Regulations
Data privacy regulations are intended to ensure the safety, security and confidentiality of personally identifiable information (PII). These regulations can span borders and jurisdictions, but many are industry specific, with detailed provisions relating to that particular sector.
GLBA
Industry: Financial
Country: United States
Introduced in 1999 while removing barriers in the financial sector, the Gramm-Leach-Bliley Act (GLBA) also established a set of rules and regulations that protect consumer privacy and secure consumer data. To ensure compliance with the GLBA, it is recommended that financial institutions mask names, dates of birth, social security numbers, tax ID numbers, account numbers, and credit card numbers. Automated data masking is the standard method of de-identification for these sensitive data elements that retains the referential integrity of the data.

Data masking meets the requirements of the following provision of the GLBA:

Section 501(b) requires organizations to establish financial institution standards for protecting the security and confidentiality of customers' non-public personal information. These standards relate to administrative, technical, and physical safeguards:
- to ensure the security and confidentiality of customer records and information;
- to protect against any anticipated threats or hazards to the security or integrity of such records;
- to protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer.
PCI DSS
Industry: Financial
Country: United States
If your business handles credit card information, you are more than likely required to comply with the Payment Card Industry Data Security Standard (PCI DSS). The PCI DSS version 3.2 requirements relate to payment platforms and the protection of payment information, and establish the technical and operational framework needed to protect consumers from data security risks. Under PCI DSS it is mandatory to mask primary account numbers (PAN). Annual validation by an independent PCI Qualified Security Assessor is required. PCI DSS establishes consistent data security measures globally. Merchants and credit card processing companies are obliged to comply, as are e-commerce companies, ATM and cash register operators, money transfer companies, and money exchanges.

How can data protection tools help? PCI DSS makes it mandatory to mask the PAN in both production and development environments, and recommends protecting the remaining persistent elements in accordance with local legislation and best practices. Automatic data masking allows you to be proactive with your data protection efforts and to safeguard other identifiable elements such as names, dates, and service codes as well. The persistent data elements for which PCI DSS dictates standards of protection include:
- Primary Account Number (PAN)
- Cardholder Name
- Expiration Date
- Service Code
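As an added example (not code from this page or from the vendor it describes), the block below shows one way to mask PANs and cardholder names deterministically so that masked copies of two tables still join on the same keys, next to the truncated display form; the card numbers, names and HMAC key are constructed test values.

```python
import hashlib
import hmac

# Constructed sample tables using public test card numbers, not real cardholder data.
CARDHOLDERS = [{"name": "Jane Doe", "pan": "4111111111111111"},
               {"name": "John Roe", "pan": "5555555555554444"}]
TRANSACTIONS = [{"txn": 1, "pan": "4111111111111111", "amount": "19.99"},
                {"txn": 2, "pan": "4111111111111111", "amount": "5.00"},
                {"txn": 3, "pan": "5555555555554444", "amount": "120.00"}]
SYNTHETIC_NAMES = ["ALEX RIVERA", "SAM NGUYEN", "JORDAN OKAFOR", "TAYLOR BRENNAN"]  # constructed pool

def luhn_check_digit(payload: str) -> str:
    """Luhn check digit for the digits that precede it (doubling every second digit from the right)."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch) * 2 if i % 2 == 0 else int(ch)
        total += d - 9 if d > 9 else d
    return str((10 - total % 10) % 10)

def luhn_valid(pan: str) -> bool:
    return pan.isdigit() and luhn_check_digit(pan[:-1]) == pan[-1]

def display_mask(pan: str) -> str:
    """Truncation for display: first six and last four digits visible, the rest hidden."""
    return pan[:6] + "X" * (len(pan) - 10) + pan[-4:]

def mask_pan(pan: str, key: bytes, keep_prefix: int = 6) -> str:
    """Synthetic, Luhn-valid PAN of the same length for non-production copies.

    The issuer prefix is kept, the middle digits are derived from a keyed HMAC of the
    full PAN so equal inputs give equal outputs in every table (referential integrity),
    and the check digit is recomputed. Keep the key out of the masked environment.
    """
    digest = hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()
    digits = "".join(str(int(c, 16) % 10) for c in digest)  # 64 deterministic digits
    body = pan[:keep_prefix] + digits[: len(pan) - keep_prefix - 1]
    return body + luhn_check_digit(body)

def mask_name(name: str, key: bytes) -> str:
    """Deterministically map a real name onto the synthetic pool."""
    idx = int(hmac.new(key, name.upper().encode(), hashlib.sha256).hexdigest(), 16)
    return SYNTHETIC_NAMES[idx % len(SYNTHETIC_NAMES)]

def mask_tables(cardholders, transactions, key: bytes):
    """Mask both tables with the same key so joins on PAN still line up."""
    holders = [{**r, "pan": mask_pan(r["pan"], key), "name": mask_name(r["name"], key)}
               for r in cardholders]
    txns = [{**r, "pan": mask_pan(r["pan"], key)} for r in transactions]
    return holders, txns

def referential_integrity_preserved(cardholders, transactions, key: bytes) -> bool:
    """True if every masked transaction still joins to a masked cardholder with unchanged counts."""
    holders, txns = mask_tables(cardholders, transactions, key)
    before = sorted(sum(t["pan"] == h["pan"] for t in transactions) for h in cardholders)
    after = sorted(sum(t["pan"] == h["pan"] for t in txns) for h in holders)
    masked = {h["pan"] for h in holders}
    return before == after and all(t["pan"] in masked for t in txns)
```

Because the mapping is keyed, anyone holding the key could recompute a masked value from a real PAN, so the key belongs with the production-side masking job, not with the masked data.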
GDPR
Industries: Financial, Pharma, Government, Education, Health, E-Commerce
Countries: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden
Considered the most comprehensive data privacy law in effect, the General Data Protection Regulation (GDPR) extends to all businesses (including businesses that operate outside of Europe) that offer goods and services to European residents and collect personal data in the process. The GDPR specifically requires the use of data protection methods to safeguard private data. Data masking is one of the most widely used solutions recognized by the regulation. Data masking allows organizations to keep the convenience of using their customers' data while removing any real identifiers. Using data masking, the data can be de-identified, so that personal information remains anonymous in the context of support, analytics, testing, or outsourcing.

The following provisions can be addressed by using data masking components:
- Article 3, which refers to the processing of data
- Article 4, which defines the parameters of de-identification
- Article 5, which refers to the retention of data
- Article 11, which addresses processing that does not require identification
- Article 17, which refers to the deletion of data
- Article 24, which refers to the responsibility of the controller
- Article 25, which refers to reasonable measures to protect consumer data, by default and by design
- Article 32, which deals with the security of processing
- Article 34, which refers to protection measures to mitigate data breaches
- Article 40, which refers to the codes of conduct on pseudonymization
International Privacy Law
Industries: Financial, Pharma, Government, Education, Health, E-Commerce
Countries: Japan, Brazil, Mexico, South Africa, Switzerland, France, New Zealand, China, India, Germany, United Kingdom, Australia
As businesses continue to make a global impact, it is important to get to know the laws of the land and understand how your data flows across international boundaries. Most countries have their own data protection laws that need to be adhered to, and many businesses fall under the jurisdiction of more than one. Here are a few of the international data privacy laws your compliance officer should be aware of.

The Americas
- PIPEDA: In Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) covers the disclosure of personal information in the private sector.
- Federal Law on the Protection of Personal Data: Mexico's Federal Law on the Protection of Personal Data Held by Private Parties (2010) regulates the processing of personal data by private enterprises.
- LGPD: As of August 2020, Brazil formally enacted its first general data protection law, the Lei Geral de Proteção de Dados (LGPD). This comprehensive data protection regulation applies to all businesses in Brazil and to the collection and use of data about Brazilian citizens and residents.

Europe and the UK
- GDPR: The General Data Protection Regulation (GDPR) extends to all businesses (including businesses that operate outside of Europe) that offer goods and services to European residents and collect personal data in the process.
- Data Protection Act 2: France's Data Protection Act 2 (Law No. 2016-1321) supports the provisions of the GDPR.
- Federal Data Protection Act 2017: Germany's Bundesdatenschutzgesetz (BDSG) works alongside the GDPR to outline how data can be collected and processed.
- FLDP and DPO: The Federal Law on Data Protection (FLDP) and the Data Protection Ordinance (DPO) are the data privacy laws of Switzerland.
- Data Protection Act 2018: The Data Protection Act 2018 incorporates the EU GDPR and supplements its provisions in the United Kingdom. An amended version of this law came into effect at midnight on 31 December 2020.

Asia
- Personal Information Security Specification: This is the data privacy law in China that relates to transparency, personal rights over data, and consent. In October 2020, China unveiled a draft of the Personal Information Protection Law (PIPL) for public consultation. This comprehensive data privacy legislation has yet to be passed into law.
- APPI: Japan's Act on the Protection of Personal Information (APPI) applies to any company, whether in Japan or located outside Japanese borders, that offers goods and services in the country.
- PDPB: Tabled in December 2019, the Personal Data Protection Bill 2019 (PDPB) is based on the GDPR and grants Indian citizens certain data protection rights. The revised version of the law, the Personal Data Protection (PDP) legislation, is expected to pass into law in early 2021. Currently, data privacy is covered by the Information Technology Act 2000.

Africa and Australia
- PoPI: The Protection of Personal Information (PoPI) Act 2013 is a data privacy law in South Africa that prescribes how customer data can be used for marketing purposes.
- Australia's Privacy Act 1988: This is the key privacy law that governs both the public and private sectors in Australia.
- New Zealand Privacy Act 1993: This is the key privacy law that governs both the public and private sectors in New Zealand.
PIPEDA
Industries: Financial, Pharma, Education, Health, E-Commerce
Country: Canada
In Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) covers the disclosure of personal information in the private sector. The privacy law applies to any Canadian private-sector organization that collects sensitive data in the course of commercial activity. A data protection tool is necessary in order to achieve comprehensive PIPEDA compliance.

PIPEDA grants citizens of Canada the following data privacy rights:
- to know what their sensitive data will be used for;
- to expect organizations not to use their sensitive data for any purpose other than the one for which consent was granted;
- the right to update personal data and for that data to be kept up to date;
- the right to access their information;
- the right to report organizations that do not follow the rule of law.

Data masking allows Canadian businesses to stay on the right side of PIPEDA compliance, while giving their customers the peace of mind that their data is protected at all times. Data masking, also known as de-identification, works by masking sensitive data elements: it employs algorithms that replace the indicated elements with similar, seemingly authentic elements. Once masked, the data will look authentic but will have been effectively de-identified. It is worth noting that many Canadian provinces have their own privacy laws outside of PIPEDA, and it is recommended to check each province your business engages with to clarify the data protection requirements you need to comply with.
FERPA
Industry: Education
Country: United States
The Federal Family Educational Rights and Privacy Act (FERPA) protects the privacy of student education records and applies to all schools, colleges or universities that receive funds from the U.S. government. Under the provisions of FERPA, educators may not disclose student data to anyone without explicit consent. The act also grants certain rights to parents as well as to students who are eighteen or older. Parents have the right to request their children's education records, and this right also extends to any student over the age of eighteen.

Student data is classified either as personally identifiable information (PII) or as directory information. PII is data that can be used to identify an individual student, such as name, address, social security number, and student number. Directory information is any student data that would be found in an educational record, such as grades, religious beliefs, and medical history. Both PII and directory information should be considered sensitive data. In the wrong hands, this information can be used to directly or indirectly identify a student and place them in harm's way. It can also be used to commit fraud or blackmail, or even be sold on the dark web.

Data protection tools like data masking protect your student records by masking sensitive data elements, allowing you to control access to this information. Data masking use cases include:
- protecting schools' and colleges' non-production environments when developing school applications;
- protecting sensitive information before disclosing data to third parties;
- hiding student identities while maintaining reports.
Government
Industries: Financial, Pharma, Government, Education, Health, E-Commerce
Countries: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Canada, United States
Governments are well versed in handling confidential information, but more and more government agencies are recognizing the risks of exposing the personally identifiable information (PII) of their citizens to unauthorized parties, and are applying privacy safeguards to educational, statistical, tax, and many other types of data. For government agencies, it is of vital importance that all compliance measures for data privacy are met and that both internal and external risks are mitigated, not only for PII but for confidential information as well. Besides following the regulatory guidelines on data privacy, which mainly apply to static data masking, they also need to de-identify data in real time so that only "authorized eyes" have access to sensitive information. Data masking effectively de-identifies sensitive data elements while maintaining the integrity of the relevant information, allowing researchers to continue their work without risk.

In short, data protection methods like data masking allow you to control access to sensitive information, remain compliant with data privacy laws, and manage the risk of data breaches. Data masking is a recommended method of data protection that meets the minimum requirements of most data privacy laws, including: HIPAA, HITECH, GDPR, GLBA, PCI DSS, FERPA, PIPEDA, CCPA, Privacy Shield, COPPA, and NYPA.
State Regulations
Industries: Financial, Pharma, Education, Health, E-Commerce
Country: United States
In the United States of America, each state has its own laws and regulations that must be complied with, each differing in stringency. Currently, almost all states have legislation pertaining to data privacy. Please check the state legislation that is relevant to your business. Examples of individual state privacy laws include:
- New York Privacy Act
- Massachusetts Data Privacy Law
- California Consumer Privacy Act (CCPA)
- Hawaii Consumer Privacy Protection Act
- Maryland Online Consumer Protection Act

Data protection is a crucial preventative measure against non-compliance with a state privacy law.

CCPA
One of the most stringent of the U.S. privacy laws is the California Consumer Privacy Act (CCPA), which came into effect on 1 January 2020. The CCPA focuses on enforcing consumer privacy rights, and residents of California are guaranteed the following:
- the right to request information about how their data is used and shared;
- the right to be forgotten;
- the right to control who has access to their information;
- the right to opt out;
- the right to refuse the sale of their information.

In order to comply with the CCPA, companies based in California are advised to apply a tried and tested data protection method, such as data masking, to protect sensitive data from both internal and external threats. Data masking is a GDPR-approved method of safeguarding data.

CDPA
In March 2021, Virginia signed the Virginia Consumer Data Protection Act (CDPA) into law, making it the second U.S. state after California to enact a comprehensive state privacy law. Once the CDPA is in effect, Virginia residents will have the right to access, rectify, delete, and ask for their personal information, and to opt out of its sale and processing. As with the GDPR, the CDPA requires businesses to take adequate measures to ensure their sensitive data is protected, including implementing data protection methods such as data masking. The CDPA comes into effect on 1 January 2023.
HIPAA/HITECH
Industries: Pharma, Health
Country: United States
Signed into law in 1996, the Health Insurance Portability and Accountability Act (HIPAA) outlines the rules and regulations for medical data protection. The act sets out the standards for data handling, security, insider access, and billing. Information covered by HIPAA includes protected health information (PHI) and electronic protected health information (ePHI), or simply put, sensitive patient data. PHI includes the following information:
- medical history
- health care information
- payments and billing history
- common patient identifiers such as name, address, date of birth, and social security number
- medical records
- communication with healthcare providers
- medication history
- health insurance details

Under HIPAA, the Department of Health and Human Services published five rules:
- the Privacy Rule
- the Transactions and Code Sets Rule
- the Security Rule
- the Unique Identifiers Rule
- the Enforcement Rule

Most entities that handle patient data fall under the jurisdiction of HIPAA, such as health plans, billing services, pharmacies, health insurers, community health information systems and even employer-sponsored health plans. Data masking is a trusted and proven method of data protection that meets the requirements of the following provisions of HIPAA:

Section 164.308: This section deals with information access management and the implementation specifications for granting access to electronic protected health information. Such mechanisms can involve on-the-fly or static data masking of sensitive data such as social security numbers, Medicare numbers, and patient names for unauthorized parties.

Section 164.312: This section deals with access control and the implementation specifications of (i) unique user identification and (iv) encryption and decryption.

Section 164.502: This section deals with the minimum necessary specifications when using or disclosing protected health information, or when requesting protected health information from another covered entity. Organizations can dependably limit the data given to contractors or third parties by masking the values.

HITECH
The Health Information Technology for Economic and Clinical Health Act (HITECH) deals with the privacy and security of health information that is electronically transmitted. HITECH includes stringent data security requirements for healthcare entities as well as their partner services. The HITECH act essentially widens the landscape for the exchange of electronic protected health information (ePHI) between doctors, clinics, health insurance companies, and other services that process healthcare information. Any organization that handles ePHI needs to ensure that patient data is well protected or risk heavy penalties for non-compliance.