Most CISOs or CCOs live in fear of the announcement of a routine audit from a compliance organization, or even worse – a data breach or incident where they need to disclose information to the relevant authorities, or notify customers. To help you keep your obligations straight, here’s a handy guide to what you need to know for some of the top data privacy compliance mandates.
First and foremost, it should be easy for customers to request, obtain and amend the information you hold about them, and to ask you to stop processing their data and erase previous records. You need to respond to these requests without undue delay and within one month of receipt (extendable by up to two further months for complex or numerous requests, provided you tell the individual why). You must be able to encrypt, pseudonymize or anonymize personal data where possible, and have a process in place to carry out a data protection impact assessment for high-risk processing.
Contrary to a common misconception, GDPR does not require that personal data on EU residents be stored on servers located in the EU, even for a US-based company. What it does restrict is transfers of personal data outside the EU/EEA: the destination country must be covered by an adequacy decision, or the transfer must rest on appropriate safeguards such as Standard Contractual Clauses, and you should be able to show which mechanism applies to each flow of data.
In case of a data breach, you’ll need a process in place to notify the supervisory authority and, where the breach is likely to result in a high risk to them, the individuals impacted. Notification to the authority must be made within 72 hours of becoming aware of the breach, so you don’t have much time to get your ducks in a row. Remember, GDPR is an EU regulation: it covers organizations established in the EU, and also organizations outside the EU that offer goods or services to, or monitor the behaviour of, people in the EU, regardless of where the data is processed.
CCPA mandates that you give consumers a way to opt out of having their personal information sold, and establish methods for requests to access and delete their data. Organizations need to respond to these requests within 45 days (extendable by a further 45 days with notice to the consumer) and be able to show that they acted on the request. As originally enacted, CCPA gives consumers no right to have incomplete or incorrect data rectified, or to have processing stopped, only to have the data deleted. CCPA’s definition of personal information is also broader than GDPR’s in one respect: it includes information linked to a household or device, while GDPR is concerned with information about an identified or identifiable individual.
A breach is where the financial exposure lies. The California Attorney General can seek civil penalties of $2,500 per violation, or $7,500 per intentional violation, and CCPA gives businesses 30 days to cure an alleged violation after being notified of it (this cure period applies to enforcement notices, not to the breach itself). Separately, consumers whose unencrypted personal information is exposed because of a failure to maintain reasonable security can sue for statutory damages of $100 to $750 per consumer per incident, or actual damages if greater. These can stack up fast if an incident occurs, so it’s important to have a system in place ahead of time to classify and label any information that is in the scope of CCPA.
SOC 2 is not a law but an attestation standard from the AICPA, and it applies to any service organization that stores, processes or transmits customer data in the cloud, SaaS companies included. There is no legal obligation to have a SOC 2 report, but customers, especially in the US market, increasingly expect one before they will trust you with their data.
Obtaining a report can take anywhere from 4 weeks to 18 months: a Type I report describes your controls at a point in time, while a Type II report requires an observation period (typically 3 to 12 months) during which the controls are shown to operate effectively.
You need to have a process in place for monitoring unusual activity, covering both known and unknown attack patterns. Your alert system should quickly let you know if files are moved, modified or accessed out of the norm for the user or system involved. In an audit, these controls are tested against the Trust Services Criteria under CC7 (System Operations), which covers detecting, analysing and responding to anomalies and security incidents.
SOC 2 sets no breach notification deadline, but security incidents that result from a failure of your controls and are significant to the system need to be disclosed in the system description section of the SOC 2 report. This should include what happened, when it happened, and the effect it had on your organization and its users. Without a SOC 2 report, you may find that organizations are wary of working with you, or of partnering with you when sensitive personal data is involved.
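The CC7 control above is easiest to picture as code. The following is an added example (not MinerEye’s product, and not code from the original article) that learns a per-user baseline of which shares, operations and hours of the day are normal from a training window, then raises alerts on a later window for anything outside that baseline and for bursts of file operations that look like a bulk copy. The audit-log format (`timestamp,user,operation,path`) and the users and paths are constructed for the example; a real deployment would feed it file-server, EDR or cloud-storage audit events.

```python
import csv
from collections import defaultdict, deque
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample audit trail (fake users and paths, not a real log).
# Hypothetical CSV format: timestamp,user,operation,path
BASELINE_LOG = """\
2023-03-01T09:12:04,alice,READ,/finance/q1/report.xlsx
2023-03-01T10:40:11,alice,WRITE,/finance/q1/report.xlsx
2023-03-01T14:03:27,alice,READ,/finance/q1/ledger.csv
2023-03-02T09:30:00,alice,READ,/finance/q1/budget.xlsx
2023-03-02T11:15:45,alice,WRITE,/finance/q1/budget.xlsx
2023-03-03T15:20:09,alice,READ,/finance/q1/forecast.xlsx
2023-03-01T09:05:33,bob,READ,/engineering/src/main.go
2023-03-01T13:47:02,bob,WRITE,/engineering/src/main.go
2023-03-02T16:10:58,bob,READ,/engineering/docs/design.md
2023-03-03T10:22:14,bob,READ,/engineering/src/util.go
"""

# The window under review: one normal read, a read of an HR share bob never
# touches, a MOVE (bob only ever reads and writes), a 02:14 read by alice,
# and a 12-file sweep of the finance share in 22 seconds.
NEW_LOG = """\
2023-03-06T10:05:12,alice,READ,/finance/q1/budget.xlsx
2023-03-06T10:30:41,bob,READ,/hr/salaries.csv
2023-03-06T10:31:05,bob,MOVE,/engineering/src/main.go
2023-03-07T02:14:09,alice,READ,/finance/q1/ledger.csv
""" + "".join(f"2023-03-07T10:00:{2 * i:02d},alice,READ,/finance/q1/file{i}.xlsx\n"
              for i in range(12))


def parse_log(text):
    """Parse the CSV audit trail into event dicts, sorted by time."""
    events = []
    for ts, user, op, path in csv.reader(StringIO(text)):
        events.append({"ts": datetime.fromisoformat(ts), "user": user, "op": op,
                       "path": path, "top": path.split("/")[1]})  # top-level share
    return sorted(events, key=lambda e: e["ts"])


def build_baseline(events):
    """Per user: the shares, operations and hours of day seen during training."""
    base = defaultdict(lambda: {"dirs": set(), "ops": set(), "hours": set()})
    for e in events:
        b = base[e["user"]]
        b["dirs"].add(e["top"])
        b["ops"].add(e["op"])
        b["hours"].add(e["ts"].hour)
    return base


def detect(events, baseline, burst_threshold=10, burst_window=timedelta(seconds=60)):
    """Return (rule, user, detail) alerts for events that deviate from the baseline."""
    alerts = []
    recent = defaultdict(deque)      # per-user timestamps inside the burst window
    burst_open = defaultdict(bool)   # suppress repeated burst alerts for one sweep
    for e in events:
        user = e["user"]
        if user not in baseline:
            alerts.append(("unknown_user", user, e["path"]))
            continue
        b = baseline[user]
        if e["top"] not in b["dirs"]:
            alerts.append(("unseen_dir", user, e["path"]))
        if e["op"] not in b["ops"]:
            alerts.append(("unseen_op", user, f"{e['op']} {e['path']}"))
        if e["ts"].hour not in b["hours"]:
            alerts.append(("off_hours", user, f"{e['ts']:%H:%M} {e['path']}"))
        q = recent[user]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > burst_window:
            q.popleft()
        if len(q) >= burst_threshold:
            if not burst_open[user]:
                alerts.append(("burst", user,
                               f"{len(q)} ops within {int(burst_window.total_seconds())}s"))
                burst_open[user] = True
        else:
            burst_open[user] = False
    return alerts


def run_example():
    baseline = build_baseline(parse_log(BASELINE_LOG))
    return detect(parse_log(NEW_LOG), baseline)


if __name__ == "__main__":
    for rule, user, detail in run_example():
        print(f"{rule:<12} {user:<8} {detail}")
```

On the constructed data this produces four alerts: bob reading an HR share he has never used, bob issuing a MOVE for the first time, alice reading finance data at 02:14, and a burst alert the moment the tenth file operation lands inside a 60-second window. Alerting once per burst rather than once per file is what keeps a bulk copy from flooding the queue, which is exactly the kind of tuning an auditor will ask you to show under CC7.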
Unsurprisingly, healthcare information is among the most heavily guarded and regulated. For HIPAA, which sets standards for protecting sensitive patient data in the US, organizations need access controls in place, along with activity logs and audit controls, for all protected health information (PHI): any individually identifiable health information that is stored, maintained or transmitted. If an individual asks for access to their records, the organization must respond within 30 days, with one 30-day extension allowed; a request to amend records must be acted on within 60 days, again with one 30-day extension, so 90 days at most.
HIPAA is a little more complex than the other mandates in terms of breach notification. Affected individuals must be notified without unreasonable delay and no later than 60 days after the breach is discovered, whatever its size. If the breach impacts 500 or more individuals, you must also notify the Department of Health and Human Services (HHS) within those same 60 days, and if more than 500 residents of a state or jurisdiction are affected, prominent media outlets serving that area as well. Breaches affecting fewer than 500 individuals can be logged and reported to HHS annually, within 60 days of the end of the calendar year in which they were discovered. If you as an individual believe that your rights under HIPAA have been violated, you have 180 days from when you knew (or should have known) about it to file a complaint with HHS.
The manual effort involved in identifying, classifying and labeling each type of personally identifiable information (PII), and in recognizing if and when a data breach has touched those files, is huge. Yet organizations sometimes have as little as 72 hours to disclose an event, along with specifics such as who has been impacted and the extent of the breach. Similarly, what sounds like a simple request from a customer, to have their PII deleted from the organization, can take months and become very costly when nobody knows every place the data lives.
Regulatory compliance isn’t something you can do once and then check off your to-do list. It’s an ongoing project with grave significance, and it depends on having x-ray vision into where your customers’ or patients’ personal data is being used and stored.
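To make the classification and deletion problems concrete, here is an added example (written for this page, not MinerEye’s product or code from the original article) of the minimum a discovery tool has to do: scan a set of documents for PII patterns, validate card-number candidates with the Luhn check so that test fixtures and random digit runs are not mislabeled, attach category labels to each file, and answer the question an erasure request starts with, namely which files mention this person. The document contents and paths are constructed; the email, SSN and card patterns are deliberately narrow and are assumptions about what "PII" means for this repository, not a complete catalogue.

```python
import re

# Constructed sample repository: fake names, reserved test card numbers,
# and an SSN pattern that is not assigned to anyone.
DOCS = {
    "hr/onboarding_jdoe.txt":
        "New hire: Jane Doe, jane.doe@example.com, SSN 123-45-6789, ext 4421",
    "finance/refund_log.csv":
        "2023-03-01,refund,4111 1111 1111 1111,jane.doe@example.com\n"
        "2023-03-02,refund,4111 1111 1111 1112,x@example.org",
    "eng/README.md":
        "Build with make; see CONTRIBUTING.md for repository access.",
    "eng/test_fixtures.json":
        '{"card": "1234567890123456", "note": "placeholder, not a real PAN"}',
}

# Assumed detection patterns (narrow on purpose; extend for your own data).
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
# US SSN: area 000/666/9xx, group 00 and serial 0000 are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Payment-card candidate: 13-16 digits with optional space/dash separators.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")


def luhn_ok(digits):
    """Luhn checksum over a string of digits; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(text):
    """Return {category: [matched values]} for one document."""
    found = {}
    emails = EMAIL_RE.findall(text)
    if emails:
        found["email"] = emails
    ssns = SSN_RE.findall(text)
    if ssns:
        found["ssn"] = ssns
    cards = []
    for candidate in CARD_RE.findall(text):
        digits = re.sub(r"[ -]", "", candidate)
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            cards.append(digits)
    if cards:
        found["card"] = cards
    return found


def label_repository(docs):
    """Sorted category labels per path; empty list means no PII detected."""
    return {path: sorted(classify(text)) for path, text in docs.items()}


def find_subject(docs, identifier):
    """Every document that mentions an identifier, e.g. for an erasure request."""
    return sorted(path for path, text in docs.items() if identifier in text)


def mask(value):
    """Show only the last four characters when reporting a hit."""
    return "*" * (len(value) - 4) + value[-4:]


if __name__ == "__main__":
    for path, text in DOCS.items():
        hits = classify(text)
        print(path, sorted(hits))
        for category, values in hits.items():
            for v in values:
                print(f"    {category}: {mask(v)}")
    print("erasure scope for jane.doe@example.com:",
          find_subject(DOCS, "jane.doe@example.com"))
```

Two things in the output are worth noticing. The fixtures file and the second refund row both contain sixteen-digit numbers and neither is labeled, because they fail the Luhn check; a scanner without that validation would report them and waste the 72-hour clock on false positives. And the single erasure request for one email address already spans two shares owned by two different teams, which is why the "simple" request is rarely simple.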
Technology is the only way to manage this growing effort effectively, using automation and AI in the form of a data protection platform like MinerEye. MinerEye enables organizations to overcome the difficulties of regulatory compliance. It automatically scans, indexes, analyzes, categorizes, and virtually labels every piece of unstructured and dark data contained in an organization’s data repositories. With proprietary Interpretive AI™, machine learning, and computer vision, MinerEye locates relevant files out of the billions that are stored, evaluates them, qualifies them by significance and purpose, and automatically sends alerts with next-best-action recommendations in cases of conflict, duplication or potential violations. In this way, data discovery is profoundly enhanced while risk and operational costs are contained.