With the ever-evolving data privacy landscape and a growing number of state and international privacy laws, it can be cumbersome to identify which of these apply to your organization and, furthermore, how your organization must comply. Depending on your organization’s business model, industry and many other factors, you will likely need to comply with at least one, and potentially several, of the data privacy regulations listed below (this is not an exhaustive list). We have helped organizations across industries, both domestically and globally, to prepare for and achieve compliance with these data privacy regulations:
The General Data Protection Regulation (GDPR)
The GDPR is one of the strictest privacy and security laws in the world. Though it was drafted and passed by the European Union (EU), it imposes obligations on organizations anywhere, so long as they offer goods or services to, or monitor the behavior of, people in the EU. The regulation took effect on May 25, 2018 to protect and empower individuals in the EU with respect to data privacy, reshaping the way organizations across the globe approach data privacy. The GDPR can levy harsh fines against those who violate its privacy and security standards: for the most serious infringements, penalties of up to the greater of €20 million or 4% of the organization’s total worldwide annual turnover for the preceding financial year.
California Privacy Rights Act (CPRA)
In November 2020, over 9.3 million Californians voted to approve the CPRA of 2020 with the passage of Proposition 24. The CPRA is the strongest consumer privacy law enacted in the United States to date and achieves broad general parity with the most comprehensive laws in other jurisdictions, including the GDPR.
The CPRA amends and expands California’s existing 2018 privacy law, the California Consumer Privacy Act (CCPA). It applies to personal information collected on or after January 1, 2022, became operative on January 1, 2023, and has been enforceable (by the new California Privacy Protection Agency as well as the Attorney General) since July 1, 2023. The CPRA builds upon the CCPA in a number of ways:
California Consumer Privacy Act (CCPA)
The CCPA gives consumers more control over the personal information that businesses collect about them. The law secures new privacy rights for California consumers, including
The Health Insurance Portability and Accountability Act of 1996 (HIPAA)
HIPAA was developed to protect the privacy and security of certain health information. To fulfill this mandate, the U.S. Department of Health & Human Services (HHS) published the HIPAA Privacy Rule and Security Rule. The Privacy Rule establishes national standards for the protection of individually identifiable health information, known as protected health information (PHI), in any form.
The Security Rule establishes a national set of security standards for protecting PHI that is created, received, maintained or transmitted in electronic form. It operationalizes the protections contained in the Privacy Rule by specifying the administrative, physical and technical safeguards that organizations called “covered entities” (and, under the HITECH Act, their business associates) must put in place to secure individuals’ electronic protected health information (ePHI).
The purpose of the Privacy Rule is to protect the privacy of individuals’ health information while allowing covered entities to adopt new technologies that improve the quality and efficiency of patient care. Because the health care marketplace is diverse, the Security Rule is designed to be flexible and scalable, so that a covered entity can implement policies, procedures and technologies appropriate to its particular size, organizational structure and the risks to the ePHI it holds; a documented risk analysis is the required starting point. Within HHS, the Office for Civil Rights (OCR) is responsible for enforcing the Privacy and Security Rules through voluntary compliance activities and civil money penalties.
Gramm-Leach-Bliley Act (GLBA)
The GLBA is a federal law, also known as the Financial Modernization Act of 1999, which applies to financial institutions, including higher-education institutions (which the FTC treats as financial institutions because they administer student financial aid). The intent of the GLBA is to protect the security, confidentiality and integrity of customer information, where customer information is any record containing non-public personal information…about a customer of a financial institution, whether in paper, electronic or other form, that is handled or maintained by or on behalf of the institution. The FTC’s Safeguards Rule, updated in 2021, sets out the specific information security program elements a covered institution must implement.
A critical component of understanding how an organization’s data (often consumer data) travels throughout its lifecycle is to document the business processes that handle it and to develop data flow diagrams showing where that data is collected, stored, shared and deleted.
Regardless of whether your data privacy program was recently established or is well tenured, it is important to assess its ongoing effectiveness in today’s ever-evolving technological and regulatory environment.
A Data Protection Impact Assessment (DPIA) is a process to help identify and minimize the data protection risks that a specific processing activity poses to individuals; under GDPR Article 35 it is mandatory for processing that is likely to result in a high risk to individuals’ rights and freedoms.
The NIST Privacy Framework is a voluntary tool intended to serve as a foundation to help organizations identify and manage privacy risk, so they can build innovative products and services while protecting individuals’ privacy.
Our approach to Privacy by Design ensures that privacy and security controls are aligned with an organization’s tolerance for risk, its regulatory obligations and its commitment to building a sustainable, privacy-minded culture.
At Schneider Downs, our IT Risk Advisory Practice has a team of professionals who specialize in data privacy. Our team understands not only the evolving data privacy regulations but also the technologies that enable the controls needed to reduce and protect an organization’s data footprint and to manage the ongoing risk of non-compliance.
p: 614.621.4060 f: 614.621.4062