Wednesday, April 14, 2021

How To Comply With All Local Regulations Simultaneously?

Compliance matters for every company, since the number of rules and regulations in most fields is vast and varied. There is also a lot of confusion about how different compliance regimes interact, since some of them overlap heavily (for example, a local country law that is broadly similar to a more global regulation).

On the topic of the bigger compliance regulations, it is safe to say that payment card data is one of the most sensitive data types. To ensure that data is properly protected, every company that stores, processes or transmits it has to comply with a set of security standards called PCI DSS.

PCI DSS

PCI DSS stands for Payment Card Industry Data Security Standard. It was created to protect both cardholder information and the businesses that process it.

Before the standard was established, many companies were unknowingly contributing to the spread of payment card fraud, either by not taking cardholder data protection seriously enough or by dismissing concerns about payment data security altogether.

There are many scenarios in which cardholder data can be lost or exposed, especially when proper safeguards are not in place. Some of them are:

  • Database compromise
  • Eavesdropping (a hidden camera pointed at a payment terminal, for example)
  • Misconfigured or insecure wireless routers
  • Vulnerabilities in online payment portals
  • Insecure storage networks
  • Tampered or faulty card readers, and more

It is fair to say that the complete PCI DSS standard is long and complicated, but there are also many shorter compliance checklists that can be used to cover the biggest potential gaps. For example, the PCI DSS checklist below touches many different areas of work, such as monitoring, encryption, testing, reporting, and more:

  • Use anti-virus and anti-malware software and keep it up to date
  • Avoid vendor-default and simple passwords
  • Restrict access to cardholder data to a strict “need-to-know” basis
  • Set up a firewall and maintain it
  • Log and monitor all access to system components and cardholder data
  • Test security systems and processes regularly
  • Encrypt cardholder data whenever it is transmitted over open, public networks
  • Maintain a security policy that details how sensitive information is protected within your company, and so on.

GDPR

While we are on the topic of global compliance regulations, GDPR also deserves a mention. The General Data Protection Regulation covers far more than payment data: it governs the protection of personal data in general, along with other privacy-related obligations.

GDPR regulates the entire lifecycle of the personal data of individuals in the EU, regardless of whether the company processing that data is located inside the EU or not.

For exactly that reason, the date on which GDPR became applicable, in May 2018, brought changes to a massive number of companies all over the world, since every company that processed the personal data of people in the EU now had to be GDPR-compliant.

Clashes between GDPR and local laws began almost immediately. For example, before GDPR compliance became mandatory, Australia already had privacy legislation with a relatively similar goal:

  • the Australian Privacy Act 1988;
  • the Australian Privacy Principles (APPs), which are part of that Act.

There are many similarities between the Australian rules and the GDPR principles, but the differences are what matter most. Among them:

  • the GDPR concept of a “lawful basis” for processing;
  • data breach notification requirements;
  • a different approach to consent for data processing;
  • expanded privacy policy requirements;
  • more rights for data subjects;
  • the need for additional appointments (such as a data protection officer), etc.

Not every Australian business suddenly needs to be GDPR-compliant. Still, for any company located outside the EU, a good first step is to do the research and answer the question “Am I processing the personal data of people in the EU or not?”.

Personally Identifiable Information

The question of what kinds of data GDPR regulates leads to another important topic: “personal information”. Personal information, or personally identifiable information (PII), is information that can be used, alone or in combination, as a unique identifier to distinguish one person from anyone else.

Examples of PII include employee records, financial history, personal beliefs, health history, memberships, and so on. The forms this information can take are also numerous, including but not limited to biometric data, written text, verbal communication, images, etc.

Two major types of PII can be distinguished: linked and linkable.

  1. Linked information is a piece of information that is explicitly connected to an individual. A common example is an employee file that contains the person’s name. If the name is blacked out but the rest of the file still allows the individual to be identified, the file is no longer linked information but linkable information (see below).

    There are many examples of linked personally identifiable information, including names, phone numbers, home addresses, identification numbers (passport, social security, etc.), device identifiers such as an IP address, and many more.
  2. Linkable information, on the other hand, is not as clear-cut as the linked type. Whether a given piece of information can actually be used to identify an individual depends on a variety of factors, most importantly what other data the holder has access to.

    A common example: a random car’s license plate in the hands of a bystander cannot, in most cases, be used to identify the car’s owner. The same license plate in the hands of an officer with access to the vehicle registration database, however, identifies the owner directly.

    Listing examples of linkable information is therefore not as easy, but some of the more obvious ones are financial status, geolocation, religion, educational background, business information, race, employment record, and so on.

Conclusion

To be properly compliant with all local laws and worldwide regulations, you have to keep many factors in mind. Some of them are regulation-specific rules (such as appointing a data protection officer); others are areas where different regulations and laws overlap.

And sometimes, simply knowing where the personal information you process is located is already a big step towards compliance with all applicable laws and regulations.

The post How To Comply With All Local Regulations Simultaneously? first appeared on Feedster.

from Feedster https://www.feedster.com/business/how-to-comply-with-all-local-regulations-simultaneously/
