A look at the daily news will tell you a lot about the state of personal information. Who collects it? What do companies do with it? What happens when it falls into the wrong hands? What do we do when it’s sent around the world to places where your country’s laws might not apply?
Standards for workplace security and regulations for the use and protection of personal information are in place all over the world to govern and help protect our data. Business compliance regulations have been put in place or updated to cover both vast areas (like the entire Asia Pacific region or the European Union) and smaller populations, like California.
Whether your company has thousands of employees or you’re a one-person shop, it pays to be familiar with these regulations. We’ve compiled a short compliance guide to keep you up to speed.
Business compliance is categorized into three major buckets: data security and privacy, network security, and physical security.
Let’s take them one at a time. We’ll explain what each law covers and what you need to do to meet the standards. This guide isn’t a substitute for legal advice; consult compliance experts to analyze your particular needs. This compliance guide is a great place to start.
Data security and privacy compliance: keeping personal information private
If the acronym GDPR sounds familiar, it’s because you’ve probably heard it often in the last year. GDPR covers individuals and companies within the European Union (EU), and it went into effect in May 2018. Any company that does business in the EU needs to be GDPR compliant. If you’re a data processor (any company that collects personal data), these concepts apply to you:
Get permission from individual users to collect personal data, and explain in simple language how you’ll use the data.
Respect and responsibility for personal data is Job #1. First, collect as little data as possible. Then, maintain user privacy and collect and handle the information ethically.
Do everything possible to keep personal information secure. Invest in robust security systems and do business only with other companies that adhere to GDPR standards.
Collect only the data you need, and keep it only as long as you need it.
APPI: personal information privacy for Japan
Your company may not be in Japan, but that doesn’t mean you can ignore Japanese law when it comes to the personal information of Japanese citizens. APPI, or the Act on the Protection of Personal Information, was put into law in 2003 and was updated as technology advanced, in both 2015 and 2017. Recently, Japan and the European Union recognized each other’s data protection initiatives, so mutual compliance between the GDPR and APPI is also in place.
In a nutshell, APPI enforces individuals’ right to control their own information. To remain in compliance, companies must:
Obtain permission to collect personal data
Minimize the amount of processing that data goes through and limit it to the purpose for which you received it
Disclose the information they have gathered about consumers
Provide access to that specific data
Honor demands from anyone to stop collecting personal information about them
Respond to APPI questions within two weeks or face a lawsuit and hefty fines
CBPR: secure and private personal data transfer within APAC
Since personal data can zip around the world in seconds, it’s becoming imperative that various regions honor each other’s business compliance laws.
An example of this is the Cross Border Privacy Rules (CBPR), which govern personal information transfer between companies in the Asia Pacific (APAC). These privacy security rules apply to eight economies: Japan, Singapore, the Republic of Korea, Australia, Mexico, the USA, Canada, and Chinese Taipei. More will take part soon.
One way the CBPR differs from every other compliance guideline is that it is voluntary. To be considered for inclusion in the CBPR, companies must apply and meet the qualifications for certification. Compliant companies can then be listed in the CBPR directory and describe themselves as CBPR-certified.
HIPAA: health information in the right hands
Another set of laws governing business compliance is HIPAA (the Health Insurance Portability and Accountability Act), and it’s probably the one most people are familiar with. HIPAA deals with the privacy of our health and healthcare data.
If you collect healthcare information, including just the names of patients, patient privacy should remain at the forefront of your mind. Enforced by the United States Department of Health and Human Services, HIPAA carries penalties for violations ranging from $100 to $50,000 per incident (or per record). In addition to these fines, noncompliance with HIPAA can result in criminal charges and prison time.
If a doctor or insurance company needs to share medical information about you, the provider must:
Get patient consent
Ensure the information is used only for health purposes
Transfer electronic files with encryption
Provide a way for data stored on devices and laptops to remain secure regardless of theft or loss
Protect the security and privacy of paper records
HITECH: extending HIPAA across the healthcare ecosystem
Part of the economic stimulus package of 2009 was HITECH, the clever acronym for the Health Information Technology for Economic and Clinical Health Act. HITECH is meant to give HIPAA "teeth" with tougher data security requirements.
HITECH is mainly concerned with business associates: companies that work with organizations required to comply with HIPAA must now also follow HIPAA regulations as if they were healthcare organizations themselves. That means every organization a healthcare company touches, from banks to billing companies to software companies, must protect personal information.
HITECH compliance reaches into some unexpected territory. Even front-desk sign-in, because it records the names of visitors, must be protected. If you think about it, paper logbooks are open for anyone to see, and they’re easily lost, copied, or stolen. Visitor management systems must also be compliant.
CCPA: compliance at the state level
Even though California is just one state of 50, it’s among the top five world economies. If you do business in or with companies in the Golden State, you’ll need to be up to speed with the California Consumer Protection Act. These laws go into effect on January 1, 2020, and they cover three essential areas:
Like the APPI, CCPA requires companies to allow consumers to learn what information businesses are collecting about them and their children. Companies must also honor requests to stop collecting information. While the CCPA does not prevent a company from selling your personal information, it does require companies that do so to disclose which information they sold, and to whom.
If a person tells a company to stop collecting or selling their personal information, companies can’t retaliate by denying that person access to services, charging more, or changing the service quality.
Similar to the GDPR, privacy policies need to be easy to find and easy to understand.
Under the CCPA, companies are held accountable for keeping private data safe and secure. CCPA follows the example of APPI by increasing fines and penalties for violators, and it allows consumers to sue companies for preventable breaches.
Network security compliance: the wild world of the cloud
From personal privacy, we move into the next major category of business compliance: network security. Workplace security takes on many forms, and the integrity of a company’s networks is important enough to be top-of-mind for every employee at every company, every day.
SOC 1 and 2:
System and Organization Controls (SOC) are regulations established by the American Institute of Certified Public Accountants (AICPA). They’re divided into two parts:
SOC 1, Type 1 reports describe a company’s controls. They are useful for proving to a company’s customers that it complies with federal regulations like SOX (the Sarbanes-Oxley Act).
SOC 1, Type 2 audit reports add an opinion from auditors about how effective the controls in place are in combating corporate financial fraud. SOC 1 reports are only for use by management of the company, potential customers ("user entities"), and auditors.
Companies that store customer data in the cloud can be especially vulnerable, so SOC 2 was developed as a preventative measure to standardize levels of security and remain current in an ever-evolving landscape of threats.
SOC 2 takes a hard look at data security compliance around five principles: security, availability, processing integrity, confidentiality, and privacy. This is the one you always hear about on the news. Whenever you hear about security breaches and exposure of personal information like credit card numbers, social security numbers, and banking data, it’s a SOC 2 issue.
These reports monitor and measure the security and quality of:
Oversight of the organization
Vendor management programs
Internal corporate governance and risk management processes
SOC 2 Type 1 reports look only at the design of security processes at a specific point in time, while SOC 2 Type 2 reports assess how effective those controls are by monitoring operations for six months.
ISO 27001: a standard worth achieving
Having ISO 27001 certification is a little bit like having a Super Bowl ring. Recognized as the global gold standard for Information Security Management, ISO 27001 focuses on how to control data and your vendors. That may sound a lot like SOC 2, but there are some crucial differences. For starters, successful ISO 27001 audits result in a certification of compliance, which SOC does not.
Maintaining ISO 27001 compliance is often a full-time job, but the benefits of certification are enormous. It can make the difference between winning or losing a contract. ISO 27001 standards encompass controls for IT systems, processes, and intellectual property to help ensure that the company is doing everything possible to reduce or eliminate security breaches. It’s so comprehensive that certification can help companies achieve other compliance goals, like HIPAA.
Physical security: compliance with military precision
Does your company conduct business of any kind with the United States military? If it does, compliance with the International Traffic in Arms Regulations (ITAR) is mandatory. ITAR is part of a set of laws that prohibit people and companies in the United States from doing business with countries the US has sanctioned, and that protect national security through regulations keeping military vendors safe from intellectual and physical data theft.
Whether you are a wholesaler, contractor, technology or software provider, a distributor, or even a third-party vendor, you need to register with ITAR. If the products you sell are on the US Munitions List (which includes everything from weapons to auto parts and aircraft to software), you are subject to ITAR.
Physical security at your place of business is on the list, too. Workplace security measures like pre-registration for visitors, ID checks, citizenship verification, visitor escorts, and identification badges with photographs are required to maintain compliance with ITAR.
There is so much to learn about business compliance, and the regulations are updated regularly to keep up with advances in technology. While it looks daunting on the surface, this compliance guide makes it clear: no matter where we are in the world, we all value our personal information safety, fiercely protect our privacy, and believe in the right to workplace security.