What data regulations should I follow?

With the world becoming more heavily regulated and the list of regulations growing more complex, setting up a data management system, data protections, backups and archives is becoming increasingly complex. What data regulations are in effect, and what should you pay attention to when designing your organization’s systems?

41% of small businesses don’t have a comprehensive data management policy in place. For these organizations, a good place to start is making a list of what the largest relevant regulations are, what they entail, and which ones they need to take into account when building their data management posture.

Here is a list of the most important regulations, what they entail, and what regions they affect:

General Data Protection Regulation

This law, which went into effect in 2018, gives consumers rights over their own personal data. The General Data Protection Regulation (GDPR) is a European set of rules and one of the strictest regulations in the world.

The GDPR protects personally identifiable information of customers and employees. That is a broad category that can include anything that might identify a person, like:

  • Names
  • Biometric data like fingerprints and facial recognition
  • Identification numbers like passport numbers, tax identifiers, and national identification numbers
  • IP addresses
  • Locations
  • Telephone numbers

Being one of the strictest regulations in play, it’s generally a good move to align with it even if your primary customers are not in the EU. This is especially true considering that multiple national-level regulations will increasingly take their cues from the GDPR going forward.

Health Insurance Portability and Accountability Act

The Health Insurance Portability and Accountability Act (HIPAA) is an American federal rule protecting Americans’ personal data — in this case, medical records and personal health information.

While it is more tightly focused than the GDPR, it remains a going concern. Healthcare data breaches have remained among the most common cyberattacks in recent years, and healthcare data tends to contain a vast quantity of key personal details, including social security numbers, addresses and names.

Gramm-Leach-Bliley Act

The Gramm-Leach-Bliley Act (GLB), much like HIPAA, is more tightly focused. This American federal data protection law applies to financial institutions and financial service providers in the U.S. — banks, lenders, brokerage firms, debt collectors, and investment advisors.

Digital Operational Resilience Act

The Digital Operational Resilience Act (DORA) is a European equivalent to the GLB, also tightly focused on resilience in the financial sector. Unlike the GLB, however, it is not concerned with data protection – rather, DORA harmonizes the operational resilience rules for the financial sector, applying to 20 different types of financial entities and to ICT third-party service providers. Its main areas of regulation are:

  • Risk-management software
  • Resilience testing
  • Incident reporting
  • Information sharing
  • Third-party provider oversight

Network and Information Security Directive

The Network and Information Security Directive (NIS2) is a continuation and expansion of the previous EU cybersecurity directives. While it does not touch on data management (this being the realm of the GDPR), it does require certain cybersecurity measures, including data protection systems such as backups or archives.

Planning for system recovery must include designing internal systems so they can bounce back more easily from incidents that lead to data loss or encryption. Beyond this, NIS2 also mandates multifactor authentication, reporting, training and other improvements to cybersecurity posture.

California Consumer Privacy Act

The California Consumer Privacy Act (CCPA) is a California-specific guarantee of rights over personal data. It gives California residents the right to:

  • Know what information a company collects and how it’s used
  • Opt-out or opt-in to the sale of their data
  • Delete the information that has been collected
  • Non-discrimination
  • Correct inaccurate records
  • Limit the usage of their information
  • Sue a company for a data breach

Companies even outside of California may choose to follow the regulations in the CCPA for the same reasons they might adopt GDPR standards: this law is likely to become a template for other states that want to protect residents’ privacy, and it is easier to overprepare than to react in the event you pick up customers affected by the regulation.

Which ones are relevant to me?

It may seem that the list of regulations to follow is straightforward – identify which ones impact your region or industry and adhere to those. However, there is some nuance involved. When identifying what data regulations you should follow, it’s key to understand that these regulations sometimes come into play when your customers come from an impacted region, even if your company is not necessarily based there or focused on it.

A good example of this is Microsoft’s legal wrangling with the EU regarding European regulations; while Microsoft’s European branches usually adhered to European law, it was found that not all data flows arising from the use of Microsoft 365 used European data centers exclusively. As a result, European customer data occasionally ended up overseas and thus in breach.

Consequently, it is in some ways simpler to keep your data management largely in compliance even with policies that may not fully apply to you, simply to cover your bases going forward. While this may become easier as the USA and EU come closer to hammering out an agreement on how to harmonize their data regulations, China’s Personal Information Protection Law and others like it will continue to present a complex network of intersecting laws to navigate.

Ensure compliance with proper systems

With a bewildering array of regulations, organizations that ask themselves “which data regulation should I follow” immediately follow this up with “how do I ensure my compliance in the first place?”

One of the integral parts of ensuring regulatory compliance is to set up internal data systems – protections like backups, retention through archives and supplementary data management systems – which help maintain compliance with relevant laws. Well-prepared, purpose-built software makes compliance easier and less effort-intensive for your team and ensures you can remain compliant going forward.

With a long history in the archive and backup market, TECH-ARROW stands prepared to help you meet any and all needs and requirements. If you’re prepared to bring your company into the future, contact us and schedule a free consultation with our team.


by Matúš Koronthály