
Xplenty & Security

The Complete Guide to Data Security by Xplenty

Oscar sage
Chapter 2

Understanding Data Security Compliance Laws

Data security practices are closely related to the legal concept of data protection. Under data protection rules, organizations have an obligation to protect individual confidentiality. This means that you have to keep data safe, prevent unauthorized access and only use data for legitimate purposes.

Data protection laws vary across countries and even between states. However, many laws have an extra-territorial effect, which means that authorities will punish foreign companies for breaches.

Main data security compliance laws
1. General Data Protection Regulation (GDPR)
Primary jurisdiction: European Union
Data covered: Any data that could potentially identify an E.U. citizen
Website: https://gdpr-info.eu/
Notes: GDPR is one of the most stringent data protection regimes in the world. Companies must allow users to opt out of data collection, and they can only capture PII for essential business purposes. Organizations face severe restrictions on transporting PII out of Europe, even when using a third party service. The E.U. has successfully fined a number of American firms for GDPR breaches, including Google [5].
2. Bundesdatenschutzgesetz (BDSG)
Primary jurisdiction: Germany
Data covered: Any data that could potentially identify a German citizen
Website: https://www.gesetze-im-internet.de/englisch_bdsg/index.html
Notes: E.U. member states can introduce their own laws to supplement GDPR. Germany is the only state to have done so to date, with the BDSG law that imposes stricter controls and steeper fines. German citizens can claim for non-monetary damages such as stress and suffering under BDSG.
3. Health Insurance Portability and Accountability Act (HIPAA)
Primary jurisdiction: United States
Data covered: Protected Health Information of Americans
Website: https://www.hhs.gov/hipaa/
Notes: HIPAA refers specifically to health information about an individual, which includes medical records and biometric information. Under HIPAA, data handlers must ensure confidentiality, integrity and availability of all relevant information. They must also take steps to prevent breaches and unauthorized access.
4. California Consumer Privacy Act (CCPA)
Primary jurisdiction: California
Data covered: Personally Identifiable Information (PII) of Californian consumers
Website: https://oag.ca.gov/privacy/ccpa
Notes: CCPA grants consumers more power over their PII, including the right to know what’s on file, the right to request deletion and the right to opt out of the sale of PII. In the event of a compliance breach, consumers can directly sue the company. This law is currently unique in the U.S., but it is the template for forthcoming legislation in other states [6].
5. Australian Privacy Act of 1988
Primary jurisdiction: Australia
Data covered: PII of Australian citizens
Website: https://www.ag.gov.au/rights-and-protections/privacy
Notes: Australia amended its 1988 Privacy Act in 2017 to cover digital communications. The act takes a principles-based approach to compliance, so companies have some freedom as long as they follow the spirit of the principles. Since 2018, companies have been obliged under the Privacy Act to notify Australian authorities of data breaches that may cause harm to an individual.
6. Lei Geral de Proteção de Dados (LGPD)
Primary jurisdiction: Brazil
Data covered: Any data that could potentially identify a Brazilian citizen
Website: https://www.serpro.gov.br/lgpd/menu/a-lgpd/o-que-muda-com-a-lgpd
Notes: Brazil’s LGPD is one of the first international laws to model itself on the E.U.’s GDPR. As with European law, the LGPD covers a wide range of personal information and has an extra-territorial effect on foreign companies. However, LGPD is generally less punitive in terms of fines and enforcement.