any compliance process, as it sets out rules regarding how companies handle and protect cardholder data such as credit card numbers.

Unlike the others on this list, PCI DSS isn't a government-mandated set of rules, but an industry one. However, this doesn’t make it less important, as any company found to be non-compliant with its rules may face heavy fines, or even have relationships with banks or payment processors terminated, making it very difficult for companies to accept card payments.

Even if firms use third-party services for handling card payments, which is the case for many businesses both large and small, it is still the merchant's responsibility to ensure the safety of any credit or debit card data it gathers, transmits or stores, is secure.

The exact steps firms will have to take vary depending on how many transactions they actually process - those with bigger customer bases will face much more stringent requirements - but ultimately, PCI DSS standards require businesses to ensure a certain level of security.

Fortunately, the Payment Card Industry Security Standards Council sets out a series of steps detailing what firms must do to meet these standards. The 12 essential requirements range from having an adequate firewall in place to protect cardholder data (requirement one) to regularly testing systems and processes (requirement 11), so there should be no excuse for not having a clear plan in place for meeting these standards.

4. Sarbanes-Oxley Act (SOX)

The Sarbanes-Oxley Act of 2002 (SOX) is intended to protect against any repeat of the corporate accounting scandals that engulfed the likes of Enron a few years ago. As such, it's more about financial reporting than data protection, so IT professionals may dismiss it as less important than some of the other regulations they have to deal with.

However, this is not the case, and IT departments do have clear roles to play in ensuring these requirements are met. For starters, they need to provide assistance to the CEO and CFO by ensuring they receive real-time reporting on the firm's financials. This means putting systems in place to automate reporting and setting up alerts that can be triggered when key events occur that will require closer attention.

IT teams also need to ensure all records are being properly retained. Therefore, effective timely backups of key information and document management systems is essential in remaining compliant with these regulations. However, they must also ensure they have full visibility into every part of their firm's digital estate in order for this to be effective.

Spreadsheets, emails, IMs, recorded phone calls and financial transactions will all need to be preserved for at least five years in case auditors require them, so it's essential the right management systems are in place.

Ultimately, the job of IT pros when complying with SOX is to ensure recordkeeping and auditing go as smoothly as possible. Tools to automate workflows, manage and monitor data flow and archive and retrieve information quickly will all have key roles to play in this.

5. California Consumer Privacy Act (CCPA)

The California Consumer Privacy Act, or CCPA, was passed into law in 2018 and comes into force from January 1st 2020. This is one of the toughest consumer protections many US-based businesses will face. It has been described as California's equivalent of GDPR and, while not as demanding as GDPR in areas such as reporting requirements, it is in some respects even tougher than its European counterpart.

For example, it takes a broader view of what is defined as private data, including any information from which inferences can be drawn to create a customer profile that reflects a person's "preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities and aptitudes".

CCPA compliance won't be necessary for every business. It only applies to companies that have gross annual revenues above $25 million; those that buy, receive, or sell the personal information of 50,000 or more consumers, households, or devices; or businesses that derive 50% or more of their annual revenue from selling consumers' personal information.

While that puts many smaller firms out of its scope, it means almost any medium or large organization interacting with customers based in California will be covered. This may make it more relevant to many US firms than GDPR, as while some organizations opted to stop doing business in Europe altogether to avoid this regulation, it may be much harder for them to bypass the CCPA, as they don’t have to be based in California, or even have a physical presence in the state, to fall under its provisions.

Potential fines for data breaches are as high as $7,500 per record - and considering many large data breaches in recent years have compromised of tens or even hundreds of millions of records, the cost of non-compliance could quickly add up.

6. ISO 27001

ISO 27001, also known as ISO/IEC 27001, is an international standard for information security management systems (ISMS). Issued by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), it provides a framework for organizations to manage and protect their information assets.

The purpose of ISO 27001 is to help organizations establish, implement, maintain, and continually improve an ISMS. This standard applies to any organization, regardless of its size or the nature of its business. It is especially relevant for organizations that manage high volumes of data, such as financial institutions, IT companies, and government entities.

A significant part of ISO 27001 is about identifying and assessing potential risks to information security. Organizations are expected to systematically examine their information security risks, taking into account the threats, vulnerabilities, and impacts. They also need to design and implement a coherent and comprehensive suite of information security controls to address those risks deemed unacceptable.

To become ISO 27001 certified, an organization must meet all requirements outlined in the standard and pass an audit by an accredited certification body. The certification process includes an initial review of the organization's ISMS, a formal compliance audit, and ongoing surveillance audits to ensure continued compliance.

7. Federal Information Security Management Act (FISMA)

FISMA is a United States federal law enacted in 2002 as part of the E-Government Act. Its main aim is to bolster computer and network security within the federal government and affiliated parties (such as government contractors) by establishing a comprehensive framework to protect government information, operations and assets against natural or man-made threats.

It requires federal agencies to develop, document, and implement an information security program to protect their information and information systems, including those provided or managed by another agency, contractor, or other sources. This program includes:

1. Risk Assessment: Identifying and assessing risks to agency operations, assets, or individuals.
2. System Security Plan: Implementing security controls and documenting the system's security settings and configurations.
3. Security Controls: Implementing suitable controls to reduce risk to an acceptable level.
4. Continuous Monitoring: Monitoring the security controls in organizational information systems on an ongoing basis.

The National Institute of Standards and Technology (NIST) plays a key role in FISMA compliance. NIST develops and promotes necessary standards, guidelines, tests, and validation programs. It also provides the guidelines for categorizing information and information systems, selecting and implementing suitable controls, and monitoring their effectiveness.

Compliance with FISMA is mandatory for federal agencies and the companies that do business with them. It requires an annual review of information security programs to determine their effectiveness. This includes testing the security controls in information systems and developing a risk-based, cost-effective security strategy.

FISMA compliance can be a complex process, but it significantly enhances the security of federal information systems. Non-compliance can result in budgeting sanctions, and reputational damage, which can have significant effects on an agency's ability to fulfill its mission.

8. The Privacy Act

The Privacy Act is a piece of legislation that aims to protect the privacy rights of individuals by regulating how personal information is handled. In the United States, the Privacy Act of 1974 is a federal law that governs the collection, maintenance, use, and dissemination of personally identifiable information about individuals that is maintained in systems of records by federal agencies.

In Australia, the Privacy Act 1988 and the Privacy Amendment (Enhancing Privacy Protection) Act 2012 are key laws that protect personal information. The Act stipulates that entities must collect, store, use, and disclose personal information in a manner that respects individual privacy. This includes collecting personal information directly from individuals, and in some cases, from third parties.

9. Personal Information Protection and Electronic Documents Act (PIPEDA)

The Personal Information Protection and Electronic Documents Act, also known as PIPEDA, is Canada's primary privacy law for the private sector. It regulates how businesses collect, use, and disclose personal information in the course of commercial business.

PIPEDA mandates organizations to inform individuals about their data collection and usage practices and to seek their consent. It also safeguards individuals' rights by enabling them to access and correct their personal information held by these organizations.

Compliance with PIPEDA is critical for all private sector organizations operating in Canada. Failure to comply can result in fines of up to $80,000 and legal actions.

To comply with PIPEDA, organizations must adhere to the 10 fair information principles, which include:

1. Accountability: An organization is responsible for personal information under its control and shall designate an individual who is accountable for the organization's compliance with the principles.

2. Identifying purposes: The purposes for which personal information is collected shall be identified by the organization at or before the time the information is collected.

3. Consent: The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.

4. Limiting collection: The collection of personal information shall be limited to that which is necessary for the purposes identified by the organization.

5. Limiting use, disclosure, and retention: Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information shall be retained only as long as necessary for the fulfillment of those purposes.

6. Accuracy: Personal information shall be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used.

7. Safeguards: Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.

8. Openness: An organization shall make readily available to individuals specific information about its policies and practices relating to the management of personal information.

9. Individual access: Upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.

10. Challenging compliance: An individual shall be able to challenge an organization's compliance with the above principles. An organization's response to such a challenge must be managed in accordance with the PIPEDA complaint handling procedures[1][2][3].

Why is data compliance important?

Data compliance is of paramount importance for several reasons. Not only does it enhance a company's image, as adhering to laws and regulations concerning data showcases a company's commitment to ethical business practices, but it also fosters customer loyalty, as consumers increasingly value companies that respect their privacy and protect their data.

Having a robust data compliance structure in place can attract high-caliber employees who value working in a responsible and ethical environment. Compliance also ensures businesses stay in line with evolving regulations, preventing legal implications and potential fines. This is especially important as data breaches can significantly damage a company's reputation and lead to costly lawsuits.