This is the second post in a data protection blog series that addresses how organizations can better protect their sensitive data. This blog post addresses data privacy laws, frameworks, and how organizations can create their own data security strategies and frameworks to achieve compliance with today’s data privacy laws and standards.
Cyber security frameworks and privacy frameworks are both essential, and they address different risks. Each provides methods, processes, and best practices that help companies comply with security standards and data privacy laws. Cyber security frameworks reduce the risks associated with loss of confidentiality, integrity, or availability; privacy frameworks reduce the risks associated with unintended consequences of data processing. Both are needed to reduce the risk of privacy breaches. In the U.S., the NIST Cybersecurity Framework and the NIST Privacy Framework provide voluntary guidelines, built on existing standards, guidelines, and practices, that help organizations manage and reduce cyber security risk and individuals’ privacy risk. The National Institute of Standards and Technology (NIST) encourages organizations across market sectors to apply these frameworks according to their own risks, situations, and needs, since they are intended as guidelines rather than prescriptive requirements.
More specifically, NIST SP 800-37, the FISMA update, recommends the use of “automated security tools to continuously diagnose and improve security,” with one of its goals being to ensure that security controls are integrated into an organization’s enterprise architecture and system development life cycle. In addition, NIST SP 800-53 includes new security and privacy controls, together with guidelines covering areas such as mobile and cloud computing, insider threats, application security, and supply chain security for U.S. federal information systems.
The PCI Data Security Standard (PCI DSS) applies to all entities that store, process, or transmit cardholder data. It also sets specific requirements for software developers and for manufacturers of the applications and devices used in those transactions. Its security controls and processes are essential for protecting all payment card account data, including the primary account number printed on the front of a payment card.
The European Union (EU) Data Protection Directive (DPD) regulates the processing and free movement of personal data within the EU. Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) regulates the consent to and use of personal data. These were among the first privacy laws to be enacted. But the EU’s General Data Protection Regulation (GDPR), which protects the data of EU residents, is the law that has attracted the most international attention.
Since these laws were enacted, many other countries have been putting in place their own privacy laws. Here are just a few examples:
The GDPR covers data protection and privacy in the European Union and the European Economic Area (EEA), and it also governs the transfer of personal data outside the EU and EEA. It sets out principles of data transparency, purpose limitation, data minimization, accuracy, storage time limitation, integrity and confidentiality, and accountability on the part of the data controller or data protection officer. In effect, the GDPR creates a privacy framework. For example, to comply with Article 25 of the GDPR, companies must implement “privacy by design” principles, under which privacy is considered at every point in the process. The GDPR imposes fines on organizations that do not adhere to its data protection and privacy requirements.
The California Consumer Privacy Act (CCPA) received a lot of attention because it is the first strong privacy regulation in the U.S. It grants several privacy rights to consumers who live in California, and it affects organizations worldwide that serve California residents. Its main goal is to give California residents control over their personal information and how it is used. To achieve this, it introduces five fundamental rights: the right to disclosure, to deletion, to access, to opt-out, and to nondiscrimination. The CCPA also introduces significant fines and sanctions for noncompliance, and it applies to businesses based in California and potentially to any business offering services to California residents.
Organizations must start by creating a data strategy and framework that meets their business needs. This is especially true for companies that rely on user data as part of their business strategy. It requires establishing and coordinating key corporate metrics and goals for regulatory compliance, data security governance, the supporting IT strategy, and risk tolerance.
Organizations must then perform data discovery and data classification, define access policy, and manage datasets over their entire life cycle within the organization. Data classification means recording the sensitivity level of files, databases, and emails; access policy means specifying which groups or individuals are granted access to each. Applications should likewise be classified according to the criticality of the data they hold and according to whether they are external-facing, internal, or cloud-hosted.
Comprehensive data security policies, together with adequate resources to implement them, should be defined by a variety of teams within the organization and approved by executive management. Once the strategy is defined, the organization should select and implement the security tools, products, and services that help ensure data and application security.