In the digital age, data privacy and protection are a major concern for companies of all sizes, in part because data breaches happen daily, exposing the personal data of millions of people.
The consequences of a breach are direct: individuals whose data is exposed can suffer identity theft and financial loss, while companies face financial costs, loss of credibility in the marketplace, and damage to the trust of the public, investors and customers. Regulatory authorities levy significant penalties, and companies incur significant cost to remedy the breached systems and processes.
Let's take a comprehensive look at the data privacy and protection landscape:
What is data privacy regulation? Rules on how companies may collect, store and use personal data.
What is data protection? Security controls that provide confidentiality, integrity and availability of data.
The objective of both is the same: safeguard sensitive information from data breaches, cyberattacks, and accidental or intentional data loss.
Types of data commonly considered sensitive, both by the general public and by legal mandates:
- Personally identifiable information (PII) – Data that can identify, contact or locate an individual or distinguish one person from another
- Personal health information (PHI) – An individual’s medical history, insurance information and other private data collected by healthcare providers
- Personally identifiable financial information (PIFI) – An individual's credit card numbers, bank account numbers, or other details of their personal finances
- Student records – An individual’s grades, transcripts, billing details, etc.
Personal data protection and privacy regulations: Governments across the world are framing and adopting data protection and privacy laws that regulate how personal data can be collected, used, stored and disclosed. Below are common privacy laws that restrict the amount of personal data companies may collect and use. Several US states have passed, or are in the process of framing, their own privacy laws:
- Health Insurance Portability and Accountability Act (HIPAA) / Health Information Technology for Economic and Clinical Health Act (HITECH) – Protects personal health information
- General Data Protection Regulation (GDPR) – The EU's data privacy regulation
- California Consumer Privacy Act (CCPA) – California data privacy regulation
- Gramm–Leach–Bliley Act (GLBA) – Protects consumers' nonpublic personal financial information held by financial institutions
- Family Educational Rights and Privacy Act (FERPA) – Protects students’ personal information
Most common pitfalls in achieving compliance with data privacy regulation:
- Assuming that current controls, policies and procedures are adequate
- Lack of clear understanding of the required industry guidelines
- Lack of proper policies and procedures for internal users and external vendors
- Neglecting physical security
How can your company safeguard consumer data from attackers?
While your business may require you to adopt industry-specific security and/or compliance frameworks, adopting a framework alone does not guarantee data protection. Accorian has successfully helped clients across several industries adopt best practices and achieve industry-specific regulatory compliance.
Best practices to consider:
- Security Risk Assessment (SRA) – Conduct a comprehensive SRA to identify gaps.
- Know your data – Understand data at rest and data in transit: where sensitive information is collected, how it is used, and whether it is shared with or sold to third parties.
- Understand how data is stored and backed up – Are your end-users storing customer information on their devices? Trace data storage and access mechanisms. Develop data use and retention policies, and minimize the personal data you hold according to its value and risk.
- Standard policies and procedures – Our industry- and regulation-specific policy and procedure templates give you a baseline to build on for your own needs.
- Protect against unauthorized access – Implement access logging and review the logs periodically; monitor systems for suspicious or unintended access attempts. Ensure adequate access controls, encryption, antivirus and endpoint protection are in place.
- Perform periodic risk assessments – Conduct assessments at regular intervals and ensure the compliance frameworks are adopted across people, process and technology.
- Security training – Provide security training to end-users as well as the technology team across the organization.
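The "know your data" and "understand how data is stored" steps above can be partly automated with a data discovery scan over files and exports. The Python script below is an added example, not code from the original post or from Accorian; it scans constructed sample file contents (the file names and values are made up and belong to no real person or account) for two of the sensitive data types listed earlier: payment card numbers (PIFI), validated with the Luhn checksum so that arbitrary runs of digits are not flagged, and US Social Security numbers (PII), checked against the structural rules under which area 000, 666 or 900-999, group 00 and serial 0000 are never issued. Findings are reported with all but the last four digits masked, so the scan report does not itself become another copy of the sensitive data.

```python
import re
from dataclasses import dataclass

# Constructed sample contents standing in for files found on end-user devices.
# None of these values belong to a real person or account.
SAMPLE_FILES = {
    "notes.txt": "Called customer, SSN 123-45-6789 confirmed. Card on file 4111 1111 1111 1111.",
    "export.csv": "id,amount\n1,100\n2,200\n",
    "tickets.txt": "Ref 4111-1111-1111-1112 is a ticket id; 987-65-4320 merely resembles an SSN.",
}

# 13 to 19 digits, optionally separated by single spaces or hyphens (card number layout).
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
# US SSN: area not 000/666/9xx, group not 00, serial not 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


@dataclass
class Finding:
    kind: str      # "PIFI:card" or "PII:ssn", matching the data categories in the text
    offset: int    # position of the match in the scanned text
    masked: str    # value with all but the last four digits masked


def luhn_valid(digits: str) -> bool:
    """Luhn checksum as used by payment card numbers: doubles every second
    digit from the right, folds two-digit results, and requires a sum % 10 == 0."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only the last four digits so a report never reproduces the full value."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_text(text: str) -> list[Finding]:
    """Return card and SSN findings in the order they appear in the text."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        # The regex only checks layout; the checksum rejects ticket ids and similar.
        if luhn_valid(digits):
            findings.append(Finding("PIFI:card", m.start(), mask(digits)))
    for m in SSN_RE.finditer(text):
        digits = m.group().replace("-", "")
        findings.append(Finding("PII:ssn", m.start(), mask(digits)))
    return sorted(findings, key=lambda f: f.offset)


def scan_files(files: dict[str, str]) -> dict[str, list[Finding]]:
    """Scan a mapping of file name to content; in practice this would walk a file share."""
    return {name: scan_text(content) for name, content in files.items()}


if __name__ == "__main__":
    for name, findings in scan_files(SAMPLE_FILES).items():
        print(f"{name}: {len(findings)} finding(s)")
        for f in findings:
            print(f"  {f.kind} at offset {f.offset}: {f.masked}")
```

Two design points carry over to any real discovery tooling: validate what the pattern matches (the Luhn check and the SSN structure rules are what keep the scan from drowning reviewers in false positives), and never let the scanner's own output become an unprotected copy of the data it was meant to locate. The same structure extends to the other categories on the page, for example PHI identifiers such as insurance member numbers, by adding a pattern and a validation rule per data type.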
The days of uncontrolled collection and sharing of personal data are gone. Organizations must store and use financial, health and other personal information with proper customer consent and controls. Our experienced SMEs can guide you every step of the way to protect consumer information adequately and adhere to compliance frameworks; using our best practices and approach, you can implement the needed privacy policies and procedures across your organization.
Our industry experts will provide the most apt strategy for business, systems and data security for your needs.