Data Regulations and Standards where Anonymization is Critical

Are you in compliance with the data regulations and standards that govern your geographic region, industry, company or types of data you handle?

Assessing which rules and regulations apply is not easy.  Often times an organization needs to comply with multiple, overlapping regulations and standards. These regulations can also vary depending on the type of data that you are working with.

To play in today’s digital world, it is important to understand and play by the rules.

Compliance with data regulations gets you onto the playing field– it is the minimal standard for doing business in the data economy. However, the consequences of non-compliance can be severe and run the gamut from damage to a brand’s reputation, significant legal and remediation costs, and fines into the tens of millions.

Different countries, regions and states have different regulations that govern how personally identifiable data can be collected, shared and stored.  These government regulations are designed to provide guidelines and best practices based on a variety of factors.  Some of these types of regulations include CCPA, GDPR, HIPAA, APPI and LGDP.

There are also sets of standards that apply to transactions like financial or healthcare data.  These standards are different from government regulations in that many do not include fines for noncompliance.  For example, PCI-DSS (Payment Card Industry Data Security Standard) is for companies handling credit card information and compliance is recommended and voluntary. Companies that understand the importance of information security with credit cards follow the standards.

Specific domains have mandates like HIPAA (Health Insurance Portability and Accountability Act) and HITECH Omnibus Rule for healthcare which applies to any organization that handles healthcare data.

Data Regulations and Standards Driving Privacy Compliance

 

1. CCPA (California Consumer Privacy Act)

July, 2020 was the official start to legal enforcement of CCPA, the California Consumer Privacy Act. It has national, and even international implications, since it is the largest state economy in the US and ranks 5th in the world (behind Germany and ahead of India). CCPA became the first major privacy law in the US that gives consumers control over their personal information, closely aligning with GDPR (General Data Protection Regulation) in Europe.

Businesses that market, sell or collect personal data on California residents are subject to the law, regardless of where they are located. This includes tracking information on a website via the use of cookies and other marketing analytics activities. CCPA compliance might seem like it’s only for big businesses flush with data, but in fact, small, local businesses like restaurants, retailers, auto shops, salons, and professional service providers may be liable under CCPA, as well.

Generally, the CCPA applies to your company if:

  1. You “do business” in the state of California;
  2. You collect personal information from California residents or have data collected on your behalf;
  3. You make decisions regarding how that data is collected, used, or shared; and
  4. You satisfy at least one of these conditions:
    1. you make over $25M in annual gross revenue;
    2. you collect, buy, or share data from over 50,000 California residents annually; or
    3. you make 50% or more of your annual revenue selling personal information.

On the heels of the beginning of enforcement, Californians approved a follow-up act, the CPRA.

CPRA isn’t a different law, but is an expansion of the current law, which strengthens protections for consumers and clarifies some of the more unclear compliance questions for organizations.

It also creates a new government agency dedicated to handling enforcement and compliance with the new privacy regulations. It is likely to further influence and strengthen models being formalized by federal and local laws around the country

 

2. GDPR (General Data Protection Regulation)

Europe’s data privacy and security law is often considered the most thorough privacy and security law in the world. It covers data collected in the European Union (EU), but imposes obligations onto organizations doing business in the EU or handling the data of a citizen of the EU. Since the regulation was put into effect in 2018, the GDPR levies harsh fines against those who violate its privacy and security standards.

Find the guide to GDPR privacy compliance here. A general GDPR overview is here.

 

3. HIPAA (Health Insurance Portability and Accountability)

This US law provides privacy standards to protect patients’ medical records and other health information provided to health plans, doctors, hospitals and other health care providers.  This is sometimes referred to as ePHI (electronic Protected Health Information)

Developed by the Department of Health and Human Services, these standards provide patients with access to their medical records and more control over how their personal health information is used and disclosed. HIPAA represents a uniform, federal floor of privacy protections for consumers across the country. State laws providing additional protections to consumers are not affected by this new rule. HIPAA took effect on April 14, 2003. Find government-published details here.

 

4. PCI-DSS (Payment Card Industry Data Security Standard)

This applies to a wide range of companies that deal with credit card transactions. This is not a government regulation with fines for non-compliance. It is a series of security standards that are set up for entities that store, process or transmit credit cardholder data.  The act consists of twelve recommendations designed to reduce fraud and protect customer credit card information.Its ‘Protect Cardholder Data’ requirements benefit from anonymization tools as an easier way to protect stored cardholder data and more safely transmit cardholder data across open, public networks.

Summary

The key to complying with data regulation and privacy mandates is to know what the data regulations and standards are and have resources in place to

  1. inventory your data collection,
  2. identify where PII or ePHI is collected, stored and shared and
  3. put in place resources to standardize and assist the process of eliminating or managing PII.  Having a scalable, automated technology process is critical for companies of all sizes to meet the current and future data regulation mandates.

As you play in this world filled with millions of data points of PI, de-identification and anonymization are tools that can be seamlessly integrated in your processes to assist with compliance while maintaining operational efficiency.  The Pangea Masker, an AI-driven anonymization platform, de-identifies different types of data and the degree of identifiability can be adjusted to match the requirements of the data regulations and standards.