kras99 - stock.adobe.com
Data privacy laws are multiplying as concerns about how information is sent and stored continue to grow.
Many IT professionals are familiar with international and domestic standards for data security and privacy, among them ISO/IEC 27001, Information security, cybersecurity and privacy protection -- Information security management systems -- Requirements; ISO/IEC 27002, Information security, cybersecurity and privacy protection -- Information security controls; and NIST Special Publication 800-53, Security and Privacy Controls for Information Systems and Organizations.
But these standards only represent a fragment of the regulations and legislation governing data privacy and security. Let's take a look at some of the most important ones.
What are data privacy laws and regulations?
Consider how much data is generated every hour and how much of that data contains personal information and other elements that, by their nature and criticality, must be secured from unauthorized access and kept from the general public. To that end, confidentiality, integrity and availability of data must be protected.
As a result, laws and regulations govern how data is collected, processed and stored. Among the guidelines, these provisions are meant to do the following:
- Ensure that unauthorized access to personal and private data is prohibited.
- Protect against activities that may alter data without the owner's knowledge or approval.
- Establish access processes that prevent access to personal data other than by the owner(s).
- Ensure this access also makes it possible for owners to examine their data.
- Provide permission for personal data to be collected.
- Prevent the selling or release of data to outside third parties without owner consent.
- Ensure owners can review their data to validate that it is correct.
- Permit owners to have data about them deleted.
- Ensure owners are notified if a security breach has compromised their data.
By complying with these guidelines, companies minimize the chance they'll be sued or fined and help reduce effects created by negative customer fallout and reputational damage.
International privacy legislation
Among the most significant international data privacy laws is GDPR. It was developed by the EU and European Economic Area and went into effect in May 2018. Any organization -- regardless of where it's headquartered -- that targets or collects data from people and businesses in EU member nations must comply with the law.
GDPR compliance can be a challenge, and companies that run afoul of the law can be fined and penalized. GDPR is specific in how it defines personal data and any related activities involving data, such as how data is processed and who controls that mechanism.
GDPR is only one regulation. Currently, more than 100 countries worldwide have enacted data privacy laws. Each addresses the fundamental issues concerning data creation and processing, data ownership and other criteria. The requirements of each country may differ, as do compliance requirements, but the message is clear: Protecting personal data is a must.
Domestic privacy legislation
The United States does not have a national data privacy law. Two important acts do cover privacy, however:
- The Privacy Act of 1974 (5 U.S.C. § 552a) was designed primarily for federal government agencies. It established a code of fair information practices to govern the collection, processing, management, dissemination and destruction of personally identifiable information.
- HIPAA, enacted in 1996, has two key sections: the Security Rule and Privacy Rule. These rules give protected health information providers and processers flexibility in how they protect user data. In addition, HIPAA is an important audit document. Compliance with the law and its many provisions is essential to avoid penalties and possible fines.
While no national legislation exists, a growing number of states have enacted their own data privacy laws. California, Colorado, Connecticut, Utah and Virginia have detailed and wide-ranging data privacy laws in force. Before doing business in any of these states, be sure to read and fully understand their laws.
Another dozen states or so have less comprehensive legislation. Expect more state legislatures to pass laws in the coming years.
The leader in data privacy legislation, California has enacted more laws than any other state. The following are two key examples:
- California Consumer Privacy Act (CCPA). Key in this legislation is that residents may ask businesses to disclose the type of information they collect, why they are collecting the information and the source of the data.
- California Privacy Rights Act (CPRA). CPRA, which took effect Jan. 1, 2023, builds on CCPA. It gives residents the ability to prevent businesses from sharing their personal data, request that inaccuracies in their personal data be corrected and prevent companies from using sensitive data, such as race and sexual preference.
The Colorado Privacy Act, which will go into effect July 1, 2023, augments the existing Colorado Consumer Protection Act by adding specific provisions regarding the collection, processing and dissemination of personal data, as well as how the law will be enforced.
The Connecticut Personal Data Privacy and Online Monitoring Act will be effective July 1, 2023. It governs how personal data privacy is protected and how data is collected and processed, as well as spells out penalties for noncompliance.
Connecticut also has an existing law, General Statute § 42-471, that safeguards how personal data is used, stored and distributed.
The Utah Consumer Privacy Act, which goes into effect Dec. 31, 2023, will protect the collection, processing and distribution of personal data.
The Virginia Consumer Data Protection Act, effective Jan. 1, 2023, provides guidelines and penalties regarding how personal data is collected, processed and distributed. It affects both government and nongovernment organizations that annually process specific quantities of personal data.
Given the importance of data privacy and protection, expect more states to enact data privacy laws, most likely built on the foundation laid by California and other states that have been at the forefront of consumer protection.
Congress, meanwhile, is assessing national legislation via the American Data Privacy and Protection Act. If the act passes, companies will likely have to follow both national and state legislation to ensure they are processing personal data correctly.
Regardless of the outcome of possible congressional and local legislation, complying with federal, state and international data privacy laws and regulations will be an increasingly important requirement for organizations and their IT departments.