Navigating modern data privacy: A review of regulatory requirements

Dirk Kappel
Slalom Denver
Jan 27, 2020

This is the first in a two-part series on modern data privacy from Slalom Denver consultant Dirk Kappel. Dirk has spent the last two years highly focused on security and compliance in regulated industries, and he recently completed his Amazon Web Services (AWS) security certification.

When I read 1984 by George Orwell in high school, it seemed so far-fetched that we would ever live in a society where we are aware and accepting of monitoring devices that are listening in 24 hours a day. The book is a cautionary tale that warns us about what life could be like if we lose control of all privacy. As naïve as I was in 1990, I figured the worst future we might face would involve the government wiretapping and spying in our homes to listen in on the intimate details of our lives. The American people would never stand for a violation like that unless it was forced upon us by a malevolent government, right? Well, we are now living in a world where we accept a smart listening device eavesdropping on our conversations and a search engine that documents every question we have, and we don’t think twice about giving up personal details while completing a survey that promises a $5 gift card to Jack in the Box.

Cover of 1984 by George Orwell, depicting a blue eye on a red background.

Nevertheless, the dystopia of 1984 still seems pretty far off. High-profile breaches in the recent past have forced people and organizations to wake up to our new reality and pushed governments to recognize that companies are not always the best stewards of the personal information they collect and distribute. People are beginning to question why they lost control of their personal data and what it is being used for. As a result, companies must recognize and prioritize data privacy or risk the varied consequences of non-compliance. And, while the onus is on each business to maintain compliance, it’s easy to get lost in the quagmire of international, national, and state regulations.

Part I of this series will provide an overview of the current regulatory frameworks that exist to give individuals control, ownership, and security of personal identifiable information (PII), and the implications of such regulations on organizations in control of this PII. Part II will present several practical methods and tools for organizations to stay compliant with data privacy regulations.

Part I: Regulatory Requirements and Related Implications

Data privacy legislation has been evolving rapidly in recent years. We need to think not only of what governs us today but of what will govern us in the future. Organizations need to look inward and define their company culture regarding the collection of PII: how should they protect this data, and who will they share it with? It is particularly important to consider the regulatory frameworks for healthcare companies and financial institutions, as both industries capture highly sensitive private data about individuals. Other key regulations include the GDPR, which governs data privacy in the European Union, and new state laws in the United States, such as CCPA, which are evolving to protect consumers.

Healthcare

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the adoption of the Privacy Rule in 2000 established in law how protected health information (PHI) can be collected and shared. The rule seeks to balance the collection of PHI needed to treat patients against authoritative limits on who may receive this data and how it may be shared. The days when our local doctor’s office stored medical records in a manila folder with tab fasteners are numbered, if not over. The flow of this medical data is now much more complex, since it can be stored in local and cloud databases and then forwarded to business associates for additional processing.

Organizations need to start with an awareness of why they are collecting PHI and ask whether it is only the minimum amount of information needed to successfully treat the patient. Patients should be informed about what their information may be used for and the rights that they retain over this data. Subcontractors that are given PHI need to be vetted, and comprehensive guidelines on how it may be used must be contained in the signed contracts and agreements. HIPAA mandates that the flow of all PHI be fastidiously tracked so that the organization maintains control of the data.

Financial Institutions

The Gramm-Leach-Bliley Act (GLBA), passed in 1999, is another set of data privacy regulations; it determines how the financial industry can disclose personal information. It requires that financial institutions provide notification to their clients when they initially gather personal information. The notification must include how private data will be used and provide an opportunity for individuals to opt out of the sharing of their data with third parties. The GLBA was one of the first sets of regulations to establish responsibilities for organizations when personal data is collected. Banks, mortgage lenders, loan brokers, and more are now required by federal law to adhere to a minimum standard of data privacy. Since the focus of GLBA was targeted only at financial institutions, it did not significantly affect data privacy outside of this industry.

Privacy Regulations in the European Union

Groundbreaking regulations went into effect in the EU in 2018 in the form of the General Data Protection Regulation (GDPR). While this is a European regulation, it has far-reaching impacts on any organization that a) does business in the European Union or b) collects personal information on citizens of the EU. GDPR defines a data subject as any person whose personal data is being collected, held, or processed. Under GDPR, organizations collecting private data must now first obtain consent from the data subject before PII may be collected.

GDPR also allows an individual to request that their data be forgotten and purged. Once the erasure request is received, the burden of removing the PII falls on the collecting organization, which must delete the data fully “without undue delay”. Organizations are also required to give notice within 72 hours to the appropriate supervisory authority any time a breach of their data is discovered. Data protection officers must now be employed by every organization that complies with GDPR. This creates the need for a best-practice design of the data storage environment, so that the flow and location of collected PII are always known and monitored. Workforce members will now need to be provided additional training on how to comply with the rule. GDPR is backed by the ability to levy fines for non-compliance that can reach the higher of €20 million or 4% of annual worldwide revenue.

California Consumer Privacy Act

The California Consumer Privacy Act (CCPA) went into effect this year and affects those doing business in California or collecting data on California residents. CCPA is similar to GDPR in its focus on granting the right to privacy to consumers who have provided PII to collecting organizations. CCPA gives the individual the ability to opt out of having their data sold to a third party. The law will protect Californians’ right “to equal service and price, even if they exercise their privacy rights.” CCPA aims to provide transparency to the consumer on how the data is used and to whom it is being disclosed by obligating the collecting organization to provide written notification of the limitations on the use of their personal data. As with GDPR, it also has a provision that grants a consumer the right to have their data deleted.

Although CCPA is the most well-known of state privacy laws, it is not the only one. Multiple states have signed similar legislation with more currently in process. This trend towards consumer protection in the US is expected to continue and all organizations that collect PII must anticipate they will be affected by similar regulations in the future — if they are not already.

Regulations are written into law to give consumers the right to data privacy. It is paramount that an organization understand which laws apply and how it plans to meet the obligations of potentially multiple laws. While there are unique differences between privacy regulations, a common theme is that consumers must be notified of how the collected data is to be used and must be allowed to demand that their data be removed from the systems of the collecting organization. Also, modern data privacy regulations will require an organization to appoint a data privacy officer to oversee the program.

In Part II, I will discuss the methods and tools that an organization can employ to begin to meet the expectations of existing regulatory requirements. I will also take a glimpse into the future of data privacy and touch on what changes can be expected and how stronger privacy laws will affect the way organizations care for and regard the data that is collected on individuals.

I am passionate about cybersecurity and discovering ways to automate security and compliance using cloud native tools.