4 Data Compliance Standards and How to Meet Them

Tech Insights for Professionals


Tuesday, May 28, 2019

There are a lot of initialisms to learn when ensuring your company meets all its data compliance requirements, but what are the key standards and how should you go about meeting them?


Today's businesses hold more data than ever before, and with this comes a raft of responsibilities related to how this information is stored, shared, protected and used.

The recent scandals involving Facebook and Cambridge Analytica clearly illustrate what can happen when data is misused: any firm that fails to look after confidential information can suffer severe reputational damage.

But there is also the prospect of financial penalties should companies be found to have acted carelessly or unethically. Indeed, in the last few years, the number and complexity of regulations that businesses are required to comply with has increased significantly as authorities seek to take back control of the huge amounts of data now stored on servers and in the cloud around the world. The value of fines issued following breaches has also increased, making compliance more important than ever.

As well as key general data protection rules that every company must be aware of, there are also a range of industry-specific compliance issues that firms will have to take into account.

GDPR

One of the newest and most wide-ranging standards, the European Union's General Data Protection Regulation (GDPR) has been hard to ignore over the last year. Applying since May 25th 2018, it lays out rules on people's right to know what data businesses hold about them, how companies should go about processing that data, and tighter requirements for reporting breaches (notification to the supervisory authority within 72 hours of becoming aware of a breach, where there is a risk to individuals).

It doesn't just apply to firms based in Europe either. If you offer goods or services to, or monitor the behaviour of, individuals in the EU, you're required to abide by GDPR's provisions regardless of where your company is established. While there are many rules within the regulation, most of them can be boiled down to three basic ideas: having a lawful basis for processing (consent is the best-known one, but not the only one), minimizing the amount of data you hold, and honouring the rights of data subjects, such as access, correction and erasure.

It can seem like a big task, but the first step any company needs to take to ensure it is following GDPR is to assign someone to oversee its activities. This individual, the data protection officer, is mandatory for public authorities and for organizations whose core activities involve large-scale monitoring of individuals or large-scale processing of special categories of data, and their job is to oversee data protection strategy and implementation to ensure compliance with GDPR requirements.

HIPAA

HIPAA, or more formally the Health Insurance Portability and Accountability Act of 1996, sets out how US organizations that deal with individuals' healthcare and medical data need to ensure the safety and confidentiality of these records.

As these details are some of the more sensitive records an organization will hold, the penalties for failing to protect this information can be severe. In 2018, for example, insurance provider Anthem agreed to pay a fine of $16 million after a hacking attack exposed the health information of almost 79 million people.

HIPAA requires that access to electronic protected health information is restricted to those with a valid reason for viewing it and limited to the minimum necessary for their role, so strong access controls are a must. Encryption is an "addressable" specification under the Security Rule rather than an absolute mandate, but an organization that chooses not to encrypt must document why and implement an equivalent safeguard, so in practice encryption at rest and in transit is the expected baseline. The standards not only apply to records when they are within the database, but also when they are being shared, so steps must also be taken to ensure activities such as emails and file transfers are monitored, protected and controlled.

A key feature of HIPAA is its requirement for audit controls: mechanisms that record and allow examination of activity in systems that hold this data. This means that event log management software is an essential tool for IT staff looking to ensure compliance with these regulations. It ensures that records are automatically kept every time a file is accessed or changed, and, if the logs are protected against tampering and actually reviewed, can also help alert organizations to potential breaches as soon as they occur.
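The two properties just described, a record of every access that cannot be quietly edited, and alerting on suspicious access patterns, are easy to state and easy to get wrong. The following is an added example, not code from the article or from any HIPAA tooling: a hash-chained audit log in which each entry commits to the previous one, plus a small detection rule run over constructed sample events. The event fields, role allow list, and thresholds (`ALLOWED_ROLES`, `MAX_DISTINCT_PATIENTS`, `WINDOW_SECONDS`) are assumptions chosen for illustration.

```python
"""Added example (not from the article): a tamper-evident PHI access audit log
plus a simple detection rule run over constructed sample events.

Assumptions (hypothetical, not from the page): events are dicts with user, role,
patient_id, action and a Unix timestamp. The rule flags any user who reads more
than MAX_DISTINCT_PATIENTS distinct patient records inside WINDOW_SECONDS, and
any access by a role that is not on the allow list.
"""
import hashlib
import json
from collections import defaultdict, deque

ALLOWED_ROLES = {"physician", "nurse", "billing"}   # assumed role allow list
MAX_DISTINCT_PATIENTS = 5                           # assumed threshold
WINDOW_SECONDS = 600                                # assumed sliding window


class AuditLog:
    """Append-only log where each entry carries the SHA-256 of the previous
    entry, so deleting or editing any record breaks the chain from that point."""

    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(prev_hash, event):
        # Canonical JSON so the same event always hashes the same way.
        payload = json.dumps(event, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256((prev_hash + payload).encode()).hexdigest()

    def append(self, event):
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        entry = {"event": dict(event), "prev": prev}
        entry["hash"] = self._digest(prev, entry["event"])
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """Return the index of the first broken link, or None if intact."""
        prev = self.GENESIS
        for i, entry in enumerate(self.entries):
            if entry["prev"] != prev or entry["hash"] != self._digest(prev, entry["event"]):
                return i
            prev = entry["hash"]
        return None


def detect_anomalies(events):
    """Return (event_index, reason) pairs for events that look like misuse."""
    findings = []
    recent = defaultdict(deque)   # user -> (ts, patient_id) pairs inside the window
    for i, ev in enumerate(events):
        if ev["role"] not in ALLOWED_ROLES:
            findings.append((i, f"role {ev['role']!r} is not permitted to access PHI"))
        q = recent[ev["user"]]
        q.append((ev["ts"], ev["patient_id"]))
        while q and ev["ts"] - q[0][0] > WINDOW_SECONDS:
            q.popleft()                      # drop accesses older than the window
        distinct = {pid for _, pid in q}
        if len(distinct) > MAX_DISTINCT_PATIENTS:
            findings.append((i, f"{ev['user']} read {len(distinct)} distinct patient "
                                f"records within {WINDOW_SECONDS}s"))
    return findings


# Constructed sample events (not real data): nurse_b pages through seven charts in
# three minutes, and intern_c holds a role that is not on the allow list.
SAMPLE_EVENTS = [
    {"ts": 1000 + 30 * i, "user": "nurse_b", "role": "nurse",
     "patient_id": f"P{i:03d}", "action": "read"}
    for i in range(7)
] + [
    {"ts": 1300, "user": "dr_a", "role": "physician", "patient_id": "P001", "action": "read"},
    {"ts": 1320, "user": "intern_c", "role": "intern", "patient_id": "P002", "action": "read"},
]


def run_demo():
    """Write the sample events, run detection, then simulate an after-the-fact edit."""
    log = AuditLog()
    for ev in SAMPLE_EVENTS:
        log.append(ev)
    intact_before = log.verify()
    findings = detect_anomalies([e["event"] for e in log.entries])
    # An insider rewrites one stored record; every later hash no longer matches.
    log.entries[3]["event"]["patient_id"] = "P999"
    return {"findings": findings, "intact_before": intact_before, "broken_at": log.verify()}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

The hash chain is the cheap part; what matters operationally is that the chain head is periodically copied somewhere the people being audited cannot write to (a separate log server or a write-once store), otherwise an attacker with write access can simply recompute the chain. The detection rule is deliberately simple and would need tuning per role; the point is that the audit trail is only useful if something consumes it.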

PCI DSS

For businesses dealing with customers' financial information, the Payment Card Industry Data Security Standard (PCI DSS) is a vital part of any compliance process, as it sets out rules regarding how companies handle and protect cardholder data such as credit card numbers.

Unlike the others on this list, PCI DSS isn't a government-mandated set of rules, but an industry one. However, this doesn’t make it less important, as any company found to be non-compliant with its rules may face heavy fines, or even have relationships with banks or payment processors terminated, making it very difficult for companies to accept card payments.

Even if firms use third-party services for handling card payments, which is the case for many businesses both large and small, it is still the merchant's responsibility to ensure that any credit or debit card data it gathers, transmits or stores is secure. Outsourcing can shrink the scope of an assessment considerably, but it does not remove the merchant from it.

The exact steps firms will have to take vary depending on how many transactions they actually process - those with bigger customer bases will face much more stringent requirements - but ultimately, PCI DSS standards require businesses to ensure a certain level of security.

Fortunately, the Payment Card Industry Security Standards Council sets out a series of steps detailing what firms must do to meet these standards. The 12 requirements run from installing and maintaining a firewall configuration to protect cardholder data (requirement 1), through regularly testing security systems and processes (requirement 11), to maintaining an information security policy for all personnel (requirement 12), so there should be no excuse for not having a clear plan in place for meeting them.

SOX

The Sarbanes-Oxley Act of 2002 (SOX) is intended to prevent any repeat of the corporate accounting scandals, such as Enron, that engulfed US markets in the early 2000s. As such, it's more about financial reporting than data protection, so IT professionals may dismiss it as less important than some of the other regulations they have to deal with.

However, this is not the case, and IT departments do have clear roles to play in ensuring these requirements are met. For starters, they need to provide assistance to the CEO and CFO by ensuring they receive real-time reporting on the firm's financials. This means putting systems in place to automate reporting and setting up alerts that can be triggered when key events occur that will require closer attention.

IT teams also need to ensure all records are being properly retained. Effective, timely backups of key information and a document management system are therefore essential to remaining compliant with these regulations. They must also have full visibility into every part of the firm's digital estate, since records that nobody knows exist cannot be retained or produced.

Spreadsheets, emails, IMs, recorded phone calls and financial transactions will all need to be preserved for at least five years in case auditors require them, so it's essential the right management systems are in place.

Ultimately, the job of IT pros when complying with SOX is to ensure recordkeeping and auditing go as smoothly as possible. Tools to automate workflows, manage and monitor data flow and archive and retrieve information quickly will all have key roles to play in this.
