Data compliance is a critical component of any company’s data management efforts, but it suffers from an image problem. Compliance is often seen as dull and boring, a long list of rules to check off simply to satisfy a control group. But data compliance is so much more than this. Done right, data compliance will both reduce risk in your business and potentially differentiate you from your competitors.
In this post, we’ll briefly review the core components of data compliance. Then, we’ll explore in more detail three standards you must be aware of.
What Is Data Compliance?
At its core, a business demonstrates data compliance when it proves it can meet an agreed-upon standard for handling, processing, and storing data. The standard is a floor that must be met. There are three chief sources of data compliance standards.
Laws and Regulations
Countries you do business in may have laws or regulations that mandate certain practices. If you’re subject to them, you must follow them and show compliance as required. If you don’t, the business can be subject to fines, and in extreme cases, executives risk jail time.
Industry Standards
There are two kinds of industry standards. One applies to a business’ domain, such as healthcare. The second applies to a business function, such as technology. There is some overlap with laws and regulations, which can affect whether a given standard is optional or required.
Internal Policy
Every company sets and maintains policies to govern business processes and staff. Typically, executive leadership identifies the owner of each policy and ratifies it to put it into effect. Some examples of such policies include privacy, harassment and misconduct, and anti-corruption. If you’ve ever taken a mandatory course on these or similar topics, your attendance was to comply with internal policies on those topics.
Now that we understand the core components of data compliance, we’ll review several critical standards in more detail.
Payment Card Industry
Purpose
The goal of the Payment Card Industry Data Security Standard (PCI-DSS) is to secure the data associated with credit cards and their account holders.
Who Must Comply
You must comply with the PCI-DSS if you handle credit card data for any of the major credit cards (Visa, MasterCard, Discover, or American Express). The credit card issuers require PCI-DSS compliance, but they rely on the PCI organization to handle compliance.
The key term for PCI-DSS compliance is “handle.” But what does it mean to handle credit card data? You handle credit card data if, at any point, credit card data passes through any computer system you own. In other words, it doesn’t matter whether you store the data, only that it goes through your system. Here’s one common example. First, your website takes in customer credit card details. Then, your website submits the details to your back-end application, which transmits them to a payment gateway. As a result, both your website and your application handle the credit card data and are in scope for PCI-DSS.
What Is Card Data?
Card data is the credit card number, the expiration date, data on the card’s magnetic stripe, data embedded in the card chip, and the authorization number.
What Does Compliance Look Like?
PCI outlines 12 requirements for a secure system that you must account for to be compliant. Some of these include deploying firewalls to protect network traffic, encrypting card data during transmission, and controlling staff’s access to cardholder data. PCI compliance impacts technology practices from information security to software development to network and system engineering.
How Do You Demonstrate Compliance?
It depends on the volume of credit card transactions. At low volumes, a self-administered questionnaire documents activities and compliance. However, for companies at a higher volume, a qualified external PCI auditor or a specially trained internal staff member performs a full audit.
What’s the Penalty for Noncompliance?
Standard penalties include higher fees, fines, and providing free credit monitoring to customers. It’s possible your bank or credit card processor could terminate your contract (and thus your ability to take credit cards at all).
Suggestions
Most likely, you’re taking credit cards as payment for goods or services you sell, so the chances you must deal with PCI are high. Here are a few suggestions for PCI compliance:
- Use a service provider to handle card data for you to minimize your exposure. Then, require the service provider to maintain its compliance.
- Create a cross-functional team to support the yearly audit and provide in-house expertise to business units.
- Ensure that IT governance processes account for PCI requirements as necessary.
General Data Protection Regulation
Purpose
The European Union’s General Data Protection Regulation (GDPR) gives consumers control over their personal data. This control requires companies to collect a consumer’s consent to data collection, provide the consumer with a list of all his or her data upon request, and delete the data when asked.
Who Must Comply
You must comply with GDPR if you collect data from EU residents or you process data on EU residents. GDPR applies even if your company is not based in the EU. GDPR focuses on personal data, which is any data that relates to an identifiable person. This is more than just data that can identify an individual. Instead, it’s any data that can be traced to an identifiable person. In most cases, that’s all the data you have about your customers.
What Does Compliance Look Like?
Complying with GDPR requires process and system adjustments to support the necessary GDPR rights. Here are four common ones:
- Publish a privacy statement on your website that outlines what data you’re collecting about your customers and how it’s used.
- Collect consent from users before collecting data about them (including web analytics).
- Give customers a way to request the data you have on them.
- Build a process to delete customer data on request.
How Do You Demonstrate Compliance?
You must provide evidence of compliance with the entirety of GDPR when requested. To make sure you can, treat GDPR compliance as you would any other yearly internal audit.
What’s the Penalty for Noncompliance?
The penalty is fines—notably, as much as 4% of your company’s global annual revenue. The EU is not messing around with this.
Suggestions
Much of GDPR is vague or open to interpretation, and this vagueness is intended to give EU regulators maximum flexibility to assess and impose penalties for breaches and violations. Consequently, this vagueness is a risk for your business, and you must treat GDPR with the appropriate seriousness. So, here are some suggestions to get you started with GDPR:
- Ensure that executive leadership understands the business risk of GDPR. Complying with GDPR will require significant resources. Make sure company executives understand the impacts of GDPR so compliance can be resourced properly.
- Implement privacy-by-design practices. GDPR has ramifications in all business processes. So, to prevent ugly surprises, incorporate data privacy efforts within business process design, including technology design and governance.
- Hire a GDPR consultant to shore up expertise. GDPR requires that you name a data protection officer. Depending on your current staff and organizational structure, the right candidate may not have the GDPR expertise you’ll need to navigate it. So, hire an external GDPR consultant to provide the extra knowledge if and when you need it.
Health Insurance Portability and Accountability Act
Purpose
The goal of the U.S. Health Insurance Portability and Accountability Act (HIPAA) is to modernize the flow of healthcare data and to make sure it’s properly protected. The HIPAA Privacy Rule defines protected health information. The Security Rule is a subset of the Privacy Rule and covers security standards for storing and transmitting health information electronically.
Who Must Comply
HIPAA covers medical providers, insurers, health plans, and health clearinghouses. But read expansively, it applies to any company handling, storing, or transmitting healthcare information about U.S. citizens.
What Does Compliance Look Like?
The Security Rule outlines three categories of safeguards: administrative, physical, and technical. It also contains organizational requirements as well as policy, procedure, and documentation requirements. HIPAA categorizes a given practice or safeguard as either required or addressable. Addressable practices are left to the judgment of the complying organization, but they are still required if applicable. HIPAA is written broadly to give Health and Human Services (HHS) regulators flexibility in applying penalties in the event of breaches.
The intent of the safeguards is to allow access to only those individuals who need it to provide services or care. This intent is enforced and monitored via controls that, for example:
- Limit access by job title, workstation, and department (physical)
- Restrict methods for copying, transmitting, and disposing of healthcare data (technical)
- Track all user access of healthcare data (technical)
How Do You Demonstrate Compliance?
Demonstrating HIPAA compliance becomes truly necessary only when you come under HHS scrutiny, such as after a breach. If that occurs, you’ll be required to furnish evidence of your HIPAA compliance. There are two ways to approach HIPAA compliance to ensure that you have the right evidence to present.
Self Assessed
First, you can conduct your own HIPAA audit on a recurring basis. Typically, for an audit to have any real validity, the auditor must be independent of the function being audited. In either case, you’d assess the state of your company’s controls and remedy any shortcomings.
External Assessment
The second way is to hire an external firm to perform a HIPAA audit for you. Such a firm typically has deep HIPAA expertise and can provide insight into your practices and safeguards, especially as they pertain to required versus addressable practices. If your company lacks sufficient HIPAA expertise, this can be a cost-effective option given the risk of noncompliance.
What’s the Penalty for Noncompliance?
The most common penalty is fines for the offending company. Notably, extreme cases of willfully and knowingly violating HIPAA carry jail time.
Suggestions
If you’re subject to HIPAA, I hope this post isn’t the first time you’ve thought of compliance. That said, here are some suggestions I’d make:
- Ensure that executive leadership understands the business risk of HIPAA. Hopefully, they’re already well aware of HIPAA if you’re in the healthcare industry. However, compliance will be expensive and affect most groups or departments in the company. You must make sure executives are aware of the business risk of HIPAA and resource staff training and compliance properly.
- Build compliance into IT governance. Because the Security Rule is almost solely about IT controls, make sure IT governance is guaranteeing compliance “by design.”
- Train staff on HIPAA’s requirements. It’s easy for staff to misunderstand these requirements or view them as a waste of their time. Instead, invest the necessary time in training so staff can work for your compliance efforts and not against them.
Wrap Up
In this post, we reviewed the core components of data compliance and then looked at three key data compliance standards: PCI-DSS, GDPR, and HIPAA. Don’t stop here, though! Above all, compliance is an ongoing process, not a one-time event. So, check out What Is Data Security Management? An Introductory Guide to learn more about the data security elements you’ll need as part of your compliance efforts. And, since companies handling data on your behalf are part of your compliance responsibility, check out Why Audit a Data Center? 5 Checks to Ask About for more guidance on extending your compliance efforts to your partners.
This post was written by Daniel Longest. With over a decade in the software field, Daniel has worked in basically every possible role, from tester to project manager to development manager to enterprise architect. He has deep technical experience in .NET and database application development. And after several experiences with agile transformations and years spent coaching and mentoring developers, he’s passionate about how organizational design, engineering fundamentals, and continuous improvement can be united in modern software development.