Customer Data Security Part 1: Common Privacy Regulations for Consumers
All you have to do is pick up the newspaper or look at your favorite news site to get an idea of how serious the game has gotten when it comes to security and compliance. After a banner year of break-ins and system compromises in 2015 and an almost surreal series of information thefts throughout 2016, you don’t have to look far to get a clear picture of both the scale and scope of our current situation.
Add to this a plethora of new privacy regulations and ever-increasing security requirements for business transactions, and you have a recipe for confusion, cost, and complexity. During this series of articles, we’ll explore the factors involved and how they relate to you and your business.
There are four main topics that we’ll discuss in the series, ranging from the current regulatory climate to strategies for protecting yourself and your customers.
- Part One: Common Privacy Regulations for Consumers
- Part Two: What You Need to Know about PCI Compliance
- Part Three: EU Privacy Shield and Engaging European Consumers
- Part Four: Consumer Privacy and You: The Shared Responsibility Model
Common Privacy Regulations for Consumers
Over the last decade, a number of government and industry groups have formalized their positions on the protection of consumer privacy and personal identity. Some initiatives originated in the realm of overall consumer protection, while others were meant to combat fraud and financial risk. Regardless of origin, most of these regulations share certain common elements.
Most privacy programs focus on governing the Who, What, Where, When, How and Why of consumer privacy. Each of these common elements is defined below:
- Notice
- Choice (opt-in and opt-out)
- Accountability
- Security
- Data Integrity
- Purpose Limitation
- Recourse
- Exceptions
- Data Types
Notice
The consumer, also referred to as the “data subject,” needs to be informed of what they are getting into when they contact your organization. When it comes to data security, notice defines when and how you must communicate to the subject what you are collecting, what you will do with the information, with whom you may share it, and so on. You’ll need to communicate this information when it is collected and again whenever you change how the information is used.
Choice (opt-in and opt-out)
You must give the subject the ability to opt out during the collection process and, in most cases, at any time afterward. This can take the form of selective opt-in or opt-out. For example, you might ask, “1) Can we collect your data? and 2) Can we share this data with our partners?” It can also take the form of “all or nothing”: when the information is required to provide the service, the subject opts out by declining the service. Think ordering a pizza but not providing a name and address for delivery. (Pick-up only for you, buddy!)
Accountability
In recent years, privacy regulations have formalized enforcement policies and penalties in order to give more “teeth” to the principle of accountability. We are seeing common themes of non-repudiation, chain of custody, auditing, and formal judicial processes.
Security
All regulatory and compliance programs require some form of “reasonable” or “best practices” security planning and implementation. This usually ranges from policy and education to the technical and physical controls put in place to protect subjects’ privacy.
Data Integrity
Most programs require information to be correct, complete, and/or current. This means that you are not only protecting the information from tampering, but also providing a means for the subject to update their information when necessary.
Purpose Limitation
As mentioned in our discussion of notice, you must limit your use of the subject’s information to the purposes you communicated at initial contact (or in later communications to the subject about changes in how the information is used).
Recourse
Most privacy regulations require some form of recourse for the data subject. Typically, this is a contact within your organization to whom they can bring grievances. In some cases, there may also be a regulatory body or third-party arbiter the subject can contact if a complaint to your organization has not been resolved to their satisfaction.
Exceptions
Nearly all regulations provide for certain exceptions. These range from very specific to somewhat ambiguous in nature. In nearly all cases, exceptions are made for law enforcement or national security. There are other common themes as well, such as information needed for the benefit of the subject in an emergency medical situation. In addition, most privacy programs recognize that certain information must be used to carry out the service the subject has requested.
Data Types
As I’m sure you know, not all data is equal. For example, your Social Security number is given different consideration than, perhaps, your home phone number. The same is true of most regulatory requirements. In most cases, personally identifiable information (PII) such as national IDs, financial information and medical information is given special protection. The degree of protection and the flexibility in use vary from case to case, but nearly all privacy regulations single out these categories of data. In some cases, information about the subject’s religion, race, political affiliation, etc. is also given special protection; however, which types of data qualify differs from one regulatory body to another.
What does this mean for you?
The important takeaway is to understand the most common elements of consumer privacy and to incorporate that understanding into your compliance strategy, which will make your approach more effective. Once you understand what individual compliance programs have in common, you can start to group policies, procedures, security technology, and training according to how they address each compliance regulation you’ll need to consider across all of your markets.
The definitions above may seem simple; however, once you start delving into each of the different compliance regulations, you quickly see how confusing the terminology, categorization, and requirements can be. That is to say, ask a question of 10 different compliance programs and you’ll get 10 seemingly different answers.
In fact, as a response to the confusion among businesses and auditors alike, a number of recently emerging standards and auditing organizations have begun publishing documents that help align the different compliance regulations into a common set of requirements.
As you can imagine, understanding the intent of each rule can be daunting until you start to translate the requirements into a common set of terms and definitions. This is really the key in making sense of the global consumer privacy requirements landscape and in creating a compliance program that addresses the stated requirements in a way that is clear both to your team and to your auditors.
In our next article, we’ll explore the unique aspects of consumer regulations in the financial industry and how those factors will impact your organization.
For more information on how to protect your customers’ privacy, contact Astute Solutions to talk with an expert.