- Data privacy laws regulate how organizations collect, use, store, share and protect personal information. Requirements vary by jurisdiction, sector and data type.
- Major frameworks include GDPR (EU/UK), CCPA / CPRA (California), HIPAA (US healthcare), GLBA (US financial services) and a growing patchwork of US state laws.
- Common requirements: data inventory, lawful basis, individual rights, security controls, breach notification, vendor management, and data protection impact assessments.
- Penalties can be severe. GDPR fines can reach the greater of €20 million or 4% of global annual turnover. CCPA provides statutory damages (via its private right of action for certain data breaches) and class-action exposure.
- The right approach is a privacy program aligned to a comprehensive framework like the SCF, addressing all applicable laws through a single control set.
Ready To Operationalize Data Privacy & Cybersecurity Principles To Meet Compliance Needs? We are.
Please keep in mind that cybersecurity & data privacy engineering principles are not just limited to EU GDPR & CCPA. The requirement to have secure practices that protect the confidentiality, integrity and availability of your sensitive data is very common:
- NIST 800-53 - SA-8;
- NIST Cybersecurity Framework - PR.IP-2 (CSF 1.1 numbering);
- ISO 27002 - 14.2.5 & 18.1.4 (ISO 27002:2013 numbering; the 2022 edition renumbers these controls);
- Defense Federal Acquisition Regulations Supplement (DFARS) 252.204-7012 (NIST 800-171) - 3.13.1 & 3.13.2;
- Federal Acquisition Regulations (FAR) 52.204-21 - 4;
- National Industrial Security Program Operating Manual (NISPOM) - 8-302 & 8-311;
- SOC2 - CC3.2;
- Generally Accepted Privacy Principles (GAPP) - 4.2.3, 6.2.2, 7.2.2 & 7.2.3;
- New York State Department of Financial Service (DFS) - 23 NYCRR 500.08;
- Payment Card Industry Data Security Standard (PCI DSS) - 2.2; and
- Center for Internet Security Critical Security Controls (CIS CSC) - 1.2, 5.9, 6.2, 6.3, 6.4, 6.5, 7.1, 7.2, 7.3, 7.4, 7.5, 7.6, 7.7, 7.8, 8.6, 9.1, 9.2, 9.3, 9.4, 9.5, 9.6, 11.4, 11.5, 11.6, 11.7, 13.4, 13.5 & 16.5.
A Solution That Is Scalable, Comprehensive & Efficient
We leverage the Hierarchical Cybersecurity Governance Framework to develop the necessary cybersecurity and privacy documentation components that are key to being able to demonstrate evidence of due diligence and due care for our clients. This methodology towards documentation acknowledges the interconnectivity that exists between policies, control objectives, standards, guidelines, controls, risks, procedures & metrics. This documentation model works well with ISO 27002, NIST CSF, NIST 800-171, NIST 800-53, FedRAMP, CIS CSC Top 20, PCI DSS, Secure Controls Framework (SCF) and other control frameworks.
Essentially, ComplianceForge simplified the concept of the hierarchical nature of cybersecurity and privacy documentation that you can see in the downloadable diagram shown below. This helps demonstrate the unique nature of these components, as well as the dependencies that exist. You can download the example to better understand how we write our documentation that links policies all the way down to metrics. This is a great solution for any organization currently using or migrating to a Governance, Risk & Compliance (GRC) or Integrated Risk Management (IRM) platform to help automate their governance practices.

At ComplianceForge, we are here to provide businesses with the documentation they need to comply with the EU GDPR, CCPA and other requirements that demand companies "bake in" both cybersecurity and privacy principles into their day-to-day operations and project development processes. We refer to it as Cybersecurity for Privacy by Design (C4P). Privacy and secure engineering are just one component of building an audit-ready cybersecurity and privacy program!

Cybersecurity for Privacy by Design (C4P) Model
ComplianceForge offers a unique set of solutions that goes beyond cybersecurity policies and standards. Our comprehensive documentation addresses common cybersecurity and privacy frameworks, enabling companies to obtain quality documentation that proves evidence of due care and due diligence for how cybersecurity and privacy principles are implemented. The EU GDPR & CCPA are more than a checklist of requirements - these regulations expect processes to exist. When a process is audited, documentation is required to prove its existence. Therefore, documentation is king!
Surprising to many people, privacy protections overlay most existing security protection mechanisms. In a C4P model, the focus is on People, Processes, Technology, Data & Facilities. A focus on C4P allows an organization to:
- Enable privacy principles through an integrated approach with security;
- Preset security configuration settings so that it is secure by default;
- “Bake in” security mechanisms, as compared to “bolting on” protections as an afterthought;
- Keep things simple to save resources and avoid negatively affecting users;
- Integrate throughout the lifecycle of projects / applications / systems;
- Support a common method to “trust but verify” for projects / applications / systems; and
- Position security to be seen as an enabler through educating users, managing expectations, and supporting change.
Data Privacy Compliance
Before you can jump in and just start "doing privacy and security," your company needs to first address some fundamental building blocks that are often overlooked:
Security, Compliance & Resilience Program (SCRP)
Make sure your company's policies and standards are "audit ready" for your applicable privacy regulations. This means that they are aligned with an industry-recognized leading framework, which shows that you are aligned with reasonable expectations for your industry.
Privacy Program Documentation
Eliminate "tribal knowledge" by documenting how processes actually work and ensure that key stakeholders are aware of what "right" looks like. If you have written processes, audit them to make sure what is published is actually what is being done.
Integrated Incident Response Program (IIRP)
Establish governance / oversight of processes to ensure your company's processes are actually working as they are supposed to. If not, make fixes and keep verifying.
Understanding "Privacy By Design" As It Pertains To Data Privacy Regulations
In terms of the EU GDPR, the regulation expects your company to define an "adequate level of data protection" and "appropriate technical and organisational measures" in terms of its alignment with leading privacy practices. Therefore, your company is not only expected to adopt a "best in class" approach to implementing privacy frameworks, it also needs to have evidence that it has done so. Every framework is unique and has its own strengths and weaknesses, but the most common sources of "privacy principles" that a company should leverage are:
- ISO 27701;
- ISO 29100;
- Generally Accepted Privacy Principles (GAPP);
- Fair Information Practice Principles (FIPP);
- NIST Privacy Principles [draft];
- US Privacy Shield (the EU-US Privacy Shield adequacy decision was invalidated by the CJEU in 2020, so it no longer serves as a transfer mechanism, although its principles still reflect FIPPs-based practice); and
- SOC 2 Privacy Principles (AICPA Trust Services Criteria).
Operationalizing Security by Design (SbD) & Privacy by Design (PbD) Begins With Understanding Expectations
Understanding the requirements for both Security by Design (SbD) and Privacy by Design (PbD) principles involves a simple process of distilling expectations. This process is all part of documenting reasonable expectations to right-size the approach, since every organization is unique:
- Applicable best practices based on your company's industry:
  - ISO 27002
  - NIST 800-53
  - SOC 2
  - Operational Technology (OT) & Internet of Things (IoT)
- Statutory obligations (e.g., state, federal and international laws):
  - FTC Act (prohibition on unfair business practices)
  - Family Educational Rights and Privacy Act (FERPA)
  - Children's Online Privacy Protection Act (COPPA)
  - State ID theft laws (e.g., MA 201 CMR 17)
- Regulatory obligations (e.g., regulatory bodies or governmental agencies):
  - EU General Data Protection Regulation (EU GDPR)
  - NY Department of Financial Services (23 NYCRR 500)
  - FISMA / DIACAP / DIARMF
- Contractual obligations (e.g., vendor agreements):
  - DFARS / FAR (e.g., NIST 800-171)
  - Privacy Shield (invalidated as an EU-US transfer mechanism in 2020; check current adequacy arrangements)
  - PCI DSS

Operationalizing Security by Design (SbD)
Security by Design (SbD) requirements come from numerous sources. In this context, the most important are:
- International Organization for Standardization (ISO)
- National Institute of Standards and Technology (NIST)
- US Government (HIPAA & FedRAMP)
- Information Systems Audit and Control Association (ISACA)
- Cloud Security Alliance (CSA)
- Center for Internet Security (CIS)
- Open Web Application Security Project (OWASP)

Operationalizing Privacy by Design (PbD)
Privacy by Design (PbD) requirements come from numerous sources. In this context, the most important are:
- Fair Information Practice Principles (FIPPs)
- European Union (EU) General Data Protection Regulation (GDPR)
- Organization for the Advancement of Structured Information Standards (OASIS)
- International Organization for Standardization (ISO)
- National Institute of Standards and Technology (NIST)
- Information Systems Audit and Control Association (ISACA)
- US Government (HIPAA & FTC Act)