3 Key Data Privacy Regulations to Master Beyond PCI and HIPAA


Written by Michael Higashi

If you’ve been following our blog, then no doubt you’re aware of the importance of privacy regulations like HIPAA for the healthcare industry, GLBA and SOX for financial services, and PCI DSS for retail and any other industry that handles consumer payment card data. The cloud data privacy implications of these U.S. regulations are critical for most enterprises, and we’ve dedicated several blog posts and webinars to the associated risks and obligations.

These are not the only privacy regulations that matter to businesses, however. The increasing globalization of both business and cloud service provider (CSP) operations means that organizations must pay attention to data privacy laws around the world if they hope to avoid the consequences of noncompliance, including financial penalties and mandatory public breach notifications. Here are three to study up on.

1. Australia: The Privacy Amendment Act

Made effective earlier this year, the Australian Privacy Amendment (Enhancing Privacy Protection) Act tightens government controls on private consumer data and expands the authority of the Privacy Commissioner so that “firms can now be investigated as the Commissioner sees fit, where previously a complaint must have been made first,” according to the Business Spectator. Among the changes the Act makes to earlier data privacy law is a broadening of the definition of “personal information” subject to protection. The new legislation also requires organizations to maintain a formal, regularly updated privacy policy that is made available to the public.

2. EU: The General Data Protection Regulation

Data privacy law changes are also afoot in the European Union, which plans to adopt the new General Data Protection Regulation (GDPR) this year. The GDPR will replace the patchwork of national implementations of the 1995 Data Protection Directive with a single regulation that applies directly across EU member states, simplifying compliance for businesses with European data residency concerns. Among the changes proposed in the draft are a requirement for companies with more than 250 employees to “appoint data protection officers,” according to Computer Weekly, and a requirement for organizations “to notify the national data protection authority and all individuals affected by a data breach within 24 hours.” Both figures are draft provisions and may change before the final text is adopted, so treat them as the direction of travel rather than settled thresholds.

3. Hong Kong: The DPP of the PCPD

In Hong Kong, meanwhile, data privacy is regulated by the Office of the Privacy Commissioner for Personal Data (PCPD), whose Personal Data (Privacy) Ordinance lists six Data Protection Principles (DPP) that apply to the collection, storage, use, and erasure of protected personal data. For our customers, the most relevant of the six DPPs is DPP4, which mandates that “all practicable steps shall be taken to ensure that personal data are protected against unauthorized or accidental access, processing or erasure,” according to the PCPD website.

The need to comply with privacy laws that vary by country and region can cause headaches for your legal, compliance, and security teams, but protecting data privacy in the cloud is a necessity. Luckily, the privacy laws of every region share some basics that simplify the task. The most important thing to remember is that these laws exist to protect consumers from the consequences of both accidental and intentional disclosure of their private data. No matter where you are, the strategy is the same. First, know what data you’re holding, where it resides, and where it goes; you cannot protect, or prove you protected, data you have not inventoried. Second, implement strict access controls so that only authorized personnel can view the data, and log who accesses it. Third, apply encryption and tokenization as appropriate, based on your policies, so that what the cloud provider stores is not the personal data itself, while keeping the encryption keys and the token vault maintained and controlled by your own organization rather than by the provider.
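The following is an added example, not code from the original post or from the author’s product, of what the third step looks like in practice: a record classified by the data inventory is tokenized on infrastructure the organization controls before the copy is sent to a cloud provider, and only permitted roles can reverse the tokens. The field classification, the role list, the key handling and the sample customer record are all assumptions constructed for illustration; in production the HMAC key would come from an organization-controlled KMS or HSM.

```python
"""Field-level tokenization of personal data before it leaves for the cloud.

Added example (not from the original post). The token vault and its key stay
on infrastructure the organization controls; the cloud provider only ever
receives the tokenized copy. Field classification, roles and the sample
record are constructed assumptions for this illustration.
"""
import hashlib
import hmac
import json
import secrets

# Fields the data inventory classifies as personal data (assumed classification;
# a real list comes from your data map).
PII_FIELDS = ("name", "email", "phone")

# Roles permitted to turn tokens back into personal data (assumed policy).
DETOKENIZE_ROLES = frozenset({"support-agent", "privacy-officer"})


class TokenVault:
    """Token vault that remains under the organization's control.

    A token is HMAC-SHA256(key, field || value) under an org-held key, so the
    same value always maps to the same token (equality joins and deduplication
    still work on the cloud copy), while the cloud copy cannot be reversed
    without this vault. Neither the key nor the mapping leaves the organization.
    """

    def __init__(self, key: bytes):
        if len(key) < 32:
            raise ValueError("HMAC key must be at least 256 bits")
        self._key = key
        self._store = {}  # token -> original value, kept on-premises only

    def tokenize(self, field: str, value: str) -> str:
        # The field name is mixed into the MAC so identical strings in different
        # fields do not share a token (domain separation).
        msg = field.encode() + b"\x00" + value.encode()
        digest = hmac.new(self._key, msg, hashlib.sha256).hexdigest()
        token = f"tok_{field}_{digest[:32]}"
        self._store[token] = value
        return token

    def detokenize(self, token: str, role: str) -> str:
        # Access control sits in front of the vault: the cloud copy is useless
        # to anyone who cannot get past this check.
        if role not in DETOKENIZE_ROLES:
            raise PermissionError(f"role {role!r} may not detokenize")
        try:
            return self._store[token]
        except KeyError:
            raise KeyError("token not issued by this vault") from None


def prepare_for_cloud(record: dict, vault: TokenVault) -> dict:
    """Return a copy of `record` with every PII field replaced by a token."""
    out = dict(record)
    for field in PII_FIELDS:
        if out.get(field) is not None:
            out[field] = vault.tokenize(field, str(out[field]))
    return out


def restore_from_cloud(record: dict, vault: TokenVault, role: str) -> dict:
    """Reverse prepare_for_cloud; only permitted roles may do this."""
    out = dict(record)
    for field in PII_FIELDS:
        if out.get(field) is not None:
            out[field] = vault.detokenize(out[field], role)
    return out


def leaks_pii(cloud_record: dict) -> bool:
    """Pre-upload check: True if any classified field still holds a raw value."""
    return any(
        cloud_record.get(f) is not None
        and not str(cloud_record[f]).startswith(f"tok_{f}_")
        for f in PII_FIELDS
    )


if __name__ == "__main__":
    # Constructed sample data; the key would normally come from an org-held KMS/HSM.
    vault = TokenVault(secrets.token_bytes(32))
    customer = {"id": 42, "name": "Ada Lovelace", "email": "ada@example.com",
                "phone": "+61 2 5550 1234", "plan": "premium"}
    cloud_copy = prepare_for_cloud(customer, vault)
    assert not leaks_pii(cloud_copy)
    print(json.dumps(cloud_copy, indent=2))          # safe to hand to the CSP
    print(restore_from_cloud(cloud_copy, vault, role="support-agent"))
```

Because the tokens are deterministic per vault key, the cloud side can still count, join and deduplicate customers, which is usually why teams resist encrypting these fields in the first place; the trade-off is that a low-entropy field such as a phone number could be guessed offline by anyone who obtains the key, so the key must be protected like any other encryption key. A breach of the cloud copy alone then exposes tokens, not personal data, which changes what the breach-notification clauses above require you to disclose.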

What other privacy regulations do companies need to master? Tell us your thoughts in the comments.
