Data Privacy Regulations You Need To Know About

6/24/2020

Data protection management is an important activity in any successful business. Customers expect it, the media are constantly on the lookout for leaks, and hackers are getting smarter. All of these factors are reason enough to take data privacy in your business seriously. But one of the most important aspects of data protection management is compliance. 

We’ve outlined the most important regulations that relate to data privacy that your compliance officer should know about. 

Please note that this is not an exhaustive list and proper due diligence should be conducted on any country you do business with. 

The United States

FERPA

The federal Family Educational Rights and Privacy Act (FERPA) protects the privacy of student education records and applies to all schools that receive funds from the U.S. government.

HIPAA and HITECH

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was enacted by the 104th United States Congress and covers protected health information (PHI), such as patient history and identifiable patient information. The Health Information Technology for Economic and Clinical Health Act (HITECH) deals with the privacy and security of health information that is transmitted electronically.

COPPA

The Children's Online Privacy Protection Act (COPPA) regulates all personal information collected from minors and gives parents control over what information websites can collect from their children.

Privacy Shield

The EU-U.S. and Swiss-U.S. Privacy Shield frameworks were set in motion by the U.S. Department of Commerce to govern the collection, use, and retention of personal data transferred to the United States from the EU (and the UK) and from Switzerland, respectively.

PCI DSS

The PCI DSS version 3.2 requirements apply to payment platforms and the protection of payment information. PCI DSS makes it mandatory to mask primary account numbers (PANs). Annual validation by an independent PCI Qualified Security Assessor (QSA) is required.

GLBA

The Gramm-Leach-Bliley Act (GLBA) is a U.S. federal law that requires financial institutions to explain how they share and protect their customers' private information.

Please note that each state has its own laws and regulations with which you must comply. For example:

- New York Privacy Act

- Massachusetts Data Privacy Law

- California Consumer Privacy Act (CCPA)

- Hawaii Consumer Privacy Protection Act

- Maryland Online Consumer Protection Act

Currently, almost all states have legislation pertaining to data privacy. Please check the state legislation that is relevant to your business.

The Americas

PIPEDA

In Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) covers the collection, use, and disclosure of personal information in the private sector.

Federal Law on the Protection of Personal Data

Mexico’s Federal Law on the Protection of Personal Data Held by Private Parties (2010) regulates the processing of personal data by private enterprises.

Europe and the UK

GDPR

The General Data Protection Regulation (GDPR) applies to all businesses, including businesses that operate outside of Europe, that offer goods and services to European residents and collect personal data in the process.

Data Protection Act 2

France’s Data Protection Act 2 (Law No. 2016-1321) supports the provisions of the GDPR.

Federal Data Protection Act 2017

Germany’s Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG) works alongside the GDPR to set out how personal data may be collected and processed.

FLDP and DPO

The Federal Law on Data Protection (FLDP) and Data Protection Ordinance (DPO) are the data privacy laws of Switzerland.

Data Protection Act 2018

The Data Protection Act 2018 incorporates the EU GDPR and supplements its provisions in the United Kingdom.

PECR

The Privacy and Electronic Communications Regulations (PECR) are data protection regulations in the United Kingdom that govern electronic marketing messages.

Global privacy laws

Personal Information Security Specification

This is the data privacy standard in China that addresses transparency, individuals’ rights over their data, and consent.

PDPB

The Personal Data Protection Bill 2018 (PDPB) is modelled on the GDPR and grants Indian citizens certain data protection rights.

The Russian Federal Law on Personal Data (No. 152-FZ)

The Federal Law on Personal Data 2006 (No. 152-FZ) governs the collection and processing of customer data in Russia.

PoPI

The Protection of Personal Information (PoPI) Act 2013 is a data privacy law in South Africa that prescribes how customer data can be used for marketing purposes.

Australia’s Privacy Act 1988 

This is the key privacy law that governs both the public and private sectors in Australia.

As you can see, there is no getting around data privacy regulations. Each country, state, and region has its own data protection legislation, and these laws are updated regularly. Non-compliance carries heavy penalties, as search giant Google recently discovered.

Effective data protection management includes proactively taking steps to safeguard sensitive customer data in your business. This can be done with a sensitive data discovery tool, which locates sensitive data across your business, combined with data masking, which de-identifies that data to prevent misuse.

HushHush can help you with the right tools to handle your data privacy and compliance needs. Request a free demo today.