There are many privacy frameworks today. Some are voluntary and others are enforced by law. Whichever you aim to achieve, they all share the same purpose: individual privacy.
A privacy framework is a set of requirements that organizations follow to protect individuals’ personal data. From an organization’s perspective, it is about the policies and procedures for managing data and using it only for defined purposes; from an individual’s perspective, it is about preventing misuse of their personal information.
How an organization is supposed to collect, use, and disclose an individual’s personal information is guided by the particular data privacy framework.
Consumers care about safeguarding their details and have the right to know how companies share their data with third parties. But most consumers lack the knowledge and resources to enforce the correct use of their data by organizations. Hence, legal standards like GDPR, CCPA, and HIPAA exist.
How does data privacy differ from data security?
Before we move ahead, let’s look at the difference between data privacy and data security. The two are interrelated and often confused with each other, but they are not the same.
Data security aims to protect organizational data from unauthorized access, use, disclosure, modification, disruption, or destruction. It is achieved through technical and non-technical measures such as encryption and access control.
Data privacy, on the other hand, rests on the principle that individuals own the information about them. Privacy addresses an individual’s concerns about their data being used without their consent or for purposes they did not agree to. Security is a prerequisite for privacy: you cannot keep a promise about how data is used if you cannot control who can access it.
How to choose the right privacy framework?
Before choosing a privacy framework, assemble a team of cybersecurity, IT, information security, legal, and compliance experts together with business owners to discuss the scope of the candidate frameworks.
The team should first take stock of the frameworks already in use within the organization; one of them can serve as the foundation for the new program. The team should pay special attention to security and privacy frameworks such as NIST CSF, ISO 27001, and ISO 29100 (which defines a privacy framework and terminology).
There is no one-size-fits-all solution when it comes to selecting privacy frameworks for your company. Your industry, the locations you operate in, the geography of your customers, and the kind of information you store determine which frameworks you need. For example,
- If you handle protected health information as a covered entity or a business associate, you have to be HIPAA compliant
- If you meet the CCPA’s business thresholds and collect personal information of California residents, you have to be CCPA compliant
- If you process personal data of people in the EU (or the UK, under the UK GDPR), you have to be GDPR compliant, wherever your company is based
- If you sell cloud services to US federal agencies, you need a FedRAMP authorization
This article will help you understand the essential privacy frameworks and how each protects both your customers’ data and your organization’s reputation.
Different privacy frameworks
1. GDPR (General Data Protection Regulation)
The General Data Protection Regulation (GDPR) governs how organizations handle the personal data of individuals in the European Union; since Brexit, the UK applies its own near-identical UK GDPR. GDPR is designed to give individuals more control over their personal data. Note that it applies based on where the data subject is located, not on citizenship.
The purpose of GDPR is to safeguard individuals’ personal data and prevent its misuse in any manner.
It applies not only to European companies: any organization, wherever it is established, that offers goods or services to people in the EU or monitors their behaviour must comply.
Maintaining proper controls to safeguard personal data is entirely the responsibility of the organization (the controller, and the processors acting on its behalf).
GDPR restricts the reasons for which personal data may be collected. Among its principles:
- Data must be collected for a specified, explicit, and legitimate purpose and not further processed in a manner incompatible with that purpose (purpose limitation)
- Data collected must be limited to what is necessary for that purpose (data minimisation)
Every processing activity also needs a lawful basis, such as consent, performance of a contract, or legitimate interest.
When an organization fails to comply with GDPR, supervisory authorities can impose heavy fines. The amount depends on factors such as whether the infringement was intentional or negligent, its nature and severity, its duration, the number of data subjects affected, and the degree of damage they suffered.
The penalties fall into two tiers.
- Lower tier: up to €10 million or 2% of worldwide annual turnover from the previous financial year, whichever is higher.
- Upper tier: up to €20 million or 4% of worldwide annual turnover from the previous financial year, whichever is higher.
Some of the heftiest fines levied on well-known companies are:
- Amazon: Luxembourg’s data protection authority (CNPD) fined Amazon Europe Core €746 million in 2021 over its advertising targeting system, in which customer data was processed without proper consent.
- Instagram: Ireland’s Data Protection Commission fined Instagram (Meta) €405 million in 2022 for GDPR violations in how it handled children’s data.
2. HIPAA (Health Insurance Portability and Accountability Act)
The Health Insurance Portability and Accountability Act (HIPAA) is a US federal law that protects individually identifiable health information, known as protected health information (PHI). It gives patients confidence that their medical data is safeguarded and not disclosed to third parties without authorization.
HIPAA’s Privacy Rule governs the use and disclosure of an individual’s health information by the entities subject to it, termed covered entities, and by their business associates.
These entities are:
- health plans (health insurance companies, company health plans, and government programs such as Medicare and Medicaid)
- health care providers that transmit health information electronically (doctors, clinics, psychologists, dentists, chiropractors, nursing homes, and pharmacies)
- health care clearinghouses (intermediaries between health care providers and insurers)
- business associates (people or organizations that handle PHI on behalf of one of the entities above; they are not covered entities themselves but are directly liable under HIPAA)
To comply with HIPAA’s Security Rule, covered entities and business associates must ensure the confidentiality, integrity, and availability of all electronic PHI (ePHI) they create, receive, maintain, or transmit; identify and protect against reasonably anticipated threats to its security; and protect against reasonably anticipated uses or disclosures that are not permitted.
If your organization fails to comply with HIPAA, a civil penalty can be imposed; criminal penalties also exist for knowingly obtaining or disclosing PHI in violation of the law.
Penalties for civil violations (figures below reflect the annual caps HHS announced under its 2019 enforcement discretion; the statutory maximum at every tier is $1.5 million per year, and all amounts are adjusted annually for inflation)
- Tier 1: The entity did not know, and could not reasonably have known, of the violation: $100 to $50,000 per violation, with an annual maximum of $25,000 for identical violations
- Tier 2: The violation had a reasonable cause and was not due to willful neglect: $1,000 to $50,000 per violation, with an annual maximum of $100,000 for identical violations
- Tier 3: The violation resulted from willful neglect but was corrected within 30 days: $10,000 to $50,000 per violation, with an annual maximum of $250,000 for identical violations
- Tier 4: The violation resulted from willful neglect and was not corrected: $50,000 per violation, with an annual maximum of $1.5 million
3. CCPA (California Consumer Privacy Act)
CCPA is a California state law that regulates how businesses, wherever they are based, handle the personal information (PI) of California residents. It gives consumers more control over the data companies collect about them.
Personal information under the law is broad: it includes browsing history, geolocation data, and a visitor’s interactions with a website or application. Since the CPRA amendments took effect in 2023, it covers employees’ as well as consumers’ data.
Under the law, companies must let consumers opt out of having their personal information sold or shared with third parties. California consumers can demand to see the information a company holds about them and the categories of third parties with which it is shared. Consumers can also sue a company directly, but only when their unencrypted and unredacted personal information is breached because the company failed to maintain reasonable security; other violations are enforced by the state.
Not every organization doing business in California is in scope: the law applies to for-profit businesses that exceed $25 million in annual gross revenue (a threshold adjusted periodically), or that buy, sell, or share the personal information of 100,000 or more consumers or households, or that derive 50% or more of their revenue from selling or sharing personal information. If you are in scope, compliance protects, promotes, and enforces consumers’ rights, and being compliant earns consumers’ trust that their personal data is safe with you.
CCPA gives consumers the following rights over their personal information.
Right to know
Consumers have the right to know what personal information a company has collected about them and how it is used, including whether it is shared, disclosed, or sold to third parties. They exercise it by submitting a verifiable request to the company, which must respond within the statutory deadline.
Right to delete
Consumers have the right to have the personal information a company collected from them deleted, subject to limited exceptions (for example, data needed to complete a transaction or to meet a legal obligation). The request is made through the company’s designated channel, and the company must pass it on to its service providers and contractors.
Exercising this right in effect withdraws the data from the company, so it can no longer use, manipulate, or sell it to third parties.
Right to opt-out
Companies that sell or share personal information must provide a clear “Do Not Sell or Share My Personal Information” link, and consumers can use it to stop that sale or sharing without having to create an account or justify the request.
Right to non-discrimination
CCPA protects consumers from retaliation when they exercise the right to know, the right to delete, or the right to opt out: a business cannot deny goods or services, charge a different price, or provide a different level of service because a consumer exercised their rights. Consumers can therefore use their rights without fear of penalty.
If your organization suffers a data breach caused by a failure to implement reasonable security, affected consumers can sue and claim statutory damages of $100 to $750 per consumer per incident or actual damages, whichever is greater.
Under the original CCPA, a business had 30 days to cure a violation before enforcement. The CPRA amendments, in force since 1 January 2023, removed that guaranteed cure period. Enforcement by the Attorney General or the California Privacy Protection Agency carries a civil penalty of up to $2,500 per violation, or $7,500 for each intentional violation or violation involving a minor’s data.
4. Singapore PDPA (The Personal Data Protection Act)
The Personal Data Protection Act (PDPA) sets the baseline standard for protecting personal data in Singapore. It comprises requirements governing the collection, use, disclosure, and care of personal data.
The purpose of the act is to govern the collection, use, and disclosure of personal data by organizations in a way that balances individuals’ right to protect their personal data against organizations’ need to collect, use, and disclose it for reasonable purposes.
PDPA requires that any organization that collects personal data keeps track of:
- What personal data is being collected, and purpose of collecting it
- Who is collecting the personal data, and where it is being stored
- To whom the information about personal data is disclosed
The PDPA imposes the following obligations: accountability, notification, consent, purpose limitation, accuracy, protection, retention limitation, transfer limitation, access and correction, data breach notification, and data portability.
It provides a regime that safeguards personal data from misuse and maintains individuals’ trust in the organizations managing their data, while enabling the flow of personal data among businesses in a regulated way.
If your organization is found non-compliant, the Personal Data Protection Commission (PDPC) can impose a financial penalty of up to S$1 million or, since the 2020 amendments came into force, up to 10% of your annual turnover in Singapore if that is higher (for organizations with local turnover above S$10 million). It can also order you to stop collecting, using, or disclosing personal data and to destroy data collected in contravention of the act.
- Spize was fined S$20,000 for a data leak affecting 100 customers.
- Karaoke chain K Box was fined S$50,000 for a data leak affecting 317,000 customers.
5. HITRUST (Health Information Trust Alliance) CSF
HITRUST CSF provides a comprehensive, flexible, and efficient approach to regulatory compliance and risk management. HITRUST stands for Health Information Trust Alliance, the organization that created the Common Security Framework (CSF) to help organizations manage information risk and demonstrate compliance.
It is a harmonized framework that incorporates requirements from many other standards and regulations, such as GDPR, PCI DSS, HIPAA, NIST SP 800-53, and ISO 27001. A major benefit is that a single HITRUST assessment prepares you for much of what the other frameworks require.
HITRUST CSF certification is not required by law, but many organizations that create, access, store, or exchange personal health information pursue it, and customers or partners often require it contractually.
HITRUST CSF certification helps organizations reduce risk through better information security and gives them a structured framework on which to build.
HITRUST itself imposes no fines: it is a private certification, and the consequence of failing an assessment is losing or not obtaining the certification (and the business that depends on it). The regulatory exposure comes from the underlying laws the CSF maps to; for a healthcare organization that is chiefly the HIPAA civil penalty tiers described above.
HIPAA and HITRUST are often confused, but they are different things. HIPAA is legislation; HITRUST is an independent organization, and the HITRUST CSF is its framework, which offers a flexible and comprehensive approach to HIPAA compliance and risk management.
6. IRAP (Information Security Registered Assessors Program)
The Information Security Registered Assessors Program (IRAP) is an initiative of the Australian Signals Directorate (ASD) that endorses qualified individuals to provide high-quality information and communications technology (ICT) security assessment services to Australian government entities.
An IRAP assessment enables Australian government customers to validate that a system’s controls appropriately address the requirements of the Australian Government Information Security Manual (ISM) produced by the Australian Cyber Security Centre (ACSC). The output is an assessment report rather than a certificate; the government customer’s authorising officer makes the final decision on whether to use the system.
IRAP aims to protect Australian federal, state, and local government data by focusing on the ICT infrastructure that stores, processes, and communicates it.
IRAP assessors evaluate how the ISM’s security controls are implemented, document your system’s architecture and boundaries, identify gaps, and recommend mitigation strategies, enabling the customer to make an informed, risk-based decision about the system’s suitability for its security needs.
7. FedRAMP (Federal Risk and Authorization Management Program)
The Federal Risk and Authorization Management Program (FedRAMP) is a US government-wide program for assessing the security of cloud products and services used by federal agencies. It provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud services and products.
FedRAMP ensures that cloud applications and services used by government agencies meet a defined security baseline. Because an authorization can be reused across agencies, it makes procurement more efficient and cost-effective and eliminates duplicated assessment effort and risk management costs.
If your organization provides cloud services (SaaS, PaaS, or IaaS) and wants to sell them to US federal agencies, you need a FedRAMP authorization.
If you are a SaaS provider, you need to run on a FedRAMP-authorized cloud service provider (inheriting its controls), and your own software and operations must also meet the framework’s requirements.
FedRAMP’s security baselines are built on the NIST SP 800-53 control families, including access control, awareness and training, audit and accountability, security assessment and authorization, configuration management, contingency planning, identification and authentication, and incident response, with Low, Moderate, and High baselines depending on the impact level of the data handled.
US federal agencies rely on FedRAMP because it applies FISMA’s requirements and NIST’s standards consistently to cloud services. Together they maintain transparency between cloud providers and the US government.
8. ISO 27701
ISO/IEC 27701 is an international standard for privacy information management. It extends an existing ISO/IEC 27001 Information Security Management System (ISMS) into a Privacy Information Management System (PIMS) to reduce privacy risks to individuals and to the organization.
Going one step beyond ISO 27001, on which it is based, ISO 27701 defines processes and procedures for protecting personally identifiable information (PII) and provides guidance for both PII controllers and PII processors on how PII should be managed and processed.
It also outlines requirements for establishing, implementing, maintaining, and continually improving a privacy-specific management system.
According to Dr. Andreas Wolf, Chair of the ISO/IEC technical committee that developed the standard, ISO 27701 is designed to help businesses not only meet the legal requirements they are subject to, but also demonstrate their commitment to the social responsibilities that come with collecting and processing user data.
Note that there is no standalone ISO 27701 certification. Organizations need an existing ISO 27001 certification to become 27701 certified, or they can implement ISO 27001 and ISO 27701 together and be audited for both at once.
Holding ISO 27701 demonstrates a further level of data protection for consumers; the two certifications together give your stakeholders confidence that a privacy information management system is in place.
ISO 27701 requires that companies maintain documentation about how personal data is handled and protected against breaches. Transparency about your data governance assures consumers, employees, investors, clients, and regulators that you take the privacy of the people you deal with seriously.
9. ISO 27018
ISO/IEC 27018 focuses on the protection of personally identifiable information (PII) in public clouds. It is based on ISO/IEC 27002 and gives guidance on implementing the 27002 controls for PII processed in a public cloud, plus additional controls for public cloud PII protection that the existing ISO/IEC 27002 control set does not address.
Note that ISO 27018 is a code of practice (guidance), not a certifiable management-system standard. Organizations demonstrate conformance by bringing its controls into the scope of an ISO/IEC 27001 certification.
ISO 27018 conformance is a competitive advantage for both cloud service providers and their customers.
- It gives customers of cloud service providers confidence that their data is safe and will not be used for purposes to which they have not consented.
- It helps organizations meet local and international privacy and data security regulations and mitigates the risks associated with PII in the cloud.
- It helps public cloud service providers comply with applicable obligations when acting as a PII processor.
- It assists the cloud service customer and the public cloud PII processor in drafting a contractual agreement.
- It provides a mechanism for cloud customers to exercise their audit and compliance rights and responsibilities.
How Scrut helps you get compliant faster with privacy frameworks
Scrut smartGRC delivers a faster, easier, and smarter path to security and privacy compliance, eliminating tedious manual processes and keeping you up to date on the progress and effectiveness of your GRC programs.
With seamless integrations across your application landscape, you gain a unified, real-time view of risk and compliance, providing the contextual insight needed to make smart, strategic decisions that keep your organization secure and earn the trust of your customers, partners, and employees.
Scrut lets you track all compliance activities in one place. Since there is significant overlap between many frameworks, you can work on multiple security and compliance frameworks simultaneously.