Chapter 2
Understanding Data Security Compliance Laws
Data security practice is closely tied to the legal concept of data protection. Under data protection
rules, organizations have an obligation to protect the personal data of individuals: keep it secure,
prevent unauthorized access and use it only for legitimate, stated purposes.
Data protection laws vary across countries and even between states within a country. Many of them,
however, have extra-territorial effect: a regulator can act against a foreign company that processes
data about people in its jurisdiction, regardless of where that company is based.
Main data security compliance laws
1. General Data Protection Regulation (GDPR)
Primary jurisdiction: European Union
Data covered: Any personal data relating to an identified or identifiable individual in the E.U.,
regardless of that individual's citizenship or of where the processing organization is based
Website: https://gdpr-info.eu/
Notes: GDPR is one of the most stringent data protection regimes in the world. Organizations need a
lawful basis for every processing activity (where that basis is consent, the consent must be freely
given, specific and opt-in rather than opt-out), and they may collect only the personal data needed
for the stated purpose. Transfers of personal data outside the European Economic Area are tightly
restricted, even when a third-party service provider does the processing. Fines can reach EUR 20
million or 4% of worldwide annual turnover, whichever is higher, and national supervisory authorities
have fined a number of American firms for GDPR breaches, including Google 5.
2. Bundesdatenschutzgesetz (BDSG)
Primary jurisdiction: Germany
Data covered: Personal data processed by public bodies in Germany and by private organizations that
process data in Germany, within the scope of GDPR
Website: https://www.gesetze-im-internet.de/englisch_bdsg/index.html
Notes: GDPR leaves E.U. member states room to supplement it with national law, and most have done so.
Germany's supplementary law is the BDSG, which uses that room to impose stricter rules in several
areas, for example mandatory appointment of a data protection officer once 20 or more people are
regularly involved in processing personal data, and specific rules for employee data. Individuals can
claim compensation for non-material damage such as distress; that right comes from GDPR Article 82
and applies in Germany as in every other member state.
3. Health Insurance Portability and Accountability Act (HIPAA)
Primary jurisdiction: United States
Data covered: Protected Health Information (PHI) held by covered entities (health plans, healthcare
clearinghouses and healthcare providers) and their business associates
Website: https://www.hhs.gov/hipaa/
Notes: HIPAA governs individually identifiable health information, which includes medical records,
billing records and identifiers such as biometric data. The Privacy Rule restricts how PHI may be used
and disclosed. The Security Rule requires covered entities and business associates to ensure the
confidentiality, integrity and availability of electronic PHI through administrative, physical and
technical safeguards, and to guard against reasonably anticipated threats and unauthorized access.
The Breach Notification Rule requires notification of affected individuals and HHS following a breach
of unsecured PHI.
4. California Consumer Privacy Act (CCPA)
Primary jurisdiction: California
Data covered: Personal information (PII) of California residents ("consumers")
Website: https://oag.ca.gov/privacy/ccpa
Notes: CCPA grants consumers rights over their personal information, including the right to know what
is collected and with whom it is shared, the right to request deletion and the right to opt out of the
sale of personal information. Consumers can sue a company directly only for data breaches, where
certain non-encrypted, non-redacted personal information is exposed because the business failed to
maintain reasonable security; other violations are enforced by the state. At the time of writing it was
the only comprehensive state privacy law in the U.S., and it has become the template for legislation
in other states 6.
5. Australian Privacy Act 1988
Primary jurisdiction: Australia
Data covered: Personal information handled by Australian government agencies and by private
organizations with annual turnover above A$3 million (plus some smaller organizations, such as
health service providers)
Website: https://www.ag.gov.au/rights-and-protections/privacy
Notes: The Act has been amended several times since 1988. The 2012 amendments introduced the
Australian Privacy Principles (APPs), in force from 2014, and the 2017 amendments introduced the
Notifiable Data Breaches scheme, in force from February 2018. The APPs are principles-based rather
than prescriptive, so organizations have some freedom in how they comply as long as they meet the
principles. Under the Notifiable Data Breaches scheme, organizations must notify the Office of the
Australian Information Commissioner (OAIC) and the affected individuals of data breaches that are
likely to result in serious harm.
6. Lei Geral de Proteção de Dados (LGPD)
Primary jurisdiction: Brazil
Data covered: Personal data of individuals located in Brazil, and personal data collected or
processed in Brazil
Website: https://www.serpro.gov.br/lgpd/menu/a-lgpd/o-que-muda-com-a-lgpd
Notes: Brazil's LGPD is one of the first laws outside the E.U. to be modelled on GDPR. Like GDPR, it
covers a wide range of personal data, lists the legal bases on which it may be processed and applies
extra-territorially to foreign companies that offer goods or services to individuals in Brazil or
process their data. Fines are lower, however: up to 2% of the company's revenue in Brazil in the
preceding year, capped at R$50 million per infraction, compared with GDPR's 4% of global turnover or
EUR 20 million. Enforcement is handled by Brazil's national data protection authority, the ANPD.