In a recent survey by Cisco, 84% of respondents indicated they care about data privacy—their own data, the data of others, and the desire for more control over how that data is used. However, as reported from the first blog in our privacy series, another study found only 6% of Americans understand what happens with data once it’s collected.
The discrepancy between these statistics highlights an important need to provide education around privacy regulations and best practices. This blog post, which is the second installment within our privacy series, will explain in more detail how privacy is differentiated and what options you have when adding privacy to your organization’s assessments.
What is privacy, exactly? While the answer might seem simple, there are differentiating factors that make privacy its own unique concept in cybersecurity.
“People often think privacy and security are the same. While they are closely related, they mean different things,” said Swathi West, manager of healthcare compliance at BARR Advisory.
While both relate to the protection of data, security and privacy are reflected differently in assessments. Let’s take a look a closer look:
The Health Insurance Portability and Accountability Act (HIPAA) reflects the difference between privacy and security. The HIPAA Security Rule applies to health plans, healthcare clearinghouses, and to any healthcare provider who transmits health information in electronic form. This rule only applies to electronic protected health information or (ePHI) that is stored on a computer, in the cloud, or transmitted over the internet and then downloaded onto a local drive or USB.
However, the HIPAA Privacy Rule applies not only to health plans, healthcare clearinghouses, but also to any healthcare provider who transmits health information. The Privacy Rule covers protected health information of a patient in general, not just electronic, but also in paper and other forms.
There are a number of assessments with mappings that help organizations comply with privacy regulations. Some of these assessments vary by industry and are better suited for financial and healthcare industries who have much more specific privacy regulations. For example, a healthcare organization may choose to obtain a HITRUST certification to demonstrate their compliance with HIPAA.
West indicated that, “For the majority of organizations, ISO is a great choice to comply with privacy regulations. ISO 27701 is the latest standard in the ISO 27000 series and specifically addresses what an organization must do when implementing a privacy information management system, essentially adding privacy processing controls to an already existing standard for information security.”
BARR can perform a number of different risk assessments that adhere to the privacy standards of various industries, including:
Another notable certification is the Asia-Pacific Economic Cooperation (APEC) Certification, which has designed the APEC Privacy framework to provide an accountable approach to managing data privacy protection and the flow of personal information across borders.
It’s possible to include the privacy criteria into a SOC 2 audit. As part of the AICPA’s Trust Service Criteria (TSC), privacy incorporates eight categories into its requirements, including:
Each of these categories helps to provide your customers and partners with confidence that their personal data is protected with your organization.
The GDPR is the most thorough privacy regulation that exists in the world today. Its function is to protect the fundamental rights and freedoms of individuals residing in the European Union (EU), particularly their right to protection of their personal data.
“There is not one framework that specifically addresses the GDPR, which can make compliance seem tricky,” said West. However, BARR offers two types of assessments that help you approach GDPR compliance:
As mentioned before, ISO is a popular option which includes a global framework of controls which can help you get close to compliance with the GDPR. The Microsoft DPR also have a number of privacy components that can closely address GDPR certification.
There’s no one-size-fits-all recommendation when it comes to choosing a framework to fit your organization’s privacy practice. Different frameworks may work better for different organizations based on individual needs.
“The best thing an organization can do as they are getting started is pick one framework and stick with it. When organizations try to meet every framework, it becomes complicated, especially for an early stage company,” said West.
Any privacy assessment will examine your organization’s privacy protection policies and procedures—including what information you’re collecting, where it is stored, and how it is managed. First, it’s important to speak with your operations and legal teams to understand what regulations you may need to comply with depending on where you do business.
For example, if you are collecting and processing personal information of individuals who live in the EU, you have to comply with GDPR. If your business serves California residents and meets one or more of the three requirements spelled out in the California Consumer Privacy Act, you’re required to comply with CCPA.
More states are following in California’s footsteps. Nevada has already enacted state data privacy laws similar to the GDPR. New York, Florida, and many other states are not far behind, and moving forward, the federal government is proposing legislation for national data privacy protections in the U.S.
West added, “Even if you are not collecting or processing personal information of individuals in the EU, California, or other states and countries with similar data privacy laws, it is always important to understand what plans will be in place for the future so you can be as prepared as possible.”
BARR is here to help answer your questions regarding privacy regulations and compliance frameworks to help achieve your compliance needs. Contact us today for a free consultation.