Running a business online means handling lots of confidential information about your company, customers, stakeholders, etc. that must be protected from unauthorized access. Data security has long stopped being a mere buzzword and today businesses must make a constant effort to protect any sensitive data they have.
With that in mind, it's important to understand what data protection laws are out there that might affect your business, so let's take a look at the 10 most important ones you should keep an eye on.
The General Data Protection Regulation, or GDPR, was adopted on 14th April 2016 and became applicable on 25th May 2018, and it has reshaped data privacy regulation worldwide, with many later laws modelled on it.
The EU's data protection framework protects the personal data and privacy of individuals in the EU by holding businesses and organisations accountable for lawful and secure handling of personal data: they must implement appropriate technical and organisational security measures and notify the supervisory authority of a personal data breach, in most cases within 72 hours of becoming aware of it.
While there have been other data privacy laws before, it was GDPR that really started it all and so it deserves a special place on our list.
The Health Insurance Portability and Accountability Act, HIPAA, dates back to 1996. Its Privacy and Security Rules are a collection of standards and safeguards created to protect patients' Protected Health Information (PHI) and to preserve the confidentiality, integrity and availability of electronic PHI, both in transit and at rest.
Protected health information (PHI) includes identifiers such as:
- Patient's name
- Their address
- Email address or IP address
- Phone number
- Physical identity information such as a photo or a fingerprint
- Identifying numbers such as a medical record number, health plan account number or Social Security number (SSN)
Unlike the EU, the US doesn't have a single comprehensive data privacy regulation like the General Data Protection Regulation. Instead, sector-specific federal laws (such as HIPAA for health data) are combined with state privacy laws that protect consumer data.
One such data privacy law that businesses in America should be familiar with is the California Consumer Privacy Act or CCPA.
The CCPA goes well beyond California's earlier California Online Privacy Protection Act (CalOPPA, not to be confused with the federal children's privacy law COPPA) to give consumers more control over their information. It:
- Allows consumers to request and receive a record of the personal information a business has collected about them in the preceding 12 months
- Allows consumers to request that a business stop selling their personal information and delete it
- Enables consumers to opt out of having their personal information sold by requiring businesses to place a "clear and conspicuous link" on their homepage with the text "Do Not Sell My Personal Information"
- Requires an affirmative opt-in before selling the personal information of consumers under 16 years of age
- Gives consumers a private right of action (the right to sue) when their nonencrypted and nonredacted personal information is exposed in a data breach caused by the business's failure to implement reasonable security. The qualifier matters: a breach of properly encrypted data does not trigger this right, which is a strong practical argument for encrypting collected personal data at rest.
The ePrivacy Regulation is a proposed EU regulation intended to replace the 2002 ePrivacy Directive and to complement the GDPR with more specific rules for electronic communications, in particular cookies and similar tracking technologies, direct marketing such as email marketing, and machine-to-machine communication from IoT devices.
At the time of writing this data privacy regulation is still not in effect and is not expected to apply before 2023, as the European Parliament, the Council and the Commission are still negotiating the final text.
The draft has significant opposition in the EU from those who consider it too loose when it comes to obtaining user consent. For example, the current version of the text allows service providers to access information stored on a user's device "for the performance of a contract", whereas previously this was only allowed "if strictly necessary".
Email Privacy Act
The Email Privacy Act is a proposed update to the 1986 Electronic Communications Privacy Act (ECPA). It would prevent service providers from voluntarily disclosing the contents of users' emails, and would require the government to obtain a warrant before it can compel a service provider to hand over the contents of stored emails.
The bill was first introduced in 2013 but did not advance in the 113th US Congress. In the next, 114th Congress, it passed the House of Representatives unanimously on 27th April 2016 and was hailed by the media as a "sensible", if imperfect, update to privacy law. It was never taken up by the Senate, so it has not become law.
The most important change the Email Privacy Act would make is the removal of ECPA's 180-day rule, under which government agencies could obtain the contents of emails stored for more than 180 days with a subpoena instead of a warrant. Under the Email Privacy Act, a warrant would be required regardless of how long the email has been stored.
Data protection laws in many countries, including the United States, are in many cases still not strong or clear enough to truly ensure protecting user data. Regardless, you should be familiar with these privacy laws and ensure that you're protecting the personal data of your users and following the necessary data encryption practices.
The best way of keeping sensitive data secure in email communication is with the right encryption software.
Liverado is an end-to-end email encryption service that aims to protect and secure your data so it can't be abused by hackers, big data companies or the government. Sign up for Liverado today to protect your sensitive personal data.
*Why is encryption important for a business?*
Encrypting the sensitive data that your organisation collects and stores greatly reduces the impact of a data breach: stolen ciphertext is useless to an attacker as long as the encryption keys are kept separately from the data (in a key management service or hardware security module, never in the same database or backup). It also builds consumer trust, since customers know that their personal information and financial data are protected, and under laws such as the CCPA it can take a breach outside the scope of the private right of action.
*What information should be encrypted?*
Any information that can identify a person, or that exposes their personal or financial details, should be encrypted. This includes:
- Name
- Address
- Phone number
- Bank account number
- Credit card number
- Social Security number (SSN)
- National ID number
- Passport number
- Private communication such as email
- Similar personal identifiers and records
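As an added illustration of encrypting these fields at rest (this is example code written for this page, not Liverado's software or any law's prescribed method), the following Go program stores a constructed customer record with the identifying fields sealed under AES-256-GCM while the non-sensitive fields stay in the clear. The record layout, field names and the in-memory key are all assumptions for the example; in production the key would come from a key management service. Each field gets its own random nonce, and the record ID and column name are bound in as additional authenticated data so that a ciphertext moved to another row or column, or modified in the database, fails to decrypt instead of silently yielding wrong data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// Customer is a constructed sample record. Name, Email, Phone and SSN are the
// identifying fields that must be encrypted; ID and Plan are not sensitive.
type Customer struct {
	ID    int
	Plan  string
	Name  string
	Email string
	Phone string
	SSN   string
}

// StoredCustomer is what is written to the database: ID and Plan in the clear,
// every PII field as base64(nonce || AES-GCM ciphertext).
type StoredCustomer struct {
	ID    int
	Plan  string
	Name  string
	Email string
	Phone string
	SSN   string
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// aad binds a ciphertext to its row and column so it cannot be swapped around.
func aad(id int, column string) []byte { return []byte(fmt.Sprintf("%d:%s", id, column)) }

// encryptField seals one value with a fresh random nonce (mandatory for GCM;
// reusing a nonce under the same key breaks both confidentiality and integrity).
func encryptField(aead cipher.AEAD, id int, column, value string) (string, error) {
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := aead.Seal(nonce, nonce, []byte(value), aad(id, column)) // nonce prefixed
	return base64.StdEncoding.EncodeToString(ct), nil
}

// decryptField fails on a wrong key, a tampered ciphertext, or a ciphertext
// that was copied from another row or column.
func decryptField(aead cipher.AEAD, id int, column, encoded string) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return "", err
	}
	ns := aead.NonceSize()
	if len(ct) < ns {
		return "", errors.New("ciphertext too short")
	}
	pt, err := aead.Open(nil, ct[:ns], ct[ns:], aad(id, column))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// EncryptCustomer seals the PII fields and copies the rest through unchanged.
func EncryptCustomer(key []byte, c Customer) (StoredCustomer, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return StoredCustomer{}, err
	}
	s := StoredCustomer{ID: c.ID, Plan: c.Plan}
	for _, f := range []struct {
		col string
		src string
		dst *string
	}{{"name", c.Name, &s.Name}, {"email", c.Email, &s.Email}, {"phone", c.Phone, &s.Phone}, {"ssn", c.SSN, &s.SSN}} {
		if *f.dst, err = encryptField(aead, c.ID, f.col, f.src); err != nil {
			return StoredCustomer{}, err
		}
	}
	return s, nil
}

// DecryptCustomer is the inverse; any authentication failure aborts the whole record.
func DecryptCustomer(key []byte, s StoredCustomer) (Customer, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return Customer{}, err
	}
	c := Customer{ID: s.ID, Plan: s.Plan}
	for _, f := range []struct {
		col string
		src string
		dst *string
	}{{"name", s.Name, &c.Name}, {"email", s.Email, &c.Email}, {"phone", s.Phone, &c.Phone}, {"ssn", s.SSN, &c.SSN}} {
		if *f.dst, err = decryptField(aead, s.ID, f.col, f.src); err != nil {
			return Customer{}, err
		}
	}
	return c, nil
}

func main() {
	key := make([]byte, 32) // example only: a real key lives in a KMS/HSM, never beside the data
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	c := Customer{ID: 42, Plan: "pro", Name: "Ada Example", Email: "ada@example.com", Phone: "+1-555-0100", SSN: "000-00-0000"}
	stored, err := EncryptCustomer(key, c)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored row: %+v\n", stored)
	back, err := DecryptCustomer(key, stored)
	fmt.Printf("decrypted: %+v (err=%v)\n", back, err)
	stored.Name, stored.SSN = stored.SSN, stored.Name // simulate an attacker swapping columns
	_, err = DecryptCustomer(key, stored)
	fmt.Println("after column swap, decrypt error:", err)
}
```

The design point is that field-level authenticated encryption protects the exact identifiers listed above while leaving non-sensitive columns queryable; encrypting the whole disk does nothing once an attacker has a database login, whereas this scheme only yields plaintext to code that holds the key.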
*Why is it important to know the difference between data security and data privacy?*
Although often used synonymously, data privacy and data security are not the same thing. Data privacy is concerned with what data is collected and how it is stored, used and shared, while data security is the set of controls that protect data from unauthorised access, whether by malicious attackers or by insiders. You cannot deliver privacy without security, but a perfectly secured system can still violate privacy if it collects or shares more than it should.