Enterprise IT security news and advice

Data Privacy Laws

The primary purpose of data privacy laws is to protect information about private individuals from abuse and unauthorised disclosure. Data privacy laws vary in severity around the world, both in the standards of protection that organisations must provide and in the penalties levied against individuals and organisations that violate them. Many countries have adopted comprehensive data privacy laws; most notably, the EU introduced the General Data Protection Regulations (GDPR) in May 2018. Comprehensive data privacy laws protect nearly all types of personal information, whether held in digital or analogue formats and whether held by private organisations or public bodies. Over 100 countries have adopted such comprehensive privacy laws. The US is notable for lacking any legislation of this kind. Instead, it has limited sectoral laws in some areas, such as the Health Insurance Portability and Accountability Act (HIPAA) covering healthcare information or the Gramm-Leach-Bliley Act (GLBA) in the finance industry.

In this article, we will be discussing some of the most prominent data security laws from Europe and the US.

General Data Protection Regulations (GDPR)

The General Data Protection Regulations (GDPR) hit the headlines earlier this year as they were introduced into EU law on May 25th 2018. GDPR has been cited as the biggest change to EU personal data laws since 1995. The regulations were designed to give individuals in the EU control over their data by changing how the data can be collected, used, and stored by those who handle the information. While the regulations are a part of EU law, their jurisdiction stretches to any organisation which handles data which has been collected within the EU, regardless of the location of their headquarters. In this global society, GDPR’s impact has been felt around the world.

Most of the public are only aware of the GDPR because of emails from businesses asking them to reconfirm that their data may be used for purposes such as marketing new products. This influx of emails was caused by one of the biggest changes that GDPR introduced: new data-collection procedures that ensure customers give informed consent to the collection and use of their data. Organisations both inside and outside the EU may need to redesign their consent forms to fit the new requirements. GDPR stipulates that consent to data processing must be a separate act from consent to other criteria, such as general terms and conditions. Furthermore, giving consent must be a deliberate act, so pre-checked consent boxes are no longer permitted. If consent had previously been acquired this way, it must be reacquired if the organisation still wants to use the data, hence all of the emails.

The penalties for non-compliance are huge: either a fine of €20 million (around $23 million) or 4% of the company’s annual turnover, whichever is higher.

Health Insurance Portability and Accountability Act

The Health Insurance Portability and Accountability Act (HIPAA) is one of the most important pieces of legislation in the American healthcare industry. Enacted by Congress in 1996 and signed into law by President Bill Clinton, HIPAA was originally designed to address the issue of health insurance coverage for people who were between jobs. Without HIPAA, individuals who found themselves in these circumstances would be left without health insurance, and potentially unable to pay for critical healthcare.

However, HIPAA is now much more famous for its secondary role: the protection of the private healthcare information of US citizens. HIPAA introduced important changes in how patient data is stored, transmitted, and handled by individuals in the healthcare industry. It is not just healthcare professionals that must comply with the Act; health plans, healthcare clearinghouses, and business associates of HIPAA-covered entities must comply as well.

For example, HIPAA’s Privacy Rule, introduced in 2000, places restrictions on the allowable uses and disclosures of protected health information (PHI). The Rule stipulates that only authorised individuals may access PHI. Therefore, organisations must have appropriate procedures and safeguards in place to ensure that no unauthorised disclosures, whether accidental or through a deliberate attempt such as hacking, take place.

Importantly, HIPAA gave patients an unprecedented number of rights over their data. The Privacy Rule allows patients to authorise who can see their medical information, and the ability to access their data on request.

In addition to improving the rights of healthcare patients in the US and creating a nationwide standard of healthcare data protection, HIPAA’s creators incorporated several procedures and protocols to improve the efficiency of the healthcare industry. For example, code sets had to be used along with patient identifiers, which helped pave the way for the efficient transfer of healthcare data between healthcare organisations and insurers.

HIPAA is controversial; its detractors state that it adds new levels of bureaucracy to an already strained healthcare system, and unnecessary financial burdens on smaller businesses as they struggle to comply with all its regulations. Although its merits appear debatable, its effect on the US healthcare industry is undeniable.

Gramm-Leach-Bliley Act (GLBA)

Also known as the Financial Services Modernisation Act of 1999, GLBA included a Financial Privacy Rule that required financial institutions to provide each of their customers with a notice when the business relationship was established, explaining what information about the consumer is collected, with whom the information is shared, for what purposes the information has been collected, and the safeguards implemented to ensure that the data is protected. A privacy notice of this nature must also be sent to the consumer annually. The notice must inform the consumer of their right, under the Fair Credit Reporting Act, to opt out of their information being shared with other parties. The Fair Credit Reporting Act does not allow clients to opt out of:

  • information which is deemed legally required
  • product or service marketing from the financial institution in question
  • information shared with those providing a service to the financial institution

GLBA’s Safeguard Rules require financial institutions to have adequate safeguards in place to ensure that their client information is kept secure. Furthermore, they are responsible for ensuring that their affiliates and service providers have similar security measures in place.