This section covers the following topics:
data protection regulations in commerce;
the difference between geographic and sectoral regulations;
determining which regulations apply to your organisation;
asking questions in the forum.
Before we dig in, let’s open with a case study: an administrative enforcement action against a U.S. entity that did not comply with healthcare regulations, resulting in a monetary settlement and years of mandated oversight.
While most businesses would have been tempted to close for the day, not in Boston: Bostonians are no strangers to cold temperatures and snowfall. Besides, the onsite meeting was taking place at a hospital, and hospitals remain open in all forms of inclement weather.
Once onsite, the staff was busy discussing the headlines in the day’s newspapers: the $650,000 settlement the University of Massachusetts Amherst (UMass Amherst) had agreed to pay for non-compliance with HIPAA, the healthcare privacy and security regulations of the United States. Malware had been found on a workstation at the university’s Center for Language, Speech, and Hearing, and that workstation had access to the health records of 1,670 individuals. The malware was a remote access Trojan, so an attacker could have read those records; the investigation could not establish whether any records were actually accessed, and the breach was reportable regardless.
In the course of the investigation by the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR), it was found that UMass Amherst had failed to comply with the HIPAA Security Rule: it had not conducted an accurate and thorough risk analysis, and it had not implemented technical security measures to protect the Center’s network (the Center sat behind no firewall). The settlement would have been even higher, but OCR Director Jocelyn Samuels took the university’s finances into account. Besides paying $650,000, UMass Amherst had to adopt a corrective action plan (CAP) to bring its policies and procedures in line with the regulations, and to have a third party validate compliance over the following years.
Failure to comply with regulations, in nearly any nation, is grounds for financial penalties. But, as the case above shows, it also brings reputational damage, legal costs, and ongoing monitoring that can outlast the penalty itself.
Business and Regulatory Compliance
Often I hear individuals complain about data protection and regulatory compliance. “The laws are overreaching,” I've been told. I disagree: the identity data of an individual does not belong to the business processing it. Said differently, the data subject owns their data, and has entrusted it to your business for safeguarding. Customers, partners, and employees have all entrusted data to your organisation, collected from sources such as criminal background checks, job or loan applications, copies of insurance documents, and financial records, and including sensitive attributes such as sexual orientation and gender.
In today’s wired world it is possible, with enough of a data subject’s information, to apply for a loan online and be approved or declined within minutes, to open an Amazon account, or to purchase a new smartphone with service, and so on.
Because of this electronic reach and instant access to services, regulations are necessary so that law enforcement can prosecute wrongdoers. But wrongdoers are not only those who remotely break in and steal identities; they are also those to whom data has been entrusted yet who fail to give that information adequate protection. Businesses, as data controllers and processors, are obligated ethically and legally to protect data, and more than 100 countries now have regulations requiring some degree of protection for the identity information of data subjects.
It is important that we are responsible with the information entrusted to us, and that we know which data protection regulations our organisation is expected to meet. These regulations were designed to protect individuals and their identity. We should not merely tolerate compliance with them; we should want it. That starts with knowing what laws apply and what they require.
Main Types of Regulations
While there are many types of regulations, we will discuss two types here that may apply to your business locations:
Geographic regulations, meaning those that apply to a territory, such as the country of Australia, the canton of Vaud in Switzerland, the European Union, or even the city of Chicago. Some examples are Switzerland’s DPA and DPO, the European Union’s GDPR, Brazil’s LGPD, Canada’s PIPEDA, the UK’s DPA 2018, Hong Kong’s Cap. 486 (the Personal Data (Privacy) Ordinance), India’s PDP Bill 2018, and on and on it goes.
Sectoral regulations, meaning those that apply to an industry, sector or activity where especially sensitive information warrants additional protections, such as financial or healthcare laws. Some examples include HIPAA for medical information in the United States, Australia’s Spam Act 2003 regarding unsolicited electronic messages, Sweden’s Marketing Act (2008:486, Marknadsföringslagen) regulating the use of personal data in advertising and marketing, and many more sectoral regulations around the world.
Data protection regulations are amended somewhere in the world every month, so staying current is best accomplished by working with a data protection firm that will notify you when a regulation affecting your organisation changes.
Which Regulations Apply to Your Business?
Where you process the data: “processing” means collecting, accessing, viewing, storing, changing, or deleting personal data. If your business accesses data at its operating location but stores it in a cloud service in another country, you are processing data in two geographies and are subject to the regulations of both. For instance, if your operation is located in Norway but you store the data in the United States, you are subject to the regulations of those two territories. Your organisation should also validate that it has a legal right to export the data from Norway to the United States (a cross-border data transfer); see the section about EU Model Clauses (Standard Contractual Clauses) in that regard.
The individual's homeland: residents of a geography are often afforded protections based on where they live, regardless of where the information is processed. For instance, if your business offers goods or services to individuals in the European Union, or monitors their behaviour, and collects their personal data, your organisation is accountable under the European Union’s GDPR even if it has no establishment in the EU. Other geographies have similar regulations, such as California (the CCPA) or Brazil (the LGPD), where residents have rights that follow their data to your organisation.
Sectoral regulations: in some cases a sectoral law applies because of what the data is and who handles it. In the United States, for example, HIPAA applies to covered entities (healthcare providers, health plans and clearinghouses) and to the business associates that handle protected health information on their behalf, which is why the UMass Amherst case above fell under it.
At Allendevaux & Company, we perform a discovery of all the regulations that apply, or may apply, to your organisation based on its anticipated data subjects. Thereafter, we create a matrix of the requirements that must be followed, and those principles are written into policies and procedures (and reflected in website privacy notices) so that they are actually carried out.
Of course, policies and procedures are of no value if employees are not aware of the practices required, so awareness and training, both initial and ongoing, are always part of an organisation’s compliance culture.
Getting Further Help
If you need guidance understanding the information above, contact the Allendevaux & Company Service Desk. You will be assigned to a certified privacy professional, accredited by ISO, IBITGQ or the IAPP, with experience in privacy law and compliance. You’ll also find telephone and email contact information at the bottom of this page.
We need your consent to receive your information and contact you. By pressing the 'Send' button below, you are providing that consent. You have the right to withdraw your consent at any time. To withdraw your consent, please email us here. For more information about what we do with your personal data and how we protect it, see our privacy notice.