Data is among an organization's most valuable assets and must be protected accordingly. In the digital business world, cybercrime is rampant, making data protection and data privacy a major focal point. The increasing use of technology and the growing exposure to evolving cyber threats have led to a major change in the field of data security and privacy. For these reasons, regulators around the world have created strict data privacy laws that companies must meet.
Data privacy laws aim to secure individuals' data while also giving them control over it. With so many data privacy regulations in place, companies now have to meet these laws and ensure compliance with their requirements. For an organization to accommodate these regulations, it is important to be aware of the common data privacy laws that exist globally. A global view is imperative, given that most companies doing business online have a global presence. Also, many regulations build on precedents set in other countries.
International data privacy laws
Data privacy has become a high priority, especially since many global regulators and governing bodies have created and enforced various data privacy laws. These laws are designed to regulate and secure the data processing activities of organizations that handle personal data. Currently, 128 countries have data security and data privacy legislation in place to protect personal data. Some of the well-known laws include the following:
- EU General Data Protection Regulation – The EU General Data Protection Regulation (GDPR) is one of the best-known and most comprehensive international data privacy laws. It governs the processing of personal data of EU citizens, and organizations that process such data must comply with it. The regulation protects the data privacy rights of individuals in the European Union.
- UK General Data Protection Regulation – The UK General Data Protection Regulation is a relatively new data privacy law in the UK. After Brexit, the UK GDPR came into effect on January 1, 2021. Under the new law, organizations that process personal data of UK citizens are required to comply with the UK GDPR. It mirrors the EU General Data Protection Regulation, with some modifications for UK requirements.
- CCPA – The California Consumer Privacy Act seeks to protect the personal data of California residents. It is a unique law in the United States that regulates the processing of consumer data and gives consumers complete control over the use of their data.
- HIPAA – The Health Insurance Portability and Accountability Act (HIPAA) is designed to protect sensitive patient health information (PHI). Organizations that process protected health information must be HIPAA compliant. Compliance requires implementing the necessary administrative, technical and physical safeguards to protect PHI and electronic PHI (ePHI).
- PIPEDA – The Personal Information Protection and Electronic Documents Act (PIPEDA) is the Canadian data privacy law that governs the way private sector organizations handle personal information. The law governs commercial processing activity and applies to all private sector organizations in Canada that process personal data of citizens for commercial use.
- PDPA (Singapore) – The primary objective of Singapore's Personal Data Protection Act (PDPA) is to "regulate the collection, use and disclosure of personal data by organizations in a manner that recognizes the right of individuals to protect their personal data and the need for organizations to collect, use or disclose personal data for purposes that a reasonable person would consider appropriate in the circumstances."
- PDPA (Malaysia) – Malaysia's Personal Data Protection Act (PDPA) regulates the processing of personal data by businesses in commercial transactions. The law entered into force on November 15, 2013, and was implemented to ensure compliance with certain data privacy obligations and to protect the rights of data subjects over their personal data. The law strengthens data protection and privacy practices, enabling data owners to retain control over their data.
- Privacy Act (Australia) – The Privacy Act is Australia's privacy legislation. Created to protect the personal information of Australian citizens, it is among the oldest privacy laws in the world. The law, enacted in 1988, governs the way private and government organizations handle personal information. It has been revised repeatedly since its original enactment and enhances the security and privacy of individuals while regulating the way organizations handle personal information.
- New Zealand Privacy Act – An often overlooked piece of privacy legislation is the New Zealand Privacy Act. What makes this law worth noting is that it contains a peculiar section that allows an agency to give a "decision not to confirm or deny personal information." This is unusual when compared with other privacy legislation.
Data Protection Technologies
Organizations around the world are expected to comply with the data privacy regulations that fall within their scope. Failure to comply with these laws may result in fines, penalties, financial loss and possible loss of reputation. Organizations must adopt advanced technologies and solutions to maximize data protection. Implementing these technologies can help a company restrict and monitor access to data while also responding to threats. To prevent incidents and ensure data protection, the following measures should be implemented:
- Data Loss Prevention (DLP) – Data Loss Prevention is software that detects, tracks and monitors activities related to sensitive data. It can prevent critical incidents such as data breaches, accidental data deletion and data mining.
- Identity and Access Management (IAM) – IAM is a way to check credentials and permissions for all logins on selected systems. The technology ensures that only the correct entity obtains privileged access, based on role-based access controls. It supports flexible and multi-factor authentication, session logging and management, and similar features that prevent unauthorized access.
- Encryption – Encryption is a data security method that ensures that only a user who holds the correct key can decrypt the data. In this way, the data is protected from disclosure. It is one of the most effective ways to protect data and ensure privacy, because even in the event of data theft, the information is unreadable to an unauthorized user.
- Tokenization – Tokenization is a technique that replaces sensitive data with random strings of characters, known as tokens. Without access to the token vault, a user cannot reverse a token or recover the original data. This is another way sensitive data is secured against unauthorized access.
- Endpoint Protection Platform (EPP) – Endpoint protection software is deployed on devices to prevent threats such as malware, hacking, data loss and other malicious activity. The software helps detect and prevent threats at endpoints such as servers, networks, desktops, mobile devices, printers, routers and connected devices. Network ports can also be protected. EPP monitors the network perimeter and filters traffic for maximum security.
- Firewalls – Firewalls are network devices that may be implemented in hardware or software. They are designed to monitor incoming and outgoing network traffic and filter it according to the applicable set of rules.
- Data erasure software – Data erasure software deletes electronic data from a storage device in such a way that it cannot be recovered. Once data is deemed no longer relevant, it can be eliminated using this technology. In this way, organizations relieve themselves of the responsibility for storing unnecessary data. In fact, data deletion is a requirement in many data privacy regulations.
Best practices for ensuring data privacy
Data privacy and security depend on adopting and implementing best practices. Following them helps an organization streamline its processes and put effective data privacy measures in place. Some of the industry best practices include:
Data Privacy Policies
Data privacy policies are important documents in the compliance journey. A privacy policy is a legal document that directs the employees of the organization to follow specific rules and guidelines in line with the applicable legislation. The organization should clearly define the scope of its policy and establish clear rules to support data privacy and security. This includes identifying the processes and practices that ensure effective implementation.
Minimal data collection
The best way to ensure data security and privacy is to limit data collection. Organizations must ensure that only the data necessary to carry out business is collected, and that it is retained only until it is no longer needed. After that, the organization must ensure the safe disposal of the data. Reducing data collection also reduces storage costs and narrows the compliance scope.
Customers value transparency in how their data is processed and stored. It is therefore important that customers are involved in the privacy process, including consent, notification and the options available to them to modify their data collection choices. This includes an opportunity for customers to opt out of data collection.
One way to ensure data privacy is to create an inventory and categorize data based on its sensitivity. Once an organization understands the data in its custody, how it is handled and how it is stored, it becomes easier to implement security and privacy measures around it. Policies can then be defined based on how information is collected, stored and processed to maximize security.
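The detection a DLP tool performs and the sensitivity inventory recommended above can be built from the same logic. The following is an added example, not code from the original article: it scans constructed sample records for payment card numbers (regex plus Luhn check, so ordinary numeric IDs are not flagged) and e-mail addresses, then assigns each record a sensitivity tier. Field names, tier labels and sample data are hypothetical.

```python
"""Sensitive-data discovery for a data inventory (added example, not from the article).

Finds card numbers (PAN) and e-mail addresses in records and labels each record
with a sensitivity tier. Tier names, field names and sample data are constructed.
"""
import re

PAN_RE = re.compile(r"\b(?:\d[ -]?){13,18}\d\b")  # 14-19 digits, optional separators
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")


def luhn_valid(digits):
    """Luhn checksum, so that random 16-digit identifiers are not reported as PANs."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_sensitive(text):
    """Return the set of sensitive-data categories found in one text value."""
    found = set()
    for m in PAN_RE.finditer(text):
        if luhn_valid(re.sub(r"[ -]", "", m.group())):
            found.add("PAN")
    if EMAIL_RE.search(text):
        found.add("EMAIL")
    return found


def classify_record(record):
    """Inventory entry: which fields hold which categories, and the record's highest tier."""
    fields = {}
    for name, value in record.items():
        hits = find_sensitive(str(value))
        if hits:
            fields[name] = sorted(hits)
    if any("PAN" in cats for cats in fields.values()):
        tier = "restricted"      # payment card data: strictest handling
    elif fields:
        tier = "confidential"    # personal data such as e-mail addresses
    else:
        tier = "internal"        # nothing sensitive detected
    return {"fields": fields, "tier": tier}
```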
Privacy by design
Privacy by design is critical to ensuring that systems and processes comply with data privacy and security standards and regulations. It should be the foundation on which the development lifecycle and business operations are built. The organization should strive to include privacy as an essential element at every stage of its development and business processes.
Training and Awareness
Data privacy and security must be embedded in the business culture and business processes. To this end, every employee must receive adequate training on industry best practices, prevalent cyber threats, data privacy requirements and guidelines, and relevant data security principles. Furthermore, employees must be familiar with business practices and be responsible for following the organization's internal security policies and cybersecurity best practices.
Data privacy is essential, not only from a compliance perspective but also in terms of supporting consumer rights. In a data-driven world, consumers recognize and value a business that prioritizes data privacy; it strengthens their confidence in the business and in how it handles their personal data. Establishing privacy as a fundamental pillar of business operations and policies will help organizations meet data privacy requirements in line with the various industry standards and regulations.
About the author: Narendra Sahu (PCI QSA, PCI QPA, CISSP, CISA, and CRISC) is founder and director of VISTA InfoSec, a global information security consulting firm based in the United States, Singapore and India. Mr. Sahu has over 25 years of experience in the IT industry, including information risk consulting, assessment and compliance services. VISTA InfoSec specializes in information security auditing, consulting and certification services, which include GDPR, HIPAA and CCPA, NESA, MAS-TRM, PCI DSS Compliance and Audit, PCI PIN, SOC2, PDPA and PDPB, to name a few. Since 1994, VISTA InfoSec has worked with organizations around the world to address regulatory and information security challenges in their industry. VISTA InfoSec has played an instrumental role in helping multinational companies achieve compliance and secure their IT infrastructure.
Editor’s note: The opinions expressed in the guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.