Even at times when business leaders’ attention is elsewhere, compliance is hugely important.
Enterprises need to comply with a growing suite of data protection, privacy and industry-specific rules and regulations, including laws drafted overseas.
Chief among these are the EU’s General Data Protection Regulation (GDPR) and the UK’s Data Protection Act. These are joined by the Privacy and Electronic Communications Regulations or PECR.
Firms that handle card payments continue to be governed by the PCI-DSS regulations, and businesses that trade with the United States could fall under the scope of the California Consumer Privacy Act.
GDPR’s scope is wide, and its penalties are harsh: fines can run to up to 4% of global turnover. “GDPR regulates the processing of personal data,” says Nigel Miller, partner at law firm Fox Williams. “This means data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
“In addition to this, GDPR requires data to be minimised, meaning data must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.”
For a business’s data storage, this means keeping only the information that is necessary, and for as short a period as possible, although the regulation does not define any timescales. This includes archives and off-site backups.
Data also has to be secured, and for most enterprises this means it has to be encrypted.
But firms also need to know where their data is, and how it is used. GDPR sets out a right to be forgotten – to have all data erased – as well as allowing individuals to opt out of automated decision making and profiling. Without a good inventory of all data assets, this will be hard to do.
Subject access requests and e-discovery will also impact the timescale for retrieving customer records, and in turn, service level agreements.
“Organisations need to find data within 30 days in order to respond to Subject Access Requests,” says Simon Cole, CEO at Automated Intelligence, a cloud-based data management supplier.
“Too much uncontrolled data hampers this and has led to inertia, putting organisations at increasing risk with each year that passes.”
UK Data Protection Act
“The Data Protection Act sits alongside GDPR in UK law by providing UK exceptions to GDPR requirements,” says Miller. These include special categories of data, such as health and employment data.
There are also differences that affect law enforcement data, as this is not covered by GDPR.
Another key difference is in dealing with children. The GDPR says a minor can consent to data processing at the age of 16. The DPA sets that at 13.
Actions for storage and data managers to comply with the DPA will be similar to those for GDPR. However, they will need to segment systems and data where UK-specific rules apply, such as for health and law enforcement.
Privacy and Electronic Communications Regulations
The PECR regulates cookies and tracking, as well as marketing and other “unsolicited” electronic communications.
Although the PECR is often known as the “cookie law”, it stretches further than that. It is based on the EU’s e-Privacy Directive, and covers the security of any electronic communications offered to the public, as well as privacy around billing and location information on communications networks.
The PECR was updated in 2019 to incorporate GDPR’s definition of consent. The rules are set to change again under the EU’s upcoming ePrivacy Regulation.
“Since the introduction of GDPR, organisations now need to ensure compliance with PECR and the GDPR when considering their marketing strategies,” says Gareth Oldale, partner and head of data privacy and cybersecurity at law firm TLT.
A set of industry regulations rather than a law, PCI-DSS governs any credit or debit card payment information, including how it is acquired, transmitted and stored. As a practical set of rules, PCI-DSS is a good proxy for protecting personal and financial information.
“The standard requires merchants to demonstrate a secure IT network that protects card holder data, maintain a vulnerability management programme, implement access control measures and regularly test their networks,” says Mike Kiersey, principal technologist at Boomi, a cloud services and data management firm.
Steps for CIOs include encrypting any card information, both in transit and at rest; protecting endpoints, including point-of-sale equipment; securing the network; and setting policies governing who can access sensitive data.
Firms must also ensure card data is deleted once it is no longer needed for a transaction, and this has to be factored into the design of backup and archiving tools.
One to watch: California Consumer Privacy Act
The CCPA came into force on 1 January 2020. However, the state’s Attorney General is not expected to issue guidelines until June. There is growing pressure in California for this to be delayed, given the uncertainty caused by the global pandemic, according to Mathieu Gorge, CEO at Vigitrust.
CCPA is similar in scope and intent to GDPR. It will set out rules for selling data, opt-out, deletion and subject access rights, and ages of consent for data processing (16, or 13 with parental permission). The CCPA will affect businesses with a turnover of more than US$25m; such firms will need to ensure their systems comply with both the CCPA and GDPR.
Don’t forget the cloud
More businesses are moving data to the cloud, and processing it there. But they must ensure that both their in-house technology and the cloud service are compliant.
A business can outsource data management, but it always retains the risk. The large cloud providers have improved their regulatory transparency over the past few years, but CIOs should still be asking hard questions – as well as ensuring data is secure while moving from local systems to the cloud and, potentially, between cloud providers.
“Moving data to a cloud poses specific practical security risks that need to be appropriately mitigated, as well as issues with dealing with confidentiality, secrecy, privacy and data location issues from a legal perspective,” says Georgina Kon, TMT/IP partner at law firm Linklaters.
“Depending on the sector, organisations may also have to consider regulatory guidance on cloud. This can make the use of some standard cloud offerings very challenging.”