As modern organizations continue to move towards cloud-based infrastructures, business systems have evolved to support larger volumes of information sharing. Part of this evolution has been focused on creating higher efficiencies when accessing and collaborating on data, while other strides have been made to create strict regulations around how information is collected, shared, and protected.

In the last year alone, various new developments in enterprise security have surfaced along with regulatory compliance standards that govern it. As a business operating in a digital space, it’s your responsibility to make sure you’re aware of these requirements as they come into effect and ensure your business stays compliant at all times.

Below we’ll consider four of the most important security compliance laws in 2019 and what they mean for your business.

GDPR (General Data Protection Regulation)

The GDPR stands for “General Data Protection Regulation” and was designed to give all individuals in the European Union better control over their personal data.

When Did It Go Into Effect?

GDPR came into effect on May 25, 2018, and all applicable businesses are expected to have been in full compliance as of that date.

What Are the Compliance Requirements?

GDPR compliance standards are designed to create greater transparency over how customer data is used. In line with this, customer consent is of utmost importance: companies need to request, and document, the permissions they have been granted to collect and use customer information.

As information is collected and shared, organizations take direct accountability over how data is transferred and protected once in their care. In the event of personal data breaches, subjects need to be informed within 72 hours of the breach, and the company needs to take the necessary steps to mitigate any future security risks.

What Are the Non-Compliance Consequences?

Failure to comply with GDPR standards can result in a temporary or permanent ban on data processing, as well as one of two tiers of administrative fines. Depending on the severity of the non-compliance, companies can be fined up to 10 million euros or 2% of annual global turnover, or up to 20 million euros or 4% of annual global turnover.

CCPA (California Consumer Privacy Act)

CCPA stands for “California Consumer Privacy Act,” and was designed to introduce new rights for residents of California, requiring businesses to make the necessary structural changes to their privacy programs.

When Does It Go Into Effect?

CCPA is set to come into effect on January 1, 2020, and be actively enforced six months later on July 1, 2020.

What Are the Compliance Requirements?

CCPA sets out regulations to ensure customers know how, where, and why their information is collected and processed. Privacy policies need to clearly disclose whether and how information may be sold to third parties, and businesses must offer individuals an option to opt out of that sale.

While CCPA is designed for the protection of California residents, there are a variety of stipulations that can make companies operating outside of California liable to uphold these requirements as well.

What Are the Non-Compliance Consequences?

Substantial fines can be assessed against non-compliant companies, and civil action can be taken against offending parties. If a business has not remedied the issue within 30 days of being notified of non-compliance, it can be fined up to $7,500 per violation.

PIPEDA (Personal Information Protection and Electronic Documents Act)

PIPEDA stands for “Personal Information Protection and Electronic Documents Act” and is a Canadian law governing how private-sector organizations collect, use, and share personal information in the course of commercial activity.

When Did It Go Into Effect?

PIPEDA came into effect on January 1, 2004, and applies to for-profit organizations as well as to specific activities of non-profit organizations.

What Are the Compliance Requirements?

PIPEDA is designed around a set of fair information principles. Like other compliance regulations, the Act protects the right of individuals to give consent before organizations can use their personal information. In addition, PIPEDA limits the amount of data that may be collected and requires that it be collected by fair and lawful means.

The Act also gives individuals the right to access any and all information collected about them. Individuals can challenge the accuracy and completeness of this information and must be given the ability to have it amended as necessary. PIPEDA further stipulates the security safeguards an organization must apply while it holds personal data.

What Are the Non-Compliance Consequences?

While PIPEDA is relatively straightforward legislation to follow, the penalties for non-compliance are severe: for each violation discovered, businesses can be fined up to $100,000 per occurrence.

PCI DSS (Payment Card Industry Data Security Standard)

PCI DSS stands for “Payment Card Industry Data Security Standard.” This set of security standards was designed for any organization that accepts, stores, processes, or transmits credit card information, and it codifies best practices for handling that data.

When Did It Go Into Effect?

PCI DSS was created in December 2004 by the four major credit card companies: Visa, MasterCard, Discover, and American Express.

What Are the Compliance Requirements?

PCI DSS stipulates the strict security measures companies must take when collecting and processing credit card information. These include maintaining firewall configurations, encrypting cardholder data in transit, restricting access to cardholder data, and regularly testing security systems and processes.

Companies are also required to maintain an information security policy covering every level at which customer data is handled, and to develop and maintain secure systems and applications to house that information.

What Are the Non-Compliance Consequences?

Non-compliance fees vary widely depending on the severity of the circumstances. Acquiring banks can be fined anywhere from $5,000 to $100,000 per month, and those fines are typically passed on to the merchant. Not only can these fees cause devastating financial damage to a business, they can also damage its relationships with banking institutions.

Understanding and upholding compliance regulations is essential in today’s digital landscape. By taking steps now to ensure your business meets compliance standards at all times, you’ll save yourself from costly fees and potential legal battles that can damage your business’s long-term viability.

About ArmorPoint

ArmorPoint is a security information and event management solution that provides a cost-effective and reliable way to continually protect your business from emerging threats. Through its customizable service pricing model, ArmorPoint’s cost-effective packages and dynamic levels of expert management support the security strategies of all companies, regardless of available budget, talent, or time. And since ArmorPoint offers 24/7 security support from a team of dedicated specialists, it can provide you with the manpower you need to expertly manage all of your cybersecurity initiatives. See how ArmorPoint can make a difference in your security posture with a risk-free 30-day free trial.