Enterprises need to comply with an increasing suite of data protection, privacy and industry-specific rules and regulations, including laws drafted overseas.
Chief among these are the EU’s General Data Protection Regulation (GDPR) and the UK’s Data Protection Act. These are joined by the Privacy and Electronic Communications Regulations (PECR).
Firms that handle card payments continue to be governed by the PCI-DSS regulations.
GDPR will not go away when the UK finalises its departure from the EU. In fact, GDPR is being written into UK law and will be there to stay indefinitely in some cases.
Its scope is wide and its penalties are harsh: fines can run to up to 4% of global turnover.
For business data storage, this means keeping only information that is necessary, and for as short a period as possible, although the regulation does not define any timescales. This includes archives and off-site backups.
Data also has to be secured, and for most enterprises this means it has to be encrypted.
But firms also need to know where their data is, and how it is used. GDPR sets out a right to be forgotten – to have all data erased – as well as allowing individuals to opt out of automated decision making and profiling. Without good knowledge of all data assets this will be hard to do.
Subject access requests and e-discovery will also impact the timescale for retrieving customer records, and in turn, service level agreements.
UK Data Protection Act
The Data Protection Act sits alongside GDPR in UK law by providing UK exceptions to GDPR requirements. These include special categories of data, including health and employment.
There are also differences that affect law enforcement data, as these are not covered by GDPR.
Actions for storage and data managers to comply with the DPA will be similar to those for GDPR. However, they will need to segment systems and data where UK-specific rules apply, such as for health and law enforcement.
Privacy and Electronic Communications Regulations (PECR)
The PECR regulates cookies and tracking, as well as marketing and other “unsolicited” electronic communications.
Although the PECR is commonly referred to as the “cookie law”, it stretches further than that. It is based on the EU’s e-Privacy Directive, and covers the security of any electronic communications offered to the public, as well as privacy around billing and location information on communications networks.
The PECR was updated in 2019 to incorporate GDPR’s definition of consent. The rules are set to change again under the EU’s upcoming ePrivacy Regulation.
A set of industry regulations rather than a law, PCI-DSS governs any credit or debit card payment information, including how it is acquired, transmitted and stored. As a practical set of rules, PCI-DSS is a good proxy for protecting personal and financial information.
The standard requires merchants to demonstrate a secure IT network that protects cardholder data, maintain a vulnerability management programme, implement access control measures and regularly test their networks.
Steps for CIOs include encrypting any card information, in transit and at rest; endpoint protection, including point-of-sale equipment; network security; and policies governing who can access sensitive data.
Firms must also ensure card data is deleted once it is no longer needed for a transaction, and this has to be factored into the design of backup and archiving tools.
More businesses are moving data to the cloud, and processing it there. But they must ensure that both in-house technology and cloud services are compliant.
A business can outsource data management, but will always hold the risk. The large cloud providers have improved their regulatory transparency over the past few years, but CIOs should still be asking hard questions – as well as ensuring data is secure moving from local systems to the cloud and, potentially, between cloud providers.