Regulatory Compliance

Resources

Topics Covered

This section covers the following topics:


  • Data regulations in commerce

  • Understanding the difference between geographic and sectoral regulations

  • Determining which regulations apply to your organization

A Case Study


Before we dig in, let's open with a case study of administrative enforcement against a U.S. entity that did not comply with healthcare regulations.

Whilst most businesses would have been tempted to close for the day, not in Boston; Bostonians are no strangers to cold temperatures and snowfall. And besides, the onsite meeting was taking place at a hospital, and hospitals remain open despite all forms of inclement weather.

Once onsite at the University of Massachusetts Hospital (UMass Amherst), the staff was busy discussing the headlines published in the day's newspapers: the $650,000 fine for non-compliance with governmental regulations, in this case the healthcare regulations of the United States. Malware was found installed on a workstation PC, and that workstation had access to the healthcare records of 1,670 individuals. The malware was a remote access Trojan, meaning it was possible that healthcare information had been accessed, though it was not proven that it had been.

In the course of the investigation, it was discovered that UMass Hospital had failed to comply with regulations, such as conducting a risk assessment, and had failed to implement technical security measures to protect the Center's network. The fine would have been even higher, but the OCR's Director Jocelyn Samuels took the university's finances into account. Besides being ordered to pay $650,000 as a settlement fee, UMass also had to adopt a corrective action plan (CAP) to ensure its policies and procedures were brought in line with standards, and it had to hire a third party to validate compliance over the next several years.

Failure to comply with regulations, in almost any nation, is grounds for punishment through financial penalties. But it can also result in reputational damage, legal costs, and ongoing monitoring.


Business and Regulatory Compliance


Oftentimes, I hear individuals complain about data protection and regulatory compliance. "The laws are overreaching," I've been told. In reply, I disagree: the identity data of an individual does not belong to the businesses processing that person's personal data. Said differently, the data subject owns their data, which has been entrusted to your business for safeguarding. For instance, customers, partners, and employees have entrusted their data to your organization; that data could be collected from various sources: criminal background checks, applications, copies of insurance, financial information, sexual orientation and gender, and much more.

In today's wired world, it's possible, with enough information, to apply for loans online using the data subject's information and within minutes get approved or declined. It's possible to open an Amazon account, or purchase a new smartphone with service, and so on.

Because of today's electronic reach and instant access to services, regulations are necessary in order for law enforcement to prosecute wrongdoers. But wrongdoers are not only those who remotely hack and steal identities; wrongdoers are also those to whom data has been entrusted yet who fail to provide adequate levels of protection to that information. Businesses, being data controllers and processors, are obligated ethically and legally to protect data, and more than 100 countries now have regulations that require various degrees of protection be given to identity information regarding data subjects.

It's important that we are responsible with the information entrusted to us. We should know which data protection regulations our organisation is expected to meet. Regulations were designed to protect individuals and their identity. We should not merely pursue compliance with these regulations; we should want to pursue compliance in data protection. This starts with knowing what laws apply, and what they require.


Main Types of Regulations


While there are many types of regulations, we will be discussing two types here that may apply to your business locations:


  • Geographical regulations, meaning those regulations that apply to a territory, such as the country of Australia, or the canton of Vaud in Switzerland, or the European Union, or even the city of Chicago. Some examples of geographic regulations are Switzerland’s DPA & DPO, the European Union’s GDPR, Brazil’s LGPD, Canada’s PIPEDA, the UK’s DPA 2018, Hong Kong’s Cap. 486, India’s PDP Bill 2018, and on and on it goes.


  • Sectoral regulations, meaning those regulations that apply to an industry or sector, such as financial or healthcare laws, where especially sensitive information warrants additional protection. Some examples include HIPAA for medical information in the United States, Australia's Spam Act of 2003 regarding unsolicited emails, Sweden's Marketing Act (2008:486, Marknadsföringslagen) regulating the use of personal data in advertising and marketing activities, and many more sectoral regulations around the world.


How These Regulations Apply to Your Business



A Brief Recap Before You Leave

  • Data that describes an individual's identity does not belong to the organisation, but to the individual.
  • There can be real damage that occurs from identity theft.
  • Yes, organisations do handle data, and they are obligated ethically and legally to protect that data.
  • Regulations were designed to protect individuals and their identity, not make business difficult.
  • Over one-hundred countries have implemented data protection regulations.
  • Different regulations will apply not only according to your organisation's location, but also according to the nationality of each individual whose data you manage.
