The following is an excerpt from Reviewing Your Data Protection Strategy, a free industry guide that looks at new data protection regulations in places like Europe, America, and Australia, and how to protect against the number one cause of data breaches.
Right now, data regulations around the world are being tightened and harsher penalties enforced to protect consumers. In Europe and the UK, the GDPR is set to completely change the way businesses store and manage personal data. Australia's sweeping new Notifiable Data Breaches (NDB) scheme, in force from February 2018 onwards, requires all businesses that experience a data breach to report it. Multiple US states have data regulations, and a proposed federal data breach notification law (dubbed the Data Security and Breach Notification Act) is being considered right now.
Governments the world over understand that cyber security is a huge threat to the safety and privacy of their citizens. They continue to tighten the law for businesses that hold valuable information and impose harsh penalties when it is not properly protected. How will legal regulations affect you?
EUROPE - The GDPR
The GDPR requires data holders to do everything in their power to protect the personal data of European citizens from being leaked or exposed. Even accidental leaks are viewed as the data holder not doing enough to keep personal information safe. Because of this, unintentional data breaches – like sending an email to the wrong person, or not redacting a person’s bank account number – carry penalties just as if the business had not used passwords and security systems to protect against hackers. Therefore, it is essential that you have the necessary safeguards in place.
Penalties: minor offenses are to be punished by a fine of up to €10,000,000 (USD $12,000,000) or 2% of annual global turnover (whichever is greater). More serious offenses could be fined up to €20,000,000 (USD $25,000,000) or 4% of annual global turnover (whichever is greater).
It should not be forgotten that the available penalties are more than just financial. The data protection authorities have far-reaching powers that include the ability to put a stop to a business’s data processing or to name and shame it publicly – either of which could be far more damaging than a financial fine.
Who does it apply to? Any organization globally that holds or processes the personal data of European citizens.
AUSTRALIA - The NDB Scheme
The Notifiable Data Breaches (NDB) scheme requires organizations in Australia to report all eligible data breaches to the affected parties and to the Office of the Australian Information Commissioner (OAIC). Under the scheme, eligible data breaches are those that result in serious harm to any affected individual, and they include emails sent to the wrong recipient.
Penalties: regulatory action and court-ordered civil penalties.
Who does it apply to? Australian Government agencies, businesses, and not-for-profit organizations with an annual turnover of $3 million (USD $2,400,000) or more, credit reporting bodies, health service providers, and TFN recipients.
NORTH AMERICA - HIPAA, GLBA, and more
Nearly all US states have their own data breach notification laws. California was the first, with legislation introduced in 2003. Different industries have their own regulations – the Health Insurance Portability and Accountability Act of 1996 (HIPAA) covers medical data, and the Gramm–Leach–Bliley Act (GLBA), also known as the Financial Services Modernization Act of 1999, covers financial data.
The California Consumer Privacy Act of 2018 (CCPA) was legislated to give the state’s citizens greater ownership of their personal information. Californians now have the right to know, among other things, what personal data is being collected on them and, if it is sold or disclosed, to whom. The CCPA applies to organizations that a) do business in California and b) either have annual gross revenues over US$25 million; hold the personal information of at least 50,000 consumers; or earn more than half of their annual revenue from the sale of consumers’ personal data.
CANADA - Mandatory breach notification (PIPEDA)
Canada’s notifiable data breach law came into effect on 1 November 2018. Organizations subject to the Personal Information Protection and Electronic Documents Act (PIPEDA) are now obligated to give notice of certain types of privacy breaches.
Download the guide to Reviewing Your Data Protection Strategy in 2019 to learn about the new regulations and a simple solution to make sure your workplace is protected.