Are you working with Customers, Health and Finance Data? Besides GDPR, Think PCI-DSS & HIPAA
Kanishka Venishetty
Data Science - Analytics & Governance at QD Labs | Trinity & Columbia Alumni
Data Compliance: HIPAA, GDPR, PCI-DSS.
Three widely recognized bodies of law and regulation have been put in place by governments and by industry to protect individuals' data: GDPR, HIPAA and PCI-DSS.
General Data Protection Regulation (GDPR)
GDPR was instituted by the European Union to harmonize its rules for protecting personal data. In force since May 25, 2018, it is a comprehensive and clear set of guidelines that acknowledges that different categories of personal data require different levels of protection.
Sensitive data, such as health, biometric, genetic, or criminal-history data, is given the highest level of protection. The quantity of data also counts: companies that regularly collect and process large volumes of personal data have to register with government-appointed Data Protection Authorities.
GDPR applies to all organizations, regardless of where they are based, that gather and process personal data on EU residents. Non-EU organizations need to appoint a GDPR representative and will be liable for all fines and sanctions.
Essential requirements of the GDPR are:
- Consent: Organizations must get consent to collect personal data, with the level of consent varying according to the type of personal data being collected.
- Data minimization: Reacting to years of unnecessary collection of personal data by apps with no clear purpose in mind, the GDPR specifies that organizations can only collect personal data that is clearly related to a well-defined business objective. If an organization collects personal data for one purpose but then decides it wants to use it for another purpose (such as consumer profiling), that could be considered non-compliance.
- Individual rights: Another key feature of the GDPR is the very clear rights that it gives data subjects (i.e., the individuals whose personal data is being collected) to understand why their data is being collected and how it is being processed.
Data Subject Rights:
- The Right to be forgotten (Delete)
- The Right to Access
- The Right to Portability
- The Right to restriction of Processing
- The Right to Rectify
- The Right to Object
Penalties: extremely strict penalties apply for non-compliance (up to €10 million or 2% of worldwide annual turnover, whichever is higher) and for breaches (up to €20 million or 4% of worldwide annual turnover, whichever is higher).
Have you heard about PCI-DSS and the HIPAA?
What Kind of Information is Protected?
How to address them?
Payment Card Industry Data Security Standards (PCI-DSS)
PCI-DSS is a collection of security standards developed by the major credit card companies to help protect sensitive cardholder data.
Unlike HIPAA and GDPR requirements, which are based on government regulation, PCI-DSS compliance requirements are contractual commitments maintained and driven by the Payment Card Industry Security Standards Council (PCI SSC), an independent global body established in 2006.
The PCI Standard is mandated by the card brands and governed by the Payment Card Industry Security Standards Council. The standard was created to increase controls around cardholder data to reduce credit card fraud. Validation of compliance is performed annually or quarterly.
The card companies which administer PCI-DSS are
PCI-DSS applies to all merchants or organizations that accept, transmit or store cardholder data. However, there are different PCI-DSS compliance levels depending on the number of payment transactions that a merchant/organization has handled over the previous 12 months.
PCI-DSS outlines 6 categories of control objectives:
1. Build and Maintain a Secure Network and Systems
2. Protect Cardholder Data
3. Maintain a Vulnerability Management Program
4. Implement Strong Access Control Measures
5. Regularly Monitor and Test Networks
6. Maintain an Information Security Policy
It is the merchant/organization that is held responsible for the security of the cardholder data it collects and holds, even if it uses a third-party company to handle credit card payments. There are two ways in which the merchant/organization is expected to validate its PCI-DSS compliance: quarterly vulnerability scans and an annual assessment.
Penalties: non-compliance can result in fines to the acquiring bank of $5,000-100,000 per month, with the banks usually seeking to pass the fine along to the merchant. In addition, the bank could terminate its relationship with the merchant or raise the transaction fees considerably.
Health Insurance Portability and Accountability Act of 1996 (HIPAA)
The main motive of HIPAA was to improve health care efficiency and patient care outcomes by encouraging the free flow of health information in the US. At the same time, its compliance requirements mandated national standards to secure the privacy of personal health information. Compliance with HIPAA's final Privacy Rule has been compulsory since April 2003, and with its final Security and Enforcement Rules since April 2005.
HIPAA rules and regulations apply to all “covered entities”—health plans, health care providers, and health care clearinghouses who transmit health information in electronic, oral or written form. It also applies to the business associates of covered entities, i.e., individuals or organizations who are contracted to provide services but are not part of the covered entity’s workforce.
The Privacy Rule is somewhat broader than the Security Rule in that it protects all "individually identifiable health information" that is either transmitted or held by a covered entity or its business associate, in any form or media. This protected health information (PHI) includes information related to the individual’s physical or mental health or condition, health care provided to the individual, or payment for the provision of health care to the individual. PHI also includes basic identifying information such as a patient’s name, their date of birth, SSN, and home address. In order to encourage health care research, the Privacy Rule places no restrictions on the use or transmission of de-identified health information.
The Security Rule, which covers e-PHI specifically, requires covered entities to:
- Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit.
- Identify and protect against reasonably anticipated security threats.
Penalties: fines for non-compliance range from $100 to $50,000 per affected PHI record, up to a maximum of $1.5 million per incident.