A Guide to Data Compliance Regulations
As with data resources and platforms, data regulations must constantly evolve to suit the most current data use cases for today’s organizations. Following the wide-reaching application of laws like the General Data Protection Regulation (GDPR) in 2018, the number of data compliance regulations has snowballed.
In fact, 157 countries enacted some form of data privacy law through the first half of 2022, most inspired and/or influenced by the prevalence of GDPR. When an organization is trying to optimize its data use and make use of the power of the cloud, keeping up with these regulations can become difficult.
Many data compliance regulations are also being developed and employed at the state level. These laws will have implications for how organizations store and protect consumers’ data. What do these data compliance laws and regulations mean for data security and utility? Let’s take a closer look.
What Are Data Compliance Regulations and Why Are They Important?
Data use compliance refers to the standards that regulate how companies and government organizations keep data secure, private, and safe from breaches or damaging use. Taking the form of laws, international agreements, contractual measures, and internal standards, contemporary data security compliance laws and regulations effectively dictate how data must be handled in various circumstances. These regulations can apply to all types of data, whether sourced from consumers, employees, financial records, health information, or more. If sensitive data is involved, you can be certain that compliance regulations are applicable.
While they can often be viewed as additional hoops for data teams and users to jump through, these measures are created and enforced with benevolent intentions. For one, the standards they set are meant to help organizations keep their data protected from malicious actors. This not only strengthens data security at the organizational level, but it also makes the subjects of that data, whether consumers, employees, or others, even safer. In addition, they create a level of consistent accountability that spans organizations rather than applying piecemeal on a case-by-case basis.
When an organization ignores or defies compliance regulations, it risks penalties like monetary fines, legal consequences, and an overall breach of customer trust. Creating structures to maintain compliance with regulatory requirements provides businesses and agencies with an additional layer of confidence that their data practices are as safe as possible.
Noteworthy Data Compliance Regulations
As these laws continue to proliferate, there are a number of existing data compliance regulations that organizations should be aware of when securing and protecting their data. While not an exhaustive list of every data compliance regulation, the following laws are broadly applicable and worth paying close attention to:
General Data Protection Regulation (GDPR)
Enacted: April 14, 2016
Effective: May 25, 2018
The General Data Protection Regulation (GDPR) became directly applicable within the whole European Union in 2018, specifying a range of standards for any organization that processes data within the EU and/or targets individuals located in the EU. Due to this, the GDPR applies to not only European companies, but a broad swath of U.S. organizations as well. A landmark for major contemporary data protection laws, GDPR has provided both inspiration and a foundation for those that have followed.
The GDPR requires companies to process personal data in a way that guards against unauthorized data collection, processing, loss, damage, or destruction. The regulation provides individuals located in the EU with rights to be informed, to access, to rectify, to erase, to restrict processing, to data portability, to object, and not to be subject to automated decision making in certain circumstances. It also takes a minimization approach, requiring organizations to collect no more data than is required for defined purposes. Beyond this, consistent monitoring of data activity and use is required to maintain GDPR compliance.
The fines for failing to comply with GDPR are significant – some organizations can be fined as much as 4% of their annual revenue or €20 million, whichever is higher. In 2022, social media giant Meta was fined a whopping €405 million for breaching GDPR compliance. You can learn more about why GDPR compliance is important here.
Health Insurance Portability and Accountability Act (HIPAA)
Enacted: March 18, 1996
Effective: August 21, 1996
Developed for an industry that works almost entirely with sensitive data, the Health Insurance Portability and Accountability Act (HIPAA) was created and enacted in the late 1990s. This act applies to “all health plans, health care clearinghouses, and to any health care provider who transmits health information in electronic form.” HIPAA primarily covers protected health information (PHI), which includes sensitive data about patients and their medical statuses.
HIPAA calls for healthcare and life sciences (HLS) organizations to enforce healthcare data security by following its compliance standards. These include ensuring the confidentiality, integrity, and availability of PHI, as well as actively protecting against any reasonable threats to this data. It requires effective data access control implementation, auditing capabilities, and secure sharing in order to achieve these protective goals.
There are four tiers of penalty for those who violate HIPAA requirements, each tied to the severity and level of neglect associated with a given violation. These tiers include maximum annual fines ranging from roughly $30,000 for lower-tiered offenses to about $1.9 million for the most serious violations. Regardless of tier and amount, these fines can quickly add up for those who don’t focus on compliance.
California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA)
CCPA Enacted: January 3, 2018
CCPA Effective: June 28, 2018
CPRA Enacted: November 3, 2020
CPRA Effective: January 1, 2023
The original California Consumer Privacy Act (CCPA) was passed and signed into law by the California legislature on June 28, 2018. The purpose of this act was to provide Californian consumers with enhanced control over their personal data. It applies to organizations that have a revenue at or above $25 million, annually buy/sell/share the personal information of 100,000+ consumers or households, or derive 50% or more of their annual revenue from selling or sharing the personal information of consumers. The law gave consumers the rights to:
- Know what personal data an organization was collecting and how that data was used and shared.
- Request the deletion of their personal data from an organization’s data storage.
- Opt out of their personal data being sold by an organization.
- Not be discriminated against for exercising these rights.
Ultimately, CCPA required organizations to provide individuals with more autonomy in how their information was being used. Notably, this law applies to any entity doing business in the state of California, not just to organizations that are in the state. This means that a company based in Delaware would still need to comply with CCPA when it came to any Californian whose data they collected and stored.
In 2020, the CCPA was amended and updated by the passing of the California Privacy Rights Act (CPRA). The CPRA augmented the CCPA with a set of key principles (minimization, privacy by design) and gave residents additional rights regarding sharing personal data, correcting inaccurate personal data, and limiting businesses’ usage of their “sensitive personal information.”
Federal Information Security Management Act of 2002 (FISMA)
Effective: December 17, 2002
The Federal Information Security Management Act of 2002 (FISMA) affects all U.S. federal agencies, their subcontractors, and their service providers, as well as any organizations operating IT systems for a federal agency.
FISMA requires that these organizations categorize the data they collect and store by how negatively impactful it would be if hacked, breached, or compromised. In addition, these organizations must conduct regular risk assessments to reduce risk to an ‘acceptable level’ through proper data security controls. Organizations that fail to meet FISMA standards can be penalized with reduced budgets, enhanced bureaucratic oversight, and limited capabilities.
Sarbanes-Oxley Act of 2002 (SOX)
Effective: July 30, 2002
The Sarbanes-Oxley Act of 2002 (SOX) increased the number of requirements that public companies must meet to make accurate and reliable corporate disclosures. Designed to protect both investors and the general public, SOX was enacted by the SEC in direct response to the financial scandals of the early 2000s like Enron and WorldCom. The overall aim is to ensure that company management cannot interfere with independent financial auditing and reporting.
All publicly traded companies in the United States, as well as management and public accounting firms and subsidiaries/foreign companies that are publicly traded and do business in the United States, must follow the regulations outlined in SOX. These rules include requirements for how businesses must record and store information, and how long they must retain certain records. Any organization found to be in noncompliance with SOX can face penalties including monetary fines, removal from listings on public stock exchanges, and invalidation of directors’ and officers’ liability insurance policies.
Payment Card Industry Data Security Standard (PCI DSS)
Effective: December 15, 2004
The Payment Card Industry Data Security Standard (PCI DSS) was created in 2004. It applies to all entities that store, process, or transmit cardholder data (CHD), sensitive authentication data (SAD), or could impact the security of the cardholder data environment (CDE). This makes it applicable to any entity that is involved in payment card processing, including merchants themselves, processors, issuers, acquirers, and any other service providers.
Any of these groups could be subject to PCI DSS at the discretion of those who manage compliance programs, like payment brands and/or acquirers. Organizations subject to the PCI DSS must create a secure network, implement effective access controls for cardholder data, and keep up a regularly tested security system and vulnerability management program. Any organization that violates PCI DSS standards can be fined up to $100,000 for each month it is out of compliance, and it can even lose the right to accept cards.
Virginia Consumer Data Protection Act (VCDPA)
Enacted: March 2, 2021
Effective: January 1, 2023
The Virginia Consumer Data Protection Act takes a similar approach to consumer protection as the CCPA. The VCDPA provides Virginia residents with the rights to know and access their personal data held by an organization, request its deletion and/or correction, and opt out of the processing, selling, or profiling of it. The law also requires data portability, as well as retention limits that allow companies to hold consumer data only as long as is necessary to achieve a specific purpose.
This regulation applies to organizations that either a) control the personal data of at least 100,000 Virginia residents or b) control the data of at least 25,000 Virginia residents and derive more than 50% of their gross revenue from selling that data.
Colorado Senate Bill 21-190 for the Colorado Privacy Act (CPA)
Enacted: July 8, 2021
Effective: July 1, 2023
The Colorado Privacy Act was the third state data privacy law to be passed in the U.S., following California and Virginia. Like its predecessors, the CPA provides Colorado residents with the rights to access, correction, deletion, and portability of their personal information. It also provides the same rights to opt out of targeted advertising and the sale of personal data.
Interestingly, the CPA’s implementation has one significant difference from the VCDPA and CCPA. While it still applies to organizations that either control or process the data of 100,000 consumers in a calendar year, or derive revenue from the data of at least 25,000 consumers, there is no revenue threshold that must be met. This allows for a broader application of the law, since organizations are not required to meet a minimum revenue requirement.
Connecticut Act Concerning Personal Data Privacy and Online Monitoring
Enacted: May 10, 2022
Effective: July 1, 2023
This law, also known as the Connecticut Data Privacy Act (CTDPA), recognizes the same consumer privacy, access, portability, and deletion rights as the aforementioned regulations. It also sets a slightly different revenue threshold for businesses, applying to organizations that collect the personal data of 25,000 or more Connecticut residents and derive 25% of their gross revenue from selling this data.
Utah Consumer Privacy Act (UCPA)
Enacted: March 24, 2022
Effective: December 31, 2023
The Utah Consumer Privacy Act is the most recent of the state-specific privacy regulations to be passed in the United States. Therefore, it has also drawn most of its policy specifications from the regulations that have preceded it. However, there are a couple of notable differences that organizations should know.
For one, the right to correct or adjust consumer data for accuracy is not included in the UCPA. This means that organizations are not required to field data adjustment requests from consumers in Utah. It will also not require consumers to opt in to data collection, only providing them the rights to opt out if desired. While nuanced, this gives individuals a bit less direct control over how and when their data is being collected. Overall, the UCPA is more narrowly focused than the U.S. laws that have come before it.
Keeping Up with Data Compliance Regulations
So, how should contemporary businesses and agencies be expected to maintain the standards of a growing list of data compliance regulations? Here are three tips for any compliant organization:
1. Understand Your Organization’s Data
First, it’s important to know what type(s) of sensitive data you’re dealing with. Are you at a healthcare company working regularly with patient records, or a business operating with payment information? Ultimately, the type of data you collect and store determines which information security standards and data security laws you’re subject to. By being aware of your data, you can know which regulations must be addressed.
2. Create a Compliance Plan
Compliance doesn’t happen on its own. Every organization needs to have an explicit plan that outlines its compliance requirements and how to achieve them consistently. Increasingly, businesses are partnering with third-party data security platforms to help achieve and maintain data security compliance. Leveraging a platform that provides flexible attribute-based access control helps make stakeholder collaboration a much smoother process. When policies are written and understood plainly, non-technical and compliance-focused users gain more insight into their purpose and application.
3. Regularly Assess Your Data
Many organizations meet compliance standards once and assume they are finished. But the goalposts shift over time, new regulations emerge, and consumer data standards change. Meanwhile, any standards you’ve established within your company may become outdated, forgotten, or ineffective.
That’s why it’s important to perform regular data assessments that help determine where you stand, identify areas to improve compliance and security, and optimize your data security processes.
By following these best practices and keeping abreast of new and developing data compliance regulations, any modern organization can ensure that its data use can proceed in a secure and compliant manner.
For more on how data compliance regulations are likely to impact how organizations handle their data, check out Data Localization: A Complete Overview and The Complete Guide to Data Security Compliance Laws and Regulations.