Data Protection - Compliances Adhering to Industry Needs

Gauri Mishrakoti

Imagine a vast vault, brimming with treasure - in this case, the treasure is the data that organizations collect from their customers. Organizations collect this data because it delivers real benefits - personalized experiences, optimized operations, and growth. Guarding this treasure trove, however, comes with a responsibility: the data must be handled responsibly.

Compliances in data protection play a fundamental role in safeguarding sensitive information and ensuring smooth business operations. They are an essential framework that guides organizations in handling data responsibly. Established by regulatory bodies, they have evolved to deal with data privacy, security, and protection rights from collection and storage to personal data usage. 

Compliance plays a crucial role in:

  1. Protecting the rights of individuals regarding their data
  2. Ensuring the accuracy and completeness of data
  3. Implementing standardized security measures
  4. Adhering to national and international laws and regulations
  5. Identifying, assessing, and mitigating risks related to data breaches
  6. Building trust with customers and partners
  7. Maintaining reliability for business operations

Data protection compliance varies significantly across different industry sectors due to specific regulations and standards tailored to the unique needs and risks of each industry. 

Industries and their Data Compliances

Compliances for data protection vary significantly across industries. The differences stem from differing regulatory requirements, the types of data handled, and the potential risks associated with data breaches. Here are some of the most common data compliances that industries employ:

General Data Protection Regulation (GDPR)

  • GDPR aims to give control to individuals over their data and simplify the regulatory environment for international business by unifying the regulation within the EU and the European Economic Area (EEA). 
  • It applies to any processing of "personal data," which is any information relating to an identifiable individual, such as names, email addresses, phone numbers, IP addresses, and even location data.
  • GDPR emphasizes achieving a strong level of data security through appropriate technical and organizational measures. Encryption is considered a best practice for meeting these requirements: if a breach occurs, encrypted data remains unreadable, minimizing potential harm.
  • Non-compliance with the GDPR can result in several penalties for organizations. These penalties are enforced through a tiered system of fines. The two tiers outlined for administrative fines are:
    • Tier 1 (Lower Violations)
      • The violations include failure to report data breaches to the relevant supervisory authority and affected individuals, failure to implement data protection by design & by default, failure to maintain records of processing activities, and not appointing a Data Protection Officer (DPO) when required.
      • Organizations can be fined up to €10 million, or 2% of a company's global annual revenue from the preceding financial year, whichever is higher.
    • Tier 2 (Greater Violations)
      • The violations include disobeying basic data processing principles, breaching data subject rights such as the right to be informed, the right of access, and the right to erasure, unauthorized international transfers of personal data, and failure to comply with an order from a supervisory authority.
      • Organizations can be fined up to €20 million, or 4% of a company's global annual revenue from the preceding financial year, whichever is higher.

Health Insurance Portability and Accountability Act (HIPAA)

  • HIPAA is a US federal law that focuses on protecting patients' health information.
  • HIPAA safeguards information that relates to a patient's past, present, or future physical or mental health, the provision of healthcare to the patient, or payment for the provision of healthcare to the patient. HIPAA is crucial for any entity that handles healthcare data, ensuring that patient information is kept confidential and secure.
  • End-to-end Encryption: HIPAA recommends end-to-end encryption to ensure that only the authorized sender and recipient can access the data, even if it transits through intermediary servers.
  • HIPAA violations come with a range of penalties for organizations that fail to comply. The penalties are based on the level of culpability (tier-based: knowingly, reasonable cause, willful neglect).
  • The Department of Health and Human Services (HHS) imposes civil monetary penalties on organizations that range from $137 to $68,928 per violation, with a maximum of $1.5 million per year for all violations of the same provision.
  • Criminal Penalties are pursued by the Department of Justice (DOJ) for intentional violations. Fines range from $50,000 to $250,000, with potential imprisonment of up to 10 years.

Digital Personal Data Protection Act (DPDP)

  • DPDP is a recently enacted law in India (2023) that governs the processing of personal data that is collected online (websites and apps) or collected offline and then digitized, regardless of the type of organization.
  • This also applies to the processing of Indian residents' data outside India, if it's done for offering goods or services within India.
  • Understanding and implementing the requirements of DPDP is essential for any organization processing digital personal data, ensuring robust data protection and privacy management in the digital age.
  • The act outlines significant penalties for violations. If an organization fails to implement adequate security measures to protect personal data, it can face a penalty of up to ₹250 crore.
  • Violating the rights of data subjects, such as the right to access, correction, and erasure of personal data, can lead to fines of up to ₹100 crore. If an organization fails to promptly report data breaches to the Data Protection Board of India, it can be fined up to ₹150 crore.

Securities and Exchange Board of India (SEBI) Guidelines

  • SEBI is the regulatory body for the securities and commodity market in India under the administrative domain of the Ministry of Finance, Government of India. Its regulations include guidelines for data security measures. Here is a quick breakdown of the regulations:
    • Data protection: Enforce effective data protection, backup, and recovery measures with encryption.
    • Data classification: Identification and classification of sensitive data and Personally Identifiable Information (PII).
    • Encryption Requirement: Mandates strong encryption methods for both data-in-motion and at rest.
    • Data Leak Prevention: Deployment of Data Leak Prevention (DLP) solutions or processes.
    • Data Backups: Maintaining offline, encrypted data backups and testing their integrity regularly.
    • Key Management: Restricting the management of encryption keys to authorized users to prevent unauthorized access.
  • SEBI can impose significant monetary penalties on organizations for various types of compliance violations:
    • Fraudulent and Unfair Trade Practices - ₹25 crore or three times the amount of profits made out of such practices, whichever is higher.
    • Insider Trading - ₹25 crore or three times the amount of profits made out of insider trading, whichever is higher.
    • Non-Disclosure or Misstatement - Providing false/misleading statements can result in fines ranging from ₹1 lakh to ₹1 crore or three times the amount of profits made.
    • Listing Regulations - Not meeting corporate governance norms can result in penalties up to ₹1 crore.

RBI Regulatory Framework for Customer Data Management

  • The RBI framework sets protocols for banks to manage customers' data in order to protect their privacy, prevent unauthorized access, and maintain the integrity of the financial system.
  • RBI obligates banks to implement encryption to protect data both in transit and at rest. Banks should treat it as a fundamental practice that keeps data unreadable to unauthorized parties and secures sensitive information from unauthorized access.
  • RBI can impose hefty penalties on organizations for various types of non-compliance, including:
    • Failure to Report Data Breaches - Organizations failing to report data breaches promptly can be penalized depending on the nature and impact of the breach.
    • Violation of Data Storage and Security Norms - Fines can be imposed based on the severity of the breach ranging from ₹1 lakh to several crores depending on the extent of the violation and the impact on customers.

In an era of frequent data breaches, it is crucial to adhere to data protection compliance tailored to sector-specific needs. By implementing these measures, businesses across all sectors can secure their data, reduce risk, build stakeholder trust, and ensure long-term success in a data-driven world.

