Data privacy and compliance is a crucial subject for every company working with user data. Depending on your company, how you work with data, and who you collect data on, you will need to be compliant with a range of different data privacy frameworks. These range from local laws (such as California’s CCPA), to country-wide laws (e.g. Canada’s PIPEDA), to those that cover entire continents (GDPR).
There is also a close relationship, as we will see below, between data privacy and data security. Most data privacy legislation will require that you have a data security platform in place, and that you follow the best practice guidelines for ensuring cybersecurity.
Here at Varonis, we’ve been helping firms hit their compliance goals for more than a decade. Over that time, we’ve produced many resources on how to make sure you are compliant with all of the relevant data privacy and protection regulations. In this guide, we’ll bring all of these resources together, so you can quickly find all the information you need to ensure data privacy.
Additional Chapters on Data Privacy
For quick reference, here are the data privacy and compliance guides we’ve published before, arranged by topic:
Multiple Legislations and Comparisons
- CCPA Guide
- CMMC Compliance
- GDPR Requirements in Plain English
- GDPR Takeaways
- HIPAA Compliance
- ISO 27001 Compliance
- PCI Compliance
- SOX Compliance
What Does Being Compliant Mean?
Data compliance is a catch-all term for the managerial and technical tools, processes, and strategies that companies use to ensure they are following legislation that covers the way they collect, store, and use consumer data.
The different data compliance standards and legislation frameworks define “personal data” slightly differently, and they all pertain to different users. Some of this legislation – and notably the GDPR – is extremely broad in scope, and covers everything from user consent to secure file sharing practices to protecting your data from hackers.
Data Privacy Considerations
The first step in ensuring data privacy is to assess which regulations apply to the data you hold and process. Some of the most widely applicable regulations include:
- HIPAA applies to any organization that holds Protected Health Information (PHI) on any citizen in the USA. The Safe Harbor Rule identifies what kind of data is covered under the act, and the identifiers you must remove to de-identify PHI.
- PCI-DSS applies to any organization that works with credit card information, and is an international standard established back in 2006.
- The GDPR covers the data of all citizens of the European Union (EU), even for companies based outside of the region. If there is even a small chance that you will collect data on EU citizens, you need to make sure you are compliant.
- The CCPA applies to every citizen of California, even where the company collecting data is not based in the state.
Each of these sets of regulations defines “personal data” separately, and contains different requirements on how you are able to store, process, and share this information. Below are some high-level principles involved in ensuring data privacy with each set of regulations:
- Recognize that the majority of these regulations define your cloud services provider as a “business partner” (or similar terminology). This means that you need to ensure that your vendors are compliant as well as your own organization.
- Be aware that achieving data privacy also requires that managerial processes, access policies, and responses to customer requests also follow strict guidelines (in addition to technical tools and systems). It’s therefore imperative that IT teams work closely with management in working toward compliance.
In reality, the only way to achieve compliance is to have a detailed understanding of all of the data systems you are using, and then make sure that each is using data in a legal way.
Why is Compliance Important?
The most immediate reason why compliance is important is that you risk huge fines and a damaged reputation if you are found to be non-compliant. HIPAA fines alone cost ten companies $28.7 million in 2018, which broke the previous 2016 record for HIPAA fines by 22%. That’s only 10 HIPAA cases resolved out of 25,912 complaints and 431 data breach investigations.
Statistics on cybersecurity and data breaches also indicate that where firms have taken the time and invested the resources to ensure compliance, they are also less vulnerable to attack. Even if data privacy legislation did not exist, the types of audits and enhanced control that the compliance process requires can significantly improve your level of cybersecurity.
Which Data is Used?
Each of the data privacy and compliance frameworks defines “personal data” differently, so it is difficult to give a general picture of the data covered by data compliance. However, a good rule of thumb is that if you are collecting ANY information on users, even if this is just the IP addresses that visit your website, you will need to check that you are compliant with legislation.
What Are Data Privacy Standards and How Do You Meet Them?
Each law imposes different standards on companies working with user data. There are, however, some high-level similarities between these laws:
- Most contain some standard for consent, in which you must declare which data you are collecting, and seek consent to do so.
- Most data privacy frameworks also mandate that the information you collect is stored securely, and that you take reasonable measures to prevent it from being stolen or leaked.
- Finally, most legislative frameworks also contain standards on what you can do with the data you collect, and in particular limit the ability of companies to sell this data on to third parties.
Data Privacy Laws and Regulations
In this section, we’ll quickly run through a few of the major pieces of privacy legislation. We’ll also tell you how to find further resources on each piece of legislation. Many of the foundational principles in these laws will apply to the long tail of privacy laws you’ll encounter.
The European Union’s General Data Protection Regulation (GDPR) took effect back in May 2018, and to date is the most complex and rigorous piece of privacy legislation in force anywhere in the world.
The GDPR imposed new rules on companies, government agencies, non-profits, and other organizations that serve people in the European Union (EU), or that collect and analyze data tied to EU residents. No matter where your company is based, you need to ensure that you are GDPR compliant if you are collecting data on EU citizens.
The full text of GDPR is extremely long, running to 99 individual articles. A practical way for most organizations to achieve compliance is to rely on templates and reference architectures for their systems that have been assessed to be GDPR compliant. See Article 5 of the legislation, which gives details on how people’s data can be handled.
In addition, over the past few years we’ve produced many guides on how to achieve GDPR compliance for your various systems. Here they are:
- GDPR Requirements in Plain English
- GDPR Takeaways
- CCPA vs. GDPR
- A Practical Guide to GDPR [White Paper]
- EU GDPR Spotlight
- EU GDPR Breach Notification Rule
- Differences Between the GDPR and Privacy Directive
The California Consumer Privacy Act (CCPA) is the first act of its kind in the USA: it aims to protect the privacy of the citizens of California by providing them with rights as to how companies can store, process, and sell personal information. The regulation only applies to companies doing business in California which satisfy one or more of the following:
- Have a gross annual revenue of more than $25 million, or
- Derive more than 50% of their annual income from the sale of California consumer personal information, or
- Buy, sell or share the personal information of more than 50,000 California consumers annually.
If the CCPA applies to your business, you will need to be compliant by July 1, 2020 (though the CCPA came into force on January 1, 2020).
These rights can be summarized as follows. As an organization working with personal data, you need to have the ability to:
- Provide disclosures to consumers regarding the categories, purposes of collection and how those categories are sold or transferred to other entities.
- Enable DSR rights of access, deletion, and portability for the specific pieces of personal information that have been collected by you.
- Permit consumers to opt out of the sale of the consumer’s data.
- Enable an opt-in process so that no sale of a minor’s (under 16) personal information can occur without the minor actively opting in to the sale.
- Ensure that consumers are not discriminated against for exercising their rights.
The Health Insurance Portability and Accountability Act (HIPAA) is a US healthcare regulation. It contains requirements for the use, disclosure, and safeguarding of individually identifiable health information, which the act defines as Protected Health Information (PHI).
The act applies to a huge range of entities. These include doctors’ offices, hospitals, health insurers, and other healthcare companies. Any organization with access to PHI, as well as the business associates (such as cloud service and IT providers) that process PHI on its behalf, needs to ensure that it is HIPAA compliant.
Even after entering into a Business Associate Agreement (BAA) with Microsoft, you will need to ensure that you use and manage your system in a way that keeps it compliant with HIPAA. The key process controls you need to have in place can be found in our detailed HIPAA compliance guide.
Beyond these basic procedures, you will also need to have in place a system for responding to customer requests for data, and for responding to breaches.
To learn more about HIPAA compliance and how to achieve it, you can work through the following guides and resources:
- HIPAA Compliance
- What is HIPAA?
- HIPAA Compliance Software
- Office 365 and HIPAA
- Data Classification Guide
The Payment Card Industry Data Security Standard (PCI DSS) is a set of standards and guidelines that set out how businesses can keep credit card information safe and secure. They were developed back in 2006 by major credit card companies – Visa, Mastercard, and American Express. The primary focus of these guidelines was to prevent credit card fraud by ensuring that data relating to credit cards is not stolen.
Organizations of all sizes must follow PCI DSS standards if they accept payment cards from the major credit card brands mentioned above and the Japan Credit Bureau (JCB). Compliance with PCI DSS is required for any organization that stores, processes, or transmits payment and cardholder data.
PCI DSS Requirements
Start with the resources from the PCI Security Standards Council, which has published a quick reference guide for merchants and others involved in payment card processing. The guide explains how the PCI DSS can help protect a payment card transaction environment, and how to apply it.
Reference architectures, deployment guidance, control implementation mappings, automated scripts and similar material are also available to support implementation. The standard’s 12 requirements for protecting cardholder data are:
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
- Protect all systems against malware and regularly update anti-virus software or programs
- Develop and maintain secure systems and applications
- Restrict access to cardholder data by business need to know
- Identify and authenticate access to system components
- Restrict physical access to cardholder data
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
- Maintain a policy that addresses information security for all personnel
The way in which you meet these requirements will depend on your business, and on your data architecture.
Other Data Privacy Frameworks: ISO 27001, SOX and CMMC
In addition to the major frameworks above, there are a number of more specific frameworks that you will need to be aware of.
ISO 27001 is the leading international standard for information security, and is published by the International Organization for Standardization (ISO) in partnership with the International Electrotechnical Commission (IEC), both leading developers of international standards.
ISO 27001 is part of a set of standards developed to handle information security: the ISO/IEC 27000 series. The standard has been developed to help organizations of any size or industry protect their information in a systematic and cost-effective way, through the adoption of an Information Security Management System (ISMS).
For more information on how to implement the ISO 27001 standard, you can read our ISO 27001 Compliance guide.
In 2002, the United States Congress passed the Sarbanes-Oxley Act (SOX) to protect shareholders and the general public from accounting errors and fraudulent practices in enterprises, and to improve the accuracy of corporate disclosures. The act has the goal of improving corporate governance and accountability, in light of the financial scandals that occurred at Enron, WorldCom, and Tyco, among others.
All public companies now must comply with SOX, both on the financial side and on the IT side.
In January 2020, the Cybersecurity Maturity Model Certification (CMMC) version 1.0 was released as a collaborative effort of Federally Funded Research and Development Centers, University Affiliated Research Centers, and industry. This compliance standard was designed to implement a certification process for Department of Defense (DoD) contractors to protect sensitive data.
The enforcement of the standard will be rolled out in phases. It becomes part of the RFI process (June 2020) and the RFP process (September 2020), and will be required for contractors to acquire new work (October 2020). Learn more about how to prepare in our CMMC Compliance guide.
Data Privacy Roundup
In this section, we’ll bring together all of the resources we’ve shown you above, so you can quickly find the guide that you need to ensure compliance.
| Resource | Description |
|---|---|
| GDPR Requirements in Plain English | Basic description of the GDPR |
| CCPA vs. GDPR | The differences between the GDPR and the CCPA |
| EU GDPR Spotlight | A look at the impacts of the GDPR |
| EU GDPR Breach Notification Rule | More detail on breach notifications in the GDPR |
| Differences Between the GDPR and Privacy Directive | A more detailed look at EU privacy legislation |
| GDPR American Style | American attempts to replicate the GDPR |
| EU GDPR Spotlight | A focus on the largest impacts of the GDPR |
| GDPR Effect Review | Looking in more detail at the effects of the GDPR |
| What is the EU General Data Protection Regulation | A beginner’s guide to the GDPR |
| GDPR Data Protection Authority Supervisory Listing | More detail on the DPA listing aspect of the GDPR |
| Right Forgotten AI | More detail on the right to be forgotten, a critical part of the GDPR |
| GDPR and Dataprivilege API | The way that you can use the Dataprivilege API to work with the GDPR |
| EU GDPR Spotlight Protection by Design and Default | The approach that underpins the GDPR |
| EU GDPR Infographic | More statistics on the GDPR |
| EU GDPR Data Rights and Security Obligations | What you need to be aware of when seeking GDPR compliance |
| Security and Privacy Lessons from Recent GDPR Fines | Lessons that can be learned from recent GDPR activity |
| GDPR FAQ | The answers to common questions about the GDPR |
| Right to Be Forgotten | More detail on the right to be forgotten |
| CCPA vs GDPR | More detail on the differences between the CCPA and the GDPR |
| US Privacy Laws | A roundup of privacy legislation in the US |
| California Consumer Privacy Act CCPA and the Future of Data Security Standards | Will the CCPA be copied across the US? |
| CCPA Classification | Looking at data classification, a crucial component in CCPA compliance |
| What is HIPAA and Why Should You Care | A high-level look at HIPAA |
| HIPAA Compliance Software | Software that can help you get HIPAA compliant |
| Office 365 HIPAA | Working with Office 365 and HIPAA |
| Is Browsing Facebook While in the Hospital a HIPAA Violation | A commonly asked question, answered |
| Data Classification | Looking at data classification, a crucial component in HIPAA compliance |
| HHS to Investigate Smaller HIPAA Privacy Breaches | Lessons to be learned from recent HIPAA fines |
| HIPAA Case Files, Jail Time and Access Rights | The consequences of not being HIPAA compliant |
| PCI Compliance | A general guide to PCI compliance |
| PCI DSS Explained New White Paper Decodes Complexity | A more detailed look at the current thinking on the PCI DSS |
| A Guide to PCI DSS | A more practical guide to achieving PCI compliance |
| ISO 27001 Compliance | A detailed guide to compliance with the ISO 27001 standard |
| SOX Compliance | How to achieve SOX compliance |
A Final Word
Data privacy and compliance is crucial for every company that works with consumer data for a few reasons. The first, and most immediate, is that if you are not compliant you risk being fined. More generally, the process of achieving compliance, and the inherently close relationship between data security and privacy, means that compliant systems are also those that are better hardened against cyberattack.
Achieving compliance can be complicated, but by using the resources we’ve given you above, and by using a quality data security platform alongside your compliance processes, you can ensure that all your data is protected, and that you are not at risk of being fined.