Every year, new regulations and compliance orders come into play that impact businesses across the world. This year the major regulation that will be implemented is the European Union’s General Data Protection Regulation (GDPR), which takes effect on May 25, 2018. GDPR enables consumers to view, limit and control how companies collect and process their personal data.
GDPR is getting a lot of attention, but a number of other regulations have been newly implemented this year, and others have been in place for years. Some apply to specific countries while others focus on individual industries, but each regulation being enforced is an indication that companies must be more accountable for how they manage data privacy and people’s data, or they risk having to pay large fines.
In the United States alone, companies across different industries have been following regulations to comply with privacy laws. For years now, the Health Insurance Portability and Accountability Act (HIPAA) has required the healthcare industry to implement technical safeguards to protect all electronic protected healthcare information (ePHI), making specific reference to encryption, access controls, encryption key management, risk management, and auditing and monitoring of ePHI.
At the state level, New York's Cybersecurity Regulation came into effect on February 15. It requires financial institutions to report on their activity and to take specific steps to protect the privacy of their customer data, and is designed to promote the protection of customer information as well as the information technology systems of regulated entities.
And this isn’t just happening in New York. Business Insider recently reported that “…at least 42 states introduced more than 240 bills or resolutions related to various cybersecurity issues, according to the National Conference of State Legislatures.”
Over in the APAC region, South Korea has had a regulation in place since 2011. One of the world’s strictest privacy regimes, South Korea’s Personal Information Protection Act (PIPA) places many obligations on organizations in both the public and private sectors, including mandatory data breach notification to data subjects and other authorities including the Korean Communications Commission (KCC).
Australia has a privacy act from 1988 that was updated last year with an amendment stating that a company must disclose any breach of individual data or face fines of up to AU$1.8 million. As of last month, the act also states that if the company has technology in place that makes the leaked data meaningless to people not authorized to have it, then it is protected and breach notification is unnecessary. My colleague Vikram Ramesh blogs more about Australia’s privacy amendment act here.
Moving to Africa, South Africa’s Protection of Personal Information (POPI) Act will be enforced later this year, and aims to ensure that organizations operating in South Africa exercise proper care when collecting, storing or sharing personal data. While this regulation may only cover South Africa, it is worth noting that POPI applies to any company that holds information on any South African citizen in any of its databases. Thales’ Jim DeLorenzo explains more about POPI in this blog post.
In Europe, GDPR isn’t the only regulation impacting the region. Just last year, the UK Ministry of Defence’s (MOD) DEFCON 658 went into effect. It aims to protect the defense supply chain from cyber threats and applies to organizations that are, or wish to become, suppliers to the MOD on contracts that handle MOD Identifiable Information (MODII). Across the pond, the United States has had several supply chain mandates in place for quite some time. Jim DeLorenzo also blogs about DEFCON 658 here.
How can your company comply with these data privacy regulations? First and foremost, ensure that you know what data your company stores and identify where it is located. Whether the data sits in a server in Germany or lives in a multi-cloud environment, data needs to be protected. Thales’ Charles Goldberg’s blog about GDPR in the context of data in a multi-cloud environment provides further information.
The only true way to protect data is to encrypt it. Using encryption solutions such as those Thales provides, companies can encrypt their data, rendering it unintelligible to anyone who does not hold the keys in the event of a breach. Many of the data privacy mandates state that by encrypting the data you avoid the breach notification requirements; this is the case with GDPR Article 34.
In addition to avoiding a costly breach notification process, encryption also prevents the substantial reputational damage that results from a publicized breach and protects your customers, since the exposed data is useless to whoever obtains it.