Chances are, you’ve had to sign something at a doctor’s office, or you’ve made online purchases. While the digital marketplace and your local hospital may not appear to have much in common at first glance, they overlap more than you think. Almost every business has some sort of need based around compliance – a set of guidelines commonly determined by industry. These guidelines, laws and best practices are put in place to protect your business, your clients and your partners, and the critical information being shared.
There are many sets of compliance regulations, from financial to healthcare to those tied to geography, such as GDPR. One thing is certain: for businesses of any size, failure to comply can have steep consequences. Whether the damage is purely financial or falls on an organization’s reputation through the lost trust of clients, it is always better to have preventative measures in place and take a proactive approach to compliance.
The first step? Knowing what your critical data is, and what compliance regulations you need to follow. How can you ensure the privacy of your clients, members or patients and secure critical data if you don’t know what it is, where it is and what rules you need to abide by?
As a compliance specialist, I provide training and many other services to help organizations plan for and achieve compliance. I am often asked for guidance on not only the types of compliance, but who they might affect. Here is an overview of some of the most common compliance regulations organizations may fall under, and examples of how these regulations could impact your business:
Payment Card Industry Data Security Standard, or “PCI DSS,” is the standard mandated by the major credit card brands for storing, processing or transmitting cardholder data, in order to reduce fraud and secure this critical data. Businesses across many industries fall under the PCI DSS umbrella because they process credit card payments. Understanding where this data is and what safeguards need to be in place is key to preventing a data breach.
Family Educational Rights and Privacy Act, or “FERPA,” protects the privacy of student education records. Does your school receive funds under an applicable program of the U.S. Department of Education? If so, the law likely applies. Get familiar with its privacy requirements and with parents’ rights to access their child’s information.
The Financial Industry Regulatory Authority, or “FINRA,” is a non-governmental agency overseen by the SEC, which provides regulatory services for the financial industry to protect investors and market integrity. All brokers must be licensed and registered by FINRA. Financial examiners perform audits on a routine basis or in response to a complaint. There are hefty penalties for those who break the rules.
“GDPR,” or General Data Protection Regulation, is a law on data protection, providing certain privacy rights to residents of the European Union. If you think you are excluded from complying with this law, pay close attention to your data and business strategy. Are you marketing goods and services or monitoring behavior of EU data subjects? Do you process or store personal data of data subjects residing in the EU? If you answered yes, you should take a serious look at this law.
The Health Insurance Portability and Accountability Act, simply referred to as “HIPAA,” was enacted in 1996 and is enforced by the Office of Civil Rights to safeguard the confidentiality, integrity and availability of protected health information. HIPAA violations carry some of the most damaging fines due to the extremely sensitive nature of the data. HIPAA applies to covered entities, and a good portion of the law also applies to business associates and subcontractors. If you provide services to a covered entity where you may store or have access to protected health information, you should learn about this law and its related requirements.
Global and Government Standards
Organizations may choose to follow standards such as ISO 27001 to implement best practices for information security management systems or the NIST Cybersecurity Framework to implement guidance on improving the management of cybersecurity risk. In our experience, many law firms have acknowledged the need to maintain the privacy of sensitive client information and have chosen to implement ISO 27001 requirements to guide them in keeping this information secure.
State, Federal, and Industry Regulations
Many compliance standards and issues don’t fall under the above umbrellas. There could be dozens of state, federal and industry specific regulations that could impact your business. Conducting an analysis of your business, geographic location and the data you store will give insight into the requirements you must abide by. Creating a matrix of compliance standards that impact you will assist in developing an awareness of the most stringent standards and begin your journey to compliance.
Compliance is a complex subject, one that can be challenging and overwhelming to untangle. It is not a one-size-fits-all solution, and it is an ongoing process: being compliant once does not equal staying compliant. The best way to determine what your data and compliance needs are is to discuss them with an expert in the field. Once the critical data has been identified, work together to create a compliance strategy that will help keep your business and your clients safe.
Do you have questions? We have a team of security and compliance experts, and we’d be happy to connect with you to discuss your critical data and how you can achieve and maintain compliance.