Skip to content
June 5, 2023

Data Security Regulations: How to Stop Playing the Guessing Game for Good

Complying with data privacy regulations can often feel like assembling a jigsaw puzzle with hundreds of colleagues around the world.

But in each country, the picture on the jigsaw puzzle box is completely different. 

And none of your colleagues can see each other’s puzzle box.

So you’re navigating through the puzzle, with one team guiding their puzzle pieces one way, and another team juggling their pieces to slot in…

Now imagine there’s a global manager looking over everyone’s shoulders, waiting to catch you out by swapping out jigsaw pieces when you aren’t looking.

It sounds stressful. And complicated.

That can be the situation for many companies who are wading through the deep and murky waters of international data compliance – whose puzzle pieces of data security regulations are very, very real.

Across many countries, the differing regulations – from GDPR to HIPAA – mean that businesses can no longer adopt a one-size-fits-all approach to their data security compliance. 

Regulations can change by country, continent, and over time. Your data itself is then subject to a tangled web of regulations that vary according to how it’s used, who it was gathered from, where it was gathered, where you’re using it, how long you’ve had it…

And that can often mean that the final piece of the puzzle is extremely difficult to find and solve. 

It’s a fine balancing act to reach the exact standards for all of your data, in all of your locations, across all of your use cases, while staying agile and updated at all times. 

That’s why it’s essential to have a data security solution in place that can handle all of this complexity. 

A sufficiently powerful data security solution not only helps you to have a better view of the bigger picture; it also helps to finally complete the puzzle of data security requirements for the foreseeable future.

Learn How to Build Customer Trust In the Age of Privacy First

READ NOW

How data protection regulations and standards are changing

When it comes to data protection laws, change remains the only constant – whether that’s from incremental updates or brand-new legislation. 

Data protection regulations are constantly evolving as governments adopt new approaches, public opinion shifts, and our understanding of data protection evolves.

Below are some examples of what’s new and potentially coming next for data protection:

Payment Card Industry Data Security Standard (PCI DSS)

First created in 2004, PCI DSS is in the middle of a three-year transition period toward Version 4.0. Organizations should already be updating their processes for full compliance by the March 2025 deadline. 

Among the 64 changes and improvements, security- and compliance-related activity must be continuous, rather than yearly. Certification is now required whenever there are significant changes to the in-scope environment.

There’s also a requirement for greater definition around roles and responsibilities. This includes confirming activities are assigned and understood. Documentation must be shown that demonstrates organizations are complying with these new best practice requirements.

HIPAA

This federal healthcare act has several proposals in the data protection pipeline. These relate to the HIPAA Privacy Rule, and reportedly represent the biggest update since 2013. Recommendations include allowing patients to inspect and photograph their Protected Health Information (PHI). 

Another proposal is to reduce the maximum time period for providing PHI to subjects from 30 to 15 days. 

Of course, this will impact legacy health systems already struggling to handle increased data volumes. Providers will need to consider new platforms for locating and sharing the data within shorter time frames. 

My Health, My Data Act

This act relates to the usage of “consumer health data” and related privacy rights. 

External to HIPAA, it will apply from March 2024 across Washington. This state-by-state approach is the norm in the US, posing challenges for organizations trying to maintain consistent compliance at a federal level. 

Among the requirements, consumers will be asked for consent twice – first to collect their data, and second to share their data. Consumers will have the right to request data and receive responses within 45 days. 

Organizations, classed as “entities”, must also demonstrate appropriate transparency and purpose for their data usage.

The Data Act

Five years on from enacting GDPR, EU member states are currently evaluating the Data Act. This includes proposals “regarding harmonised rules on fair access to and use of data.” 

Like GDPR, it would encompass businesses established outside the EU that work with EU citizens’ data. 

The act covers personal and non-personal data. Organizations will need to be able to separate the two when it comes to defining policies, access, and controls.

Another main theme is around growing volumes of data – from social media to third-party data from websites and apps. New rules are being proposed for who can use and access data that’s generated from consumers, businesses, and public authorities. 

There are also proposals for safeguards against unlawful consumer data transfers and access from unauthorized third parties.

IT frameworks for data regulations

Each enactment and amendment will ask questions of data owners and their compliance, governance, and security teams. Complexities arise from the diverse ways data is now being used, its variety of sources, and the velocities of arrival. 

In response, businesses should implement new frameworks around data security, access, and control. This creates a common language to use with partners and vendors to help define the scope.

“Data is everywhere, and what constitutes sensitive data for organizations today has greatly expanded.”

Forrester

Adopting a one-size-fits-all approach often leads to one of two outcomes: 

  1. Data is excessively protected and over-restricted. Permissions and approvals take longer, and manual forms of access control make analysis hard to scale. 
  2. Data is overly accessible, with fewer or looser controls and permissions. This increases flexibility and agility – but breach risks and fallout costs are potentially much higher.

The preferred approach is to identify IT security frameworks and map them to specific criteria – for example, the locations of business and data centers, relevant industries and legislation, plus organizational risk profiles. 

Setting out these drivers is a structured approach, making it easier to identify appropriate policies, procedures, and processes. 

After all, data security isn’t simply about securing information from threats. It’s also about securing the business from potential compliance breaches and reputational risks. 

Implementing the right framework is the crucial first step to making that happen. 

Scoping stage: Three types of data security frameworks

There may be some crossover, but the differences tend to come down to levels of organizational maturity for data security:

Control framework

Identify controls required for protecting and securing data and systems.

This should be at a strategic level, with guidelines plus a minimum or baseline set of controls, along with an action plan based on what should be implemented.

Control frameworks are commonly used when a business is starting or reworking a data security solution.

Data discovery and classification tools, coupled with advanced metadata, will support this framework creation.

Program framework

As control methods mature, the program framework is designed to manage their development.

There should be assessments of current security levels to build a structured roadmap that’s benchmarked against industry standards and which also factors in strategic and structural changes within the business.

For example, where businesses or industries impact data collection, and how data collection methods require changes from updated legislation.

Risk framework

Having established control and program frameworks, organizations can now prioritize identified risks. This should be based on probability and potential impact.

The end result is a data protection policy and ongoing plan for mitigating data security risks.

If you’re starting from a blank page, you can also adapt elements from the NIST cybersecurity framework:

IdentifyWhat are the current risks and potential impacts on the business?
ProtectWhat are the controls for protecting data at rest, in transit, and when it’s being accessed?
DetectWhat tools are available for data breach detection?
RespondHow are organizational responses planned, managed, and analyzed?
RecoverHow soon can there be a return to “Business-As-Usual”?

Mapping data protection frameworks to specific standards 

Let’s say you’ve now identified, mapped, and created the framework. It’s time to identify the standards for maintaining the necessary data security levels. Some of the most common include:

  • ISO 2700 series
    The globally recognized information security standard. Within the series there are standards including personal data in the cloud (ISO 27018), disaster recovery (ISO 27031), and PHI (ISO 27799).
  • PCI DSS
    As discussed above, changes to PCI DSS mean changes for organizations that receive, process, and transmit online payments. They need to review their current framework and map it against the new payment security requirements.
  • NIST CSF
    When is a framework also a standard? When it’s the National Institute of Standards and Technology Cybersecurity Framework. While voluntary for non-federal organizations, NIST helps manage and reduce risks around privacy and security.
  • SOC 2
    This comes under standards set by the American Institute of Certified Public Accountants. Organizations undergo audits that assess internal controls for managing customer data. These are based on five principles: Privacy, Security, Availability, Processing Integrity, and Confidentiality. Standards are customized to your organization. 
  • Sarbanes-Oxley Act
    Publicly traded US companies are required to meet strict reporting and security standards under SOX. These cover multiple areas of corporate governance, from risk management and public disclosure accuracy to reporting and auditing.

What data security framework will work best for me?

As we have established above, navigating which regulations apply to your organization in different situations can be a headache-inducing task. 

It’s rare for one framework or standard to be sufficient. It’s more likely for organizations to combine frameworks and controls. 

Faced with such a tangled and ever-evolving set of regulations, it’s hardly surprising that many businesses opt to control their data with an iron fist. They find the area of their business where data access is most restricted – whether that is the country that has the most stringent regulations or the types of data that are most carefully controlled – and apply those restrictions to their entire dataset. 

Fewer businesses take the opposite approach: taking steps to make their data more easily accessible and usable, but risking their compliance in the process. 

Organizations need a way to find an effective balance between these two options. 

That’s why it’s essential to find a solution that can:

  1. Build a “map” of your compliance – establishing which regulations apply to which parts of your data. The best solutions will connect to your existing catalogs and autotag your data.
  2. Implement flexible, adaptable policies – ensuring that your data is always protected to exactly the right level: secured enough to avoid fines or breaches, while still accessible enough to be useful.

While convergence is appropriate at the framework level, there also needs to be a balance that delivers a localized approach. 

You can then ensure compliance within different geographies, and with industry-compliant governance for managing data within the cloud for virtualized environments.

As a dynamic policy-based access control system, Velotix is set up to provide an overview of regulatory compliance within your data, and implement appropriate data protection policies with autotagging. 

Ensuring you’re never soft-locked out of the data you need when and where you need it most.
Never be in the dark about your data again. Find out more about data security regulations and requirements with Velotix.

NEW GEN AI

Get answers to even the most complex questions about your data and explore the complexities of your data landscape using Generative AI chat.