United States Trails Europe in Data Protection


By Christina Pici, Staff Writer

In a world where technology is at the forefront of people’s everyday lives, data protection has become an unavoidable topic. Data protection is the process of safeguarding important information from corruption, compromise, or loss.[1] In general, data security refers specifically to the procedures implemented to protect the integrity of the data itself against manipulation, while data privacy refers to controlling who may access the data and for what purpose.[2] Data privacy laws and regulations vary extensively.[3] These laws can differ from country to country, or even from state to state.[4] Compliance with any given set of these laws and regulations is therefore challenging, but it is necessary in order to avoid the substantial fines imposed for being “out of compliance.”[5] Compliance means showing that an organization meets a minimum set of security-related requirements, which is done by comparing the company’s security posture at a single moment in time against a specific set of regulatory requirements.[6] Because that comparison is a snapshot, a compliant organization is not necessarily a secure one: controls can lapse between assessments, and regulations only set a floor.

The European Union has acted to harmonize its data privacy laws through the General Data Protection Regulation (GDPR), which became enforceable on May 25, 2018.[7] The stated goals of the GDPR are to provide greater protection and rights to individuals.[8] The GDPR alters how businesses and other organizations may handle the information of those who interact with them.[9] Personal data is any information that allows a person to be identified, directly or indirectly, from the data that is available.[10] This information could be as simple as a person’s name, location data, or online usernames, or as technical as IP addresses and cookie identifiers.[11] One of the reasons Europe is arguably the frontrunner in data protection is its “citizen first” approach to data handling and protection.[12] In Europe, data protection has long been treated as a matter of fundamental human rights to privacy and protection.[13] Further, privacy and data protection appear as fundamental rights under the European Union’s Charter of Fundamental Rights.[14] In contrast, the focus of the United States is on the integrity of data as a commercial asset.[15]

In the United States, data protection laws are fragmented, consisting of state-specific and sector-specific approaches, and most of them apply to healthcare companies and financial institutions.[16] For example, the Health Insurance Portability and Accountability Act (HIPAA) is a set of standards created to secure protected health information (PHI) by regulating healthcare providers, health plans, and the business associates that process PHI on their behalf.[17] The Sarbanes-Oxley Act (SOX) pertains to the corporate care and maintenance of financial data at public companies; it determines which records must be kept and for how long they must be retained.[18] All public companies must comply with SOX and its requirements for financial data reporting, which include classifying data correctly and storing it securely.[19]

The progressive approach to how personal data should be handled under the GDPR has been compared to the California Consumer Privacy Act.[20] Not every state has had a security breach notification law in place since 2002, as California has.[21] This highlights another problem with data protection law in the United States. Given the number of laws in existence and their differences at the state level, some may be consistent with the GDPR and some may not.[22] Moreover, laws that are unclear, or that vary by location, are complex for businesses to follow and make compliance harder to achieve in each of the jurisdictions where a company does business.[23] From this perspective, the GDPR model for data protection appears more practical, since it provides a simpler narrative consisting of uniform rules and regulations.[24]

[1] https://searchdatabackup.techtarget.com/definition/data-protection

[2] Id.

[3] Id.

[4] Id.

[5] Id.

[6] https://phoenixnap.com/blog/security-vs-compliance

[7] https://www.endpointprotector.com/blog/eu-vs-us-how-do-their-data-protection-regulations-square-off/

[8] https://www.wired.co.uk/article/what-is-gdpr-uk-eu-legislation-compliance-summary-fines-2018

[9] Id.

[10] Id.

[11] Id.

[12] https://www.pensar.co.uk/blog/data-protection-in-the-us-vs-europe

[13] Id.

[14] https://www.endpointprotector.com/blog/eu-vs-us-how-do-their-data-protection-regulations-square-off/

[15] Id.

[16] https://www.pensar.co.uk/blog/data-protection-in-the-us-vs-europe

[17] https://www.endpointprotector.com/blog/eu-vs-us-how-do-their-data-protection-regulations-square-off/

[18] https://phoenixnap.com/blog/security-vs-compliance

[19] Id.

[20] https://www.wired.co.uk/article/what-is-gdpr-uk-eu-legislation-compliance-summary-fines-2018

[21] https://www.endpointprotector.com/blog/eu-vs-us-how-do-their-data-protection-regulations-square-off/

[22] Id.

[23] https://www.pensar.co.uk/blog/data-protection-in-the-us-vs-europe

[24] Id.