A Brief Look at 4 Major Data Compliance Standards: GDPR, HIPAA, PCI DSS, CCPA

Why Is Data Compliance Important?

Data can be a valuable asset, especially when they contain exclusive information. Since the old days, companies have always invested money and resources on protecting intellectual property and trade secrets from theft. But more recently, a new type of information is gaining increasing value – personally identifiable information (PII).

Compared to intellectual property, companies are less cautious about protecting PII. There are two main reasons behind it. First is that personal data of customers and employees do not require much effort (i.e. economic sacrifice) to obtain. Second is that unlike intellectual property, even if a copy of personal data gets leaked, it does not significantly devalue the original copy.

This does not mean that personal data is any less important. When PII ends up in the wrong hands, severe consequences like identity theft and financial fraud can impact thousands and even millions of people. As consumers become more aware of this danger, companies need to reassure their customers that they are safe to do business with by taking full responsibility in keeping PII safe.

This is where data privacy regulations come into play. They help companies reassure the general public that doing business (i.e. sharing data) with them is safe, but also ensures fairness in the market by punishing those who fail to meet their responsibilities.

There are plenty of data privacy laws and standards designated for a variety of industries and for different regions of the world. It is crucial to understand which laws apply to your business and how to comply with them.

The good news is that most of these regulations are very similar, thus adopting a certain set of security standards would help you comply with all of them.

Here we introduce four most influential data privacy regulations in the world: GDPR, HIPAA, PCI DSS, and CCPA. Once you meet their requirements, you would likely be fine with all the rest.

 

GDPR (General Data Protection Regulation)

Country of origin: European Union

Established by: European Parliament and Council of the European Union

Effective since: May 25, 2018

Main purpose:

  • To obtain consent before collecting personal data
  • To keep stored personal data at a minimum
  • To protect stored personal data with adequate measures

What is considered “personal data”?

  • “Any information related to a natural person that can be used to directly or indirectly identify that person”

Who must comply?

  • Any business entity that does business in the EU
  • Any business entity that monitors, collects, or stores personal data of EU residents

Overview:

As one of the strictest data privacy laws in the world, the European Union’s General Data Protection Regulation guards personal data from the collection process. Businesses are only allowed to collect personal data if there is a legitimate reason for doing so, and are required to inform the data subject on how their data would be processed.

Companies are also required to implement privacy by design for all new systems and processes, meaning that adequate cybersecurity measures should be implemented at all times, including having PII encrypted. When necessary, GDPR recommends businesses to assign a data protection officer to handle GDPR compliance.

Penalties and fines:

GDPR outlines two tiers of fines. Tier 1 applies to all kinds of failure in having proper database security measures in place, usually revealed following a data breach. The maximum tier 1 fine is set at 2% of a company’s global revenue or 10 million euros, whichever is greater.

Tier 2 is related to data collection and usage, punishing companies who fail to obtain consent before collecting and processing personal data. The maximum tier 2 fine is 4% of a company’s global revenue or 20 million euros, whichever is greater.

 

HIPAA (Health Insurance Portability and Accountability Act) Privacy Rule

Country of origin: United States

Established by: 104th United States Congress

Effective since: April 14, 2003

Main purpose:

  • To keep protected health information (PHI) and medical records safe
  • To obtain patient authorization on the use and disclosure of PHI
  • To give patients rights over their PHI, including right to obtain copies

What is considered “protected health information (PHI)”?

  • Any information regarding a person’s health status, healthcare provisions, or healthcare payments that can be used to identify that person

Who must comply?

  • Any “covered entity” (i.e. health plans, healthcare providers, healthcare clearinghouses, and insurance providers) that collects and stores PHI of United States citizens

Overview:

The HIPAA Privacy Rule strictly limits when and how an individual’s PHI may be used or disclosed by the covered entities. To list a few, the PHI could only be used for providing information to the individual, providing treatments and payments, providing information for research activities of public interest, etc.

Since PHI is highly sensitive, all covered entities must keep any PII safely encrypted at all times. Especially during the current COVID-19 pandemic, where healthcare data have become the most popular target for cybercriminals, healthcare and insurance providers must be extra cautious when handling data.

Penalties and fines: 

For those who violate the Privacy Rule, a fine of $100 to $50,000 or more will be applied per violation and up to $1,500,000 can be applied per year.

 

PCI DSS (Payment Card Industry Data Security Standard)

Country of origin: International

Established by: Payment Card Industry Security Standards Council (PCI SSC)

Effective since: December 15, 2004

Main purpose:

  • To secure payment card transactions against data theft and fraud

Who must comply?

  • Any business entity that processes debit or credit card transactions
  • No legal body to enforce compliance, but PCI DSS certification is widely regarded as a must

Overview:

Established by five major credit card schemes – Visa, MasterCard, American Express, Discover, and JCB, the PCI Data Security Standard is a security standard for payment card transactions, safeguarding transactions from data theft and fraud. 

To comply with the standard, businesses that handle card payment transactions must strictly control access to the personal and financial information of the cardholder, as well as monitoring unauthorized access to the corporate network. Some of the recommended security measures include installing web application firewalls to protect online payment forms and encrypting the transmissions of financial data.

Compliance levels:

Based on the number of payment card transactions a business processes, PCI DSS is divided into four levels. The lower the level, the stricter the requirements are.

  • Level 4: less than 20,000 transactions per year
  • Level 3: between 20,000 and 1,000,000 transactions per year
  • Level 2: between 1,000,000 and 6,000,000 transactions per year
  • Level 1: above 6,000,000 transactions per year

Penalties and fines:

Due to the nonexistence of any legal authority that enforces compliance, there is no direct penalty or fine for not complying. However, PCI DSS certification is widely demanded by consumers. Having the certification tells your customers that they can feel safe transacting with your company. Moreover, when a data breach of personal and financial information results in financial losses, your company could be sued on an individual basis, leading to severe financial and reputational losses.

 

CCPA (California Consumer Privacy Act)

Country of origin: California, United States

Established by: California State Legislature

Effective since: January 1, 2020

Main purpose:

  • To obtain consent before collecting personal data
  • To give consumers the right to know what personal data are stored by a business entity
  • To give consumers the right to delete their personal data stored by a business entity
  • To give consumers the right to opt-out of the sale of their personal data
  • To protect stored personal data with adequate measures

What is considered “personal information”?

  • “Any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer of household”

Who must comply?

  • Any business entity that does business in California that either:
    • have a gross annual revenue of over $25 million;
    • buy, receive, or sell the personal data of 50,000 or more California residents, households, or devices; or
    • derive 50% or more of their annual revenue from selling personal information of California residents

Overview:

The California Consumer Privacy Act belongs to a wave of new data privacy regulations inspired by GDPR. It is similar to GDPR in that compliance is not limited to any specific industry. Every business, regardless of its business area, needs to comply. Despite having only 40 million residents – compared to 450 million in the EU – California’s $3.2 trillion economic output makes it the fifth largest economy in the world were it to be a country. Almost every major company sells in California. This is why CCPA’s span of influence cannot be neglected.

Compared to GDPR, CCPA is slightly lenient towards businesses. Where GDPR requires all organizations to comply regardless of their size and activity, CCPA only applies to businesses that pass an annual revenue threshold, or those that process a certain amount of personal information.

The general requirements are somewhat identical to GDPR, with a few minor differences in practice. For instance, businesses must give their customers the right to opt-out from selling their personal information, and must always have a button on their homepage that reads “DO NOT SELL MY PERSONAL INFORMATION”, so that users can easily opt-out. Moreover, the users who choose to opt-out must be offered the same products and services at the same price as the rest and must not be discriminated against in any way.

Penalties and fines:

CCPA fines are based on a per-consumer basis, ranging between $100 and $750 per consumer per violation. If the cost of actual damage is higher, companies are also responsible to cover the cost of these damages.

Speaking of damages, another major difference between CCPA and GDPR is that CCPA grants consumers the right to sue the business if an unauthorized third party gains access to their personal information. Consumers can also qualify for statutory damages if their personal information is compromised due to a lack of reasonable security measures, such as a lack of encryption.

 

D’Amo, From Encryption to Data Compliance

Note that all these data privacy regulations have a common core requirement: to adopt reasonable security measures in protecting data from unauthorized access. This means that simply by having all PIIs safely encrypted, you are halfway done. The rest are mostly rules on what not to do. 

D’Amo is an encryption solution designed to meet compliance with these four data privacy standards, safely protecting PIIs and critical enterprise data assets. Apart from businesses, it has been chosen by some of the largest financial institutions and healthcare providers in many parts of the world.

From encryption to key management, along with access control and auditing, D’Amo provides a centralized management tool to simplify data security management.

D’Amo offers three lines of encryption products, with each securing the application, system, and network layer. It uses a wide selection of encryption algorithms tailored to each specific environment, so that clients can enjoy customized protection with the least inconvenience.

For more information on D’Amo, click here.

 

Check out Penta Security’s product lines:

Web Application Firewall: WAPPLES

Database Encryption: D’Amo

Identity and Access Management: ISign+ 

Car, Energy, Factory, City Solutions: Penta IoT Security