Misunderstandings about Data Privacy
In the broad field of cybersecurity, data privacy is a hot topic, especially in the HPE NonStop space, considering the vast amount of personal, sensitive data processed on NonStop systems across the globe.
Often, terms such as “regulation,” “standard,” “governance,” and “compliance” get thrown into discussions about data privacy as though they mean roughly the same thing. The distinctions between these and other associated terms are real, though, and blurring them is how misunderstandings about data privacy get perpetuated. And data privacy is one area where you really don’t want a misunderstanding! So let’s clear up some of these terms to reach a better understanding of data privacy.
What’s In a Word?
The meanings of words really are important, especially where legalisms come into play. So what does data privacy mean? In the simplest sense, it means keeping people’s personal and sensitive information safe from public exposure or compromise. Data privacy also covers the way an organization collects, processes, handles, and stores that data while keeping people’s sensitive information private.
So whose rules are these as they relate to data privacy, how are they issued and policed (governed), and what motivations are set forward to encourage everybody to abide by data privacy rules? Perhaps the best way to proceed is to go ahead and provide fairly standard definitions for the most relevant concepts we’ll be discussing.
Law: A piece of legislation spelling out one or more governing rules, deliberated on and passed by a legal jurisdiction’s legislative body.
Legislature: Representatives of a legal jurisdiction (a state, a country) who meet and deliberate on proposed governing rules, and then determine whether to enact those rules into law.
Regulation: A rule or a law that is prescribed by a legal entity and then monitored for compliance or non-compliance by a sanctioned agency. A regulation usually spells out the conditions of compliance and non-compliance.
Regulatory agency: A governmental agency that oversees a domain and ensures that all laws and regulations related to that domain are monitored and enforced.
Standard: A rule or set of rules to which organizations conform in order to demonstrate compliance. Standards do not have the force of law and can be voluntary, though adherence is often strongly encouraged to meet a certain level of performance. A standard may also be the determining factor in being allowed to do business within an industry, and contractual obligations and the “cost of doing business” can make it mandatory and enforceable in practice.
Compliance: Conforming to a law, regulation, standard, or policy by meeting its component conditions. Depending on the situation, compliance may be a voluntary or a mandatory act.
Policy: An organization’s formal, articulated rules and restrictions, together with its stated best practices.
Hopefully, these common-sense definitions give you the backdrop knowledge you need for us now to look at data privacy through the lens of different types of mandates. We’ll focus on data privacy as it relates to laws/regulations, industry standards, and organizational policies.
Data Privacy Laws and Regulations
According to our definition above, a law requires several ingredients: a legitimate governing body, a jurisdiction over which it governs, a rule being considered, and a final yes/no vote to enact the rule into law. Once a law takes effect, acting contrary to it is an illegal act. But who enforces that law?
Generally, laws are enforced by other legal entities so that legislators can get back to the work of passing more laws (or sometimes revoking them). These other entities are usually regulatory agencies whose purpose is to oversee a domain (think securities exchanges, or environmental protection) and enforce the statutory law handed to them by the legislature. Their codified rules concerning how to enforce a law are called regulations. In a perfect world, that’s all that would be required: act according to the regulation, and we’ll all be happy.
However, it’s not a perfect world, and not every company or organization is duly conscientious. This is precisely the reason that regulations have “teeth,” meaning the ability to exact punishment for not obeying the regulation in question. Mostly, these are in the form of fines or possibly sanctions, but they could also include jail time or other such punishment depending on the circumstance and regulation. As we will see later, other punitive measures can accompany non-compliance that aren’t even instituted by the regulatory agency itself.
Because this piece is about data privacy, let’s assemble all this into a coherent view of data privacy laws and regulations, and what they mean for businesses and other organizations.
With the seemingly exponential growth of all sorts of digital transactions—from buying socks to buying cars and houses online—an unfathomable amount of personal data, much of it related to financial information (account data) but also other private and sensitive data (names, addresses, social security numbers), circulates around the Internet.
Think of all this data as millions and millions of tiny fish all swimming around. Well, in the ocean, where we have enormous schools of fish, we have something else. Predators. Like sharks gliding into a buffet of smaller fish, hackers and other predatory threat actors are salivating to consume as much private (and financial) information as possible for their own gain.
Because of this reality, data privacy has become a priority, and governing bodies recognize that organizations that collect and process people’s sensitive data must be held to a minimum standard of behavior in keeping that data out of the hands of threat actors.
The end result? You guessed it: data privacy laws issued by various jurisdictions (countries, states, the European Union) that instruct regulatory agencies to codify regulations and then enforce them upon anybody or any entity engaged in handling people’s personal and sensitive data.
While we can’t focus on every single jurisdiction (that would fill a book), it might help to take a glance at a few data privacy regulations and what they mean to various companies and other entities.
In May 2018, the European Union put into effect the General Data Protection Regulation. Adopted by the European Parliament and Council in 2016, GDPR codifies how people, companies, and organizations must handle an individual’s personal data, in keeping with the EU’s recognition of privacy and the protection of personal data as fundamental rights.
Who is affected? Those who benefit most are individuals in the European Union, whose right it is to have their personal and sensitive data treated carefully by any entity collecting or processing it. Note that GDPR protects people who are in the EU, regardless of citizenship. If you process the personal data of individuals in the EU, whether because your organization is established in the EU or because you offer goods and services to people in the EU or monitor their behavior, then you are subject to this regulation.
What does it codify? GDPR spells out the data protection principles that controllers and processors must observe: lawfulness, fairness and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; and accountability (for a more in-depth treatment of these concepts, go to gdpr.eu).
Basically, if you (or your business) are subject to GDPR, then you must abide by the specified data protection principles, show accountability through demonstrated compliance, implement appropriate technical and organizational security measures (for example, in applications that collect personal information as part of the workflow), and have a lawful basis for collecting and processing personal data in the first place. Consent is one such lawful basis, but not the only one.
What are the penalties? As with any punitive measure, GDPR fines are intended to make compliance the preferable route, regardless of the cost of compliance. GDPR has two tiers of fines: for less severe non-compliance, fines can reach €10M or 2% of the entity’s worldwide annual revenue for the previous financial year, whichever is higher. More serious infringements can result in fines of up to €20M or 4% of worldwide annual revenue, again whichever is higher.
No matter your business situation, these types of fines can make a severe dent in your bottom line.
Regulations don’t originate only from national jurisdictions. In the United States, for example, each state’s legislature has the right to pass laws that provide the structure for regulations to protect its residents, too. Various state departments and agencies oversee everything from agriculture and the environment to commerce and consumer issues. In 2018, California passed the California Consumer Privacy Act (effective January 1, 2020), which, like GDPR, seeks to protect individuals’ personal information within the state. As you might have guessed, CCPA shares some similarities with GDPR, but key differences exist too.
Who is affected? CCPA first and foremost protects anyone who qualifies as a resident of California. Even if the person is temporarily outside the state, that person is covered by CCPA if he or she is a legal resident. Like GDPR, it also binds the businesses (located either in-state or out of state) that collect and process personal information about California residents. CCPA is narrower in scope than GDPR, though: it applies only to businesses that meet at least one of three thresholds, namely annual gross revenue over $25M, buying, selling, or sharing the personal information of 50,000 or more consumers, households, or devices per year, or deriving 50% or more of annual revenue from selling consumers’ personal information.
What does it codify? CCPA gives consumers more direct control over their personal information (information that identifies them) by stipulating how businesses may collect and use that data. California residents have the right to know that a business is collecting their information and how it is being used. They also have the right to have personal information that has been collected deleted. An opt-out provision means that consumers may opt out of the sale of their personal information. On top of all this, a business may not discriminate against a consumer for exercising these rights.
What are the penalties? Fines for non-compliance with CCPA are less severe than those stipulated by GDPR. Civil penalties range from $2,500 per violation to $7,500 per intentional violation, and the private right of action for data breaches allows statutory damages of $100 to $750 per consumer per incident. In another distinction between the two, CCPA gives businesses a 30-day period to cure a noticed violation before enforcement proceeds; GDPR provides no such grace period.
The Point of Data Privacy Regulations
Many other countries and jurisdictions are moving to pass data privacy laws, along with the regulations and enforcement that go with them. Brazil’s LGPD has just taken effect, and India is deliberating on its own national data privacy law. Why this tidal wave of national and state-level regulation of data privacy? Governments want to protect their own citizens and consumers and to create a more stable, lower-risk digital economy. They also want to provide constructive guardrails for businesses and other organizations, to head off conflict between consumers and businesses. Overall, data privacy regulations seek to serve both the consumer’s and the corporation’s interests.
The main point to note about data privacy regulations is that they are, by definition, regulations. As such, they are not optional. If you or your organization meets the applicability criteria spelled out in a data privacy regulation, then you have to comply. Regulations demand and force compliance through the punitive measures they define. Carrot or stick? In this case, regulations are the stick.
Data Privacy Standards
As defined earlier, an industry standard can establish rules of process, implementation, and action in the same way that regulations do, even concerning the same concept such as data privacy. Two major differences exist, though:
- Industry standards do not have the force of law, so punitive measures are exacted by the industry, not the government. Regulations have the force of law and are enforced by governing agencies or departments.
- Industry standards can, in many cases, be optional, but organizations adopt them to help meet minimum requirements and then showcase that compliance. Regulations are not optional—compliance is mandatory if the organization meets the regulatory requirements.
In the case of data privacy, both regulations and industry standards establish rules, guardrails, and penalties. Often, the difference comes down to scope. The payment card industry has established a data security standard (PCI DSS) that narrowly defines what adherents must do to meet minimum requirements when transacting with the major card brands.
Who is affected? The PCI Security Standards Council (founded by the major card brands, including Visa and Mastercard) established the standard for all businesses that handle payment cards. It addresses how to handle consumers’ card data safely, keeping that data private between the transacting entities and the consumer. If you are a merchant or service provider that stores, processes, or transmits cardholder data, then PCI DSS applies to you.
What does it codify? PCI DSS is laser-focused on data security as one aspect of data privacy. In other words, it codifies how to keep card data secure, so that threat actors don’t compromise consumers’ payment card information.
If you take a look at a credit card, you will see most of the data fields that must be protected: the primary account number (PAN), the cardholder name, and the expiration date are cardholder data, while the CVV printed on the back is sensitive authentication data that must never be stored after authorization. During the payment process, compliant merchants must protect this information, for example by encrypting it in transit over open networks and by masking the PAN wherever it is displayed, so that it cannot be intercepted and stolen.
Stored data must be secured as well: the PAN must be rendered unreadable wherever it is stored (by strong encryption, tokenization, truncation, or hashing), so that an intrusion does not automatically become a breach of card data.
What are the penalties? The card brands and other stakeholders can make non-compliance painful. Fines are assessed on the acquiring bank and typically passed on to the merchant, ranging from a few thousand dollars to hundreds of thousands per month. A data breach can increase these penalties. Other repercussions include time-consuming and costly lawsuits, as well as losing the ability to accept payment cards at all.
A Word About Repercussions
You can clearly see that most of the negative repercussions stemming from not adhering to data privacy regulations and industry standards are in the form of fines, fees, and potential lawsuits. Basically, it hurts the offending entity where it usually stings the most—the bottom line. Usually, the fear of losing money from corporate coffers is enough to coax compliance.
However, let’s consider another repercussion, potentially even more damaging than fees, fines, and lawsuits, which arises when an organization is careless and mishandles people’s personal or financial data.
Reputational damage is often the most devastating outcome of all. Most businesses thrive because customers have brand loyalty, and brand loyalty indicates trust. If a business fails its customer base by mishandling personal data and allowing a data breach, then customers lose faith. Trust in the company withers, and brand loyalty diminishes. Lose your reputation in the market and you can lose your market share. This can be a much more expensive and harmful repercussion to non-compliance in the long run.
Data privacy is a very broad concept, addressed by many different entities, both governmental and corporate. In practice, regulations and standards are intertwined and reinforce each other: the controls you implement for one, such as encryption, access control, logging, and breach response, frequently count toward the other, so work done for GDPR helps with PCI DSS, and vice versa. Understanding your obligations, the moral obligation to maintain the trust of your customers as well as the legal and contractual obligation to comply with regulations and industry standards, can very much be a positive thing.
Compliance is a way to stay on the right side of the law, of regulatory agencies, and of the industry in which you do business. It is also a great way to build a strong relationship with existing and new customers.
Do you want to read more about cross-regulatory compliance?
If you are keen to know what you can do to get your HPE NonStop environment PCI DSS compliant, download the ebook.