What is data compliance?
Data compliance is a process that identifies the applicable governance for data protection, security, storage and other activities and establishes policies, procedures and protocols ensuring data is fully protected from unauthorized access and use, malware and other cybersecurity threats.
Data is typically generated, managed, stored, secured, accessed, used, modified and destroyed. Standards and regulations define how to ensure that data is securely managed in all phases of its existence. Compliance with the many different standards, regulations, frameworks, legislation and practices is critical, and governance is essential.
Why is data compliance important?
Public and private sector organizations have a fiduciary responsibility to protect the information they use to manage their businesses. Availability of relevant standards, regulations, and other governance rules and practices that deal with the security, privacy and protection of data ensures that data can be securely managed and protected.
These activities are important in the IT security audit process, which devotes a lot of time examining all aspects of how data is managed. Failure to demonstrate compliance with the relevant data governance procedures can result in unsatisfactory audit findings that have to be corrected.
This article is part of
What is data security? The ultimate guide
Senior management in public or private sector organizations may be held accountable for audit findings that indicate failure to comply with data governance requirements. More likely, IT department leaders will be required to correct those findings so they're data-compliant and meet with the satisfaction of auditors and senior company management.
Benefits of data compliance
Compliance with data standards, regulations, and other governance rules and practices helps ensure that the confidentiality, integrity and availability of an organization's data, databases and other relevant information are protected. Unauthorized access to mission-critical data could result in damage to the organization's reputation, loss of revenue and loss of business. However, compliance can be achieved with the help of dozens of available resources, like security technologies, antivirus software and anti-ransomware software to protect all forms of data.
Data compliance standards, regulations and legal requirements
The data compliance governance most often used includes domestic and global standards, regulations, frameworks, programs and legislation. Following are some of the key data compliance governance requirements:
National Institute of Standards and Technology (NIST). This physical sciences laboratory and nonregulatory agency of the U.S. Department of Commerce develops and distributes standards primarily for government use, but they're widely used by private industry.
- NIST SP 800-53 Rev. 5 (2020), Assessing Security and Privacy Controls in Information Systems and Organizations is a widely used standard for information system and data compliance.
- NIST Cybersecurity Framework, or CSF, is a voluntary framework primarily intended for critical infrastructure organizations to manage and mitigate cybersecurity risks to data based on existing best practices.
International Organization for Standardization (ISO). This international organization develops global standards for different kinds of systems and technologies.
- ISO/International Electrotechnical Commission (IEC) 27001:2013, Information technology -- Security techniques -- Information security management systems -- Requirements is one of the principal global information security standards, provides the framework and guidance for creating an information security management system, and is a key standard for data compliance.
- ISO/IEC 27002: 2013, Information technology -- Security techniques -- Code of practice for information security controls, the companion standard to ISO 27001, supports and facilitates ISO 27001 implementation by providing best practices guidance on applying data security controls listed in ISO 27001.
Payment Card Industry Digital Security Standard. PCI DSS is a set of security standards and applies to organizations that process, store or transmit credit cardholder information.
General Data Protection Regulation. GDPR is the primary global data protection regulation developed by the European Union. It addresses the need for a broad range of data protection activities and applies to any organization collecting personal information of people in the EU.
California Consumer Privacy Act. CCPA is state legislation that applies to any organization doing business in California and collecting consumers' personal data. It provides residents several data protection rights, including transparency, accessibility and privacy.
Health Insurance Portability and Accountability Act, or HIPAA, Security Rule (45 Code of Federal Regulations Part 160 and Subparts A and C of Part 164). Used as an audit and assessment standard for healthcare and nonhealthcare institutions, Part 164 includes requirements for protecting the security and integrity of electronic protected health information, or ePHI, as well as all other forms of sensitive data.
Federal Risk and Authorization Management Program. FedRAMP provides standardized guidelines to help federal agencies and the private sector evaluate cyber threats and risks to data within technology infrastructure platforms.
Federal Information Security Management Act. FISMA is a framework of guidelines defining security actions that government agencies can use to enhance their cybersecurity posture by protecting critical information systems from different types of attacks.
ISACA. This international organization addresses information assurance, governance and security for audit professionals. ISACA's Control Objectives for Information and Related Technology, or COBIT, is a widely used control framework for IT management, governance, security and data compliance.
Limitations of data compliance regulations
Standards and regulations typically provide broad guidance on achieving data protection and security, and some can focus exclusively on specific situations, such as cybersecurity and cloud-based technology. While all standards and related governance documents are highly valuable, the key is to select the standards most applicable to the organization and build a program to achieve regulatory compliance with those specific requirements.
How to achieve data compliance
Once the governance documents have been selected, organizations can then implement controls, policies, protocols and procedures to achieve the criteria defined in standards. An important aspect of this process is to secure senior management support and funding for data compliance initiatives.
It's also important to establish ongoing data compliance activities; schedule periodic tests, documentation reviews and audits of data compliance activities; and regularly brief senior management on compliance efforts. Validation of data compliance is typically performed with impartial internal and external audits of compliance-related activities.