Data compliance is the formal governance structure in place to ensure that an organization complies with the laws, regulations and standards relating to its data. The process regulates the possession, organization, storage and management of digital assets or data to prevent their loss, theft, misuse or compromise. The stipulated regulations and standards determine what data must be protected and the most suitable processes.
In other words, data compliance refers to all the regulations a business must follow to ensure that the sensitive digital assets it owns (usually personally identifiable information and financial details) are protected from loss, theft and misuse. These rules come in several forms: industry standards, state or federal laws, or even supranational regulations like the GDPR. Whatever their form, they typically specify which data types must be protected, what penalties businesses that fail to comply will face, and which processes are acceptable under the legislation.
Below are the data compliance standards and how to meet them:
GDPR: One of the newest and broadest standards, the General Data Protection Regulation (GDPR) of the European Union, has been hard to ignore over the past year. In effect since May 25, 2018, it sets out rules on people's right to know what data companies hold about them, how companies must treat that data, and tougher requirements for reporting breaches.
Health Insurance Portability and Accountability Act (HIPAA): HIPAA dictates how US organizations that handle people's health and medical records must ensure the security and confidentiality of those records. Because these details are among the most sensitive records an organization will keep, the penalties for failing to protect them can be severe. In 2018, for example, insurance company Anthem agreed to pay a $16 million fine after a hacking attack exposed the health information of nearly 79 million people.
Payment Card Industry Data Security Standard (PCI DSS): For businesses that handle customers' financial information, the PCI DSS is a vital part of any compliance process, setting the rules for how businesses handle and protect cardholder data such as credit card numbers. Unlike the others on this list, PCI DSS is not a government-mandated set of rules but an industry standard. That does not make it any less important: a business found non-compliant can face hefty fines or even lose its relationships with banks or payment processors, making it very difficult to accept card payments.
Sarbanes-Oxley Act of 2002 (SOX): SOX is meant to protect against any repeat of the corporate accounting scandals that engulfed companies like Enron a few years ago. As such, it is more about financial reporting than data protection, so IT professionals may consider it less important than some of the other regulations they face.
California Consumer Privacy Act (CCPA): The CCPA was passed in 2018 and came into effect on January 1, 2020. It is one of the toughest consumer protection laws many US-based businesses will face and has been described as the Californian equivalent of the GDPR. While it is not as demanding as the GDPR in its reporting requirements, it is in some respects even stricter than its European counterpart.