Privacy Legislation Compliance: Does Your Organization Do This?
Five new privacy laws went into effect in California alone this past January. The laws, one of them being changes to the encryption standard in breach notification, are designed to help strengthen data protection for the state’s residents.
Boosting data privacy and security was one of the top compliance trends in 2015, identified by intelligence provider Thomson Reuters. The company reported that over 1 billion accounts were compromised in 2014.
But here’s the thing. Every organization, regardless of size, is on its own to identify and understand all the various privacy laws in relation to its business and industry. Failure to meet the rules and guidelines of legislated standards such as the Health Insurance Portability and Accountability Act (HIPAA) and Sarbanes-Oxley can result in huge fines, penalties, and loss of trust.
Consider that in the U.S. there is no single privacy law that regulates the collection and use of personal data. Instead, there’s a patchwork of federal and state laws and regulations as well as self-regulatory guidelines and best practices developed by governmental agencies and industry groups.
In the U.K. and Europe, the need for better cyber security has also led to new data protection legislation. New European Union (EU) regulations are expected this year, according to the Data Protection Laws of the World Handbook.
With the constant risk of an information security breach today, all organizations have to stay up-to-date and understand privacy law.
The following give a good indication of whether an organization is following best practices when it comes to compliance:
- Inventoried data: Organizations know what kind of personal data they collect, use and share with other parties (such as names, addresses, account numbers, etc.). There is a stated purpose for all data that is collected.
- Data minimization: As part of a comprehensive data management process, data is reviewed regularly to determine if all of it is really needed. If not, the data is securely destroyed by a document destruction partner that has a secure chain of custody and on- or off-site shredding services. A certificate of destruction is issued after every shred, for paper documents as well as for e-media and hard drive destruction.
- Leadership: The organization is fully aware of what laws and regulations are applicable. There is a Chief Information Security Officer (CISO) and legal involvement. Plus, it is policy to partner with companies that understand legislated requirements (for example, a document destruction company that has compliance expertise).
- Education and training: The organization integrates a culture of privacy from the top down. Security training is ongoing for all employees. Mistakes made by employees are a frequent cause of data breaches, according to the 2015 industry forecast by Experian.
- Clear safeguards: The latest technologies are in place to prevent and detect data breaches. Physical safeguards include a Clean Desk Policy, locked consoles for documents that are no longer needed, and visitor sign-in.
Is your organization in compliance with privacy laws? Take this free privacy legislation quiz to find out.