Compliance generally refers to the rules, laws, policies and standards set by organisations and governments to legally conduct business in specific geographic areas or countries. Compliance helps organisations increase customer confidence, which in turn increases business revenue.
Some organisations simply overlook this compliance framework and don’t follow rules and regulations. This can lead to serious damage to the organisation’s reputation, fines, lawsuits and loss of customer and partner confidence. By overlooking compliance frameworks, organisations are not only putting their own data at risk, but also that of their customers. Below is a list of well-known data compliance frameworks:

GDPR (General Data Protection Regulation):
GDPR is essential for businesses that have customers from EU countries. GDPR covers data storage, encryption and access control for all organisational data. GDPR helps protect the privacy and personal data of EU citizens.
GDPR requires consent from citizens before any type of data about them is stored and collected. The personal data collected can only be used for the stated purpose, and can’t be used for any other purpose.
The most important aspect of the GDPR is the individual rights of citizens regarding the personal data collected about them. Citizens can demand an explanation of how their data will be used, and for what purpose.
Another unique aspect of GDPR is the severe penalties, which are up to €10 million or 2% of total annual turnover for non-compliance and up to €20 million or 4% of total annual turnover for data breaches.
SOX (Sarbanes–Oxley Act):
SOX came into existence to protect the public from organisations or businesses carrying out financial fraud. SOX requires organisation management to provide accurate financial information, free of any board interference, and imposes heavy penalties where that information is found to be fraudulent.
SOX applies to all US-based auditing companies, certified public accountants (CPAs) and CPA firms.
SOX is organised into the following 11 titles, which set out all of its details and requirements:
- Title I: Public Company Accounting Oversight Board (PCAOB)
- Title II: Auditor Independence
- Title III: Corporate Responsibility
- Title IV: Enhanced Financial Disclosures
- Title V: Analyst Conflicts of Interest
- Title VI: Commission Resources and Authority
- Title VII: Studies and Reports
- Title VIII: Corporate and Criminal Fraud Accountability
- Title IX: White Collar Crime Penalty Enhancement
- Title X: Corporate Tax Returns
- Title XI: Corporate Fraud Accountability
Under SOX, fines can range from approximately $1 million and 10 years imprisonment to $5 million and 20 years imprisonment for willfully providing false financial information.


HIPAA (Health Insurance Portability and Accountability Act):
HIPAA sets data security standards for organisations and healthcare providers to ensure that patients’ personal health information (PHI) is kept confidential and secure. HIPAA is about protecting individuals’ health information that is collected in electronic, oral or written form by various health plans and health care providers, including doctors, clinics, hospitals and pharmacies.
PHI includes information about an individual’s physical and mental health, treatment and payment for health care, as well as basic information such as name, date of birth, SSN and home address.
Failure to comply with HIPAA laws/standards can result in penalties ranging from $100 to $50,000 per affected PHI record and up to $1.5 million per incident.
CCPA (California Consumer Privacy Act):
The CCPA is very similar to, and inspired by, the GDPR. Like the GDPR, it gives the customer or consumer whose data is being collected complete control over that data: the right to know what information the company stores, the right to delete certain data, and the right to share information. However, unlike the GDPR, the CCPA is not mandatory for every organisation doing business in California, United States. Organisations only need to comply if they meet certain criteria, such as having an annual turnover of more than US$25 million or processing the personal data of 50,000 or more California residents.
Penalties under the CCPA range from US$100 to US$750 per customer record. Although California is a small region compared to the EU, compliance is quite popular due to its economic growth.


PCI-DSS (Payment Card Industry Data Security Standard):
PCI DSS is a regulatory standard developed by credit card companies to protect cardholder data. Introduced in 2004, PCI DSS applies to anyone who processes, stores or transmits credit card data.
PCI DSS defines six groups of controls, and the compliance level that applies to an organisation is determined by its payment transactions over the past twelve months. PCI DSS helps to create a secure environment for payment transactions. Proper implementation of these controls can help organisations protect cardholder data, protect customers, prevent breaches, avoid fines and build customer confidence. The six PCI DSS control groups are listed below:
- Build and Maintain a Secure Network and Systems
- Protect Cardholder Data
- Maintain a Vulnerability Management Program
- Implement Strong Access Control Measures
- Regularly Monitor and Test Networks
- Maintain an Information Security Policy
Non-compliance with PCI DSS can result in fines of $5,000 to $100,000 per month.
How Can SecurDI Help?
At SecurDI, we can simplify the complex process of implementing compliance frameworks and help organisations achieve and easily maintain compliance with multiple frameworks at once. Our team can also advise on and help your organisation improve its existing compliance programmes, minimising the risk of penalties and improving the overall management of your organisation.