Many companies are under the misconception that keeping sensitive data secure from cyber criminals will protect end users and make them compliant with the rules of the governing body. In reality that is incorrect: data security and data privacy are two different concepts.
What is compliance and why is it important?
Data is transmitted in encrypted form to prevent eavesdropping, but that alone doesn't make an organization compliant. Any software that handles an individual's PII must follow the applicable law. There are regulations at an industry level that define what you have to comply with according to the nature of your business and its geography, for example HIPAA, GDPR, and PIPEDA. Regulations define how to handle sensitive personal data and how to make it more secure. Being compliant helps an organization pass audits of its IT processes, workflows, and software. Also, many organizations require that their vendors follow similar security and compliance mechanisms. Heavy fines are levied in case of non-compliance.
What is personal data?
PII (Personally Identifiable Information) is any data that relates to identifying factors such as name, surname, school or work information, address, phone number, government ID numbers, customer code (created by the company processing the data), browser cookies, IP address, race, sexuality, religion, financial background information, or physical identifiers. PHI (Protected Health Information) is any personal health information that can potentially identify an individual and that might be created, used, or collected in the course of providing healthcare services during diagnosis or treatment.
What is data processing?
Processing is the approach by which organizations collect personal information. When we talk about PII-specific data, we need to ensure that the approved mandate is followed from data collection through processing, storage, and deletion. It is mandatory to get consent from the individual before we collect their data. The level of consent depends on how an organization is collecting the data. For example, if you just visit a website, you are presented with a disclaimer that pops up with an accept or deny button; in the case of customer loyalty programs or employment, however, organizations collect a lot more data.
If you are transferring data from one country to another, you also need to make sure that the transfer is allowed in the first place. The bottom line is to make sure that the local governments have approved the transfer of data.
GDPR: A breakthrough in the world of privacy law
GDPR applies to all EU residents, and any organization that handles data of EU residents has to comply with it. The scope of GDPR is not limited to the EU; it extends to organizations anywhere in the world that deal with EU residents. The law stipulates that organizations may only collect personal data that is required for business purposes with a well-defined objective; collecting data for any other commercial purpose, such as customer profiling, leads to non-compliance.
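The consent and purpose-limitation requirements described above can be enforced in code rather than left to policy documents. The following is an added example, not code from the original article or from any product it mentions: a small consent-gated store in which every collection or read of personal data must name a purpose that is both part of the organization's documented mandate and covered by the data subject's recorded consent, and deletion removes both the data and the consent record. The class and function names (PiiStore, ConsentRegistry-style records, demo) and the sample customer data are constructed for illustration.

```python
"""Consent-gated, purpose-limited handling of personal data (added illustration).

Models the lifecycle the article describes: consent is recorded before
collection, each access must name an approved purpose, and deletion removes
the record. All names and sample values here are hypothetical.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone


class ConsentError(PermissionError):
    """Raised when an operation lacks the consent or mandate it requires."""


@dataclass
class ConsentRecord:
    subject_id: str
    purposes: set          # purposes the data subject agreed to
    granted_at: datetime


@dataclass
class PiiStore:
    # Purposes the organisation has documented as required for its business.
    approved_purposes: frozenset
    consents: dict = field(default_factory=dict)
    records: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def record_consent(self, subject_id, purposes):
        # Consent can only be recorded for purposes inside the approved mandate.
        unknown = set(purposes) - self.approved_purposes
        if unknown:
            raise ValueError(f"purpose not in approved mandate: {sorted(unknown)}")
        self.consents[subject_id] = ConsentRecord(
            subject_id, set(purposes), datetime.now(timezone.utc))
        self._log("consent", subject_id, sorted(purposes))

    def collect(self, subject_id, data, purpose):
        self._require(subject_id, purpose)
        self.records[subject_id] = dict(data)
        self._log("collect", subject_id, purpose)

    def read(self, subject_id, purpose):
        self._require(subject_id, purpose)
        self._log("read", subject_id, purpose)
        return dict(self.records[subject_id])

    def delete(self, subject_id):
        # Deletion needs no purpose: it honours the subject's request outright.
        self.records.pop(subject_id, None)
        self.consents.pop(subject_id, None)
        self._log("delete", subject_id, None)

    def _require(self, subject_id, purpose):
        # Both checks must pass: purpose in the mandate, and consent for it on file.
        if purpose not in self.approved_purposes:
            raise ConsentError(f"{purpose!r} is outside the approved mandate")
        consent = self.consents.get(subject_id)
        if consent is None or purpose not in consent.purposes:
            raise ConsentError(f"no consent from {subject_id} for {purpose!r}")

    def _log(self, action, subject_id, detail):
        # Audit trail of every lifecycle event, useful evidence during a compliance audit.
        self.audit_log.append(
            (datetime.now(timezone.utc).isoformat(), action, subject_id, detail))


def demo():
    """Walk the lifecycle with constructed sample data; returns outcomes for checking."""
    store = PiiStore(approved_purposes=frozenset({"order_fulfilment", "support"}))
    store.record_consent("cust-0001", {"order_fulfilment"})
    store.collect("cust-0001",
                  {"name": "A. Example", "email": "a@example.invalid"},  # constructed
                  "order_fulfilment")
    outcomes = {"read_ok": store.read("cust-0001", "order_fulfilment")["email"]}
    # Profiling was never part of the mandate, so it is refused regardless of consent.
    try:
        store.read("cust-0001", "customer_profiling")
        outcomes["profiling_blocked"] = False
    except ConsentError:
        outcomes["profiling_blocked"] = True
    # An approved purpose the subject did not agree to is refused as well.
    try:
        store.read("cust-0001", "support")
        outcomes["unconsented_blocked"] = False
    except ConsentError:
        outcomes["unconsented_blocked"] = True
    store.delete("cust-0001")
    outcomes["deleted"] = ("cust-0001" not in store.records
                           and "cust-0001" not in store.consents)
    outcomes["audit_actions"] = [entry[1] for entry in store.audit_log]
    return outcomes


if __name__ == "__main__":
    print(demo())
```

The two separate checks in `_require` matter: an organization-wide list of approved purposes implements the "well-defined objective" rule, while the per-subject consent record implements the consent rule, and a read is refused if either is missing.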
Privacy laws around the world
• The California Consumer Privacy Act (CCPA) in California (US)
• The Protection of Personal Information Act (POPI) in South Africa
• The Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada
• LGPD, the General Data Protection Act in Brazil
• The Data Protection Act of 2018 in the United Kingdom (GDPR)
• Caribbean Data Protection Regulations (CDPR)
• Various privacy laws in effect in Australia
Fig: Privacy law comparison
While dealing with any sort of software application that collects user data, it is mandatory to have security precautions in place. Organizations can choose the kind of security mechanism they need, which can range from a zero trust security model to securing the data through multi-factor authentication, firewalls, routers, etc.
Best practices for data security:
1. Make sure that you have an incident response plan ready
2. Patch and update software and applications regularly
3. Use multifactor authentication
4. Keep backup of your data
5. Secure your cloud services
6. Outsource IT services if you do not have the capability
7. Implement access control and authorization
8. Use secure websites (HTTPS)
9. Configure device security
10. Educate your employees on security and provide them with awareness training
The Bottom Line
Whenever we deploy our applications to the cloud, we need to think of data privacy and security. A strong cloud management system is one that not only gives strong security to the organization but also fulfills its privacy needs. Ultimately a compliant organization will get more customers and will have a better market reputation. A robust IT policy not only fulfills customers' demands but also protects and safeguards the details of their employees.
How to get more free content
If you like this article and would like to read more of our content for cybersecurity insights, tips and tricks, feel free to follow us on Oppos social media. If you're a struggling business owner who needs help assessing your business's cybersecurity posture, feel free to take advantage of our free introductory assessment and we'll help you figure out a game plan for keeping your company safe.