Steps for simplifying standards to meet corporate compliance to privacy rules

If a firm is CCPA compliant, it has met 58 percent of the requirements for GDPR.

The European Union General Data Protection Regulation (GDPR) continues to place demanding, but necessary, requirements on businesses in relation to data privacy compliance. As organizations achieve the necessary certification, however, it becomes easier to meet other privacy standards, particularly the California Consumer Privacy Act (CCPA) and the Health Insurance Portability and Accountability Act (HIPAA).

HIPAA is a U.S.-specific piece of legislation designed to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge.

Central to all of these privacy frameworks are the rights granted to consumers:

  • The right to know about the personal information a business collects about them and how it is used and shared.
  • The right to delete personal information collected from them (with some exceptions).
  • The right to opt-out of the sale of their personal information.
  • The right to non-discrimination for exercising their consumer rights.

Data from Tugboat Logic (supplied to Digital Journal by Jose Costa, the firm’s CISO) indicates that once an organization achieves compliance with GDPR, it has achieved 70 percent of CCPA compliance and 19 percent of HIPAA’s recommendations. This means some of the hard work conducted to meet the requirements for GDPR does not have to be repeated for other common regulations.

The overlap also works in the other direction: if a firm is CCPA compliant, it has met 58 percent of the requirements for GDPR. Understanding the data privacy overlap can therefore be especially useful, enabling firms to simplify their own compliance journeys. It also helps in addressing external forces, such as GDPR enforcement, which are becoming increasingly challenging.

Maintaining compliance and staying within the law pays dividends, and failing to do so can be costly. GDPR fines were up sevenfold by the end of 2021, with many of the bigger technology companies increasingly targeted by EU member nations.

As companies continue to struggle to meet GDPR requirements, it is predicted that 2022 will see data regulators ramping up enforcement as concerns loom around the state of personal data transfers between the EU and US.

The company advises determining in advance the evidence that needs to be collected for each piece of legislation. By adopting a matrix, it becomes possible to determine where overlaps occur and to apply one piece of evidence to many frameworks. This saves time and money, and it ensures an efficient process.

Written By

Dr. Tim Sandle is Digital Journal's Editor-at-Large for science news. Tim specializes in science, technology, environmental, business, and health journalism. He is additionally a practising microbiologist and an author. He is also interested in history, politics and current affairs.