What is data compliance?
Data compliance is a practice and a process. It refers to adherence to protocols and standards that are designed to safeguard personal data and information. Data compliance requirements and regulations define (1) how data is collected, used, processed, and stored, and (2) the processes to ensure the data is protected against loss, theft, corruption and misuse.
Data compliance defines the guidelines, rules, and processes that need to be adhered to. In comparison, data security is more focused on technology and mechanisms.
Although there are multiple compliance frameworks across the information technology sector, data compliance is best summarized as a way for information technology firms and businesses to ensure that the safeguarding and processing of information is allowed by law, and that records pertaining to an individual or organization are protected and de-identified.
Common data compliance frameworks
- Health Insurance Portability and Accountability Act of 1996 (HIPAA)
  - HIPAA focuses on regulations that stipulate the mechanisms and procedures required to enforce Personal Health Information (PHI) integrity and privacy. The Rule requires that safeguards are established and enforced to protect the privacy of protected health information. Additionally, HIPAA defines conditions on the uses and disclosures that may be made of such PHI.
- General Data Protection Regulation (GDPR)
  - The General Data Protection Regulation (GDPR) is known as the toughest privacy and security law in the world. GDPR governs the way that we can process, store, and use personal data (information about an identifiable, living person).
- Payment Card Industry Data Security Standard (PCI DSS)
  - PCI DSS applies to all entities that store, process, and/or transmit cardholder data. It covers technical and operational system components included in or connected to cardholder data.
- Sarbanes-Oxley Act of 2002 (SOX)
  - SOX compliance requirements stipulate that all financial reports include an Internal Controls Report. The report should include proof that the company’s financial data is accurate. Additionally, it should prove that appropriate controls are in place, and verify the security of data.
- Health Information Trust Alliance (HITRUST)
  - HITRUST was established to provide an option for the healthcare sector to address information risk management across a multitude of third-party assurance areas. The desired outcome is to reduce the need for multiple reports. The HITRUST report covers multiple assurance and compliance aspects.
- Cybersecurity Maturity Model Certification (CMMC) – part of the Cyber Security Trust Module
  - Relevant in the US market. CMMC is the US Government’s solution to address low compliance rates associated with NIST SP 800-171. It is designed to limit the businesses that may bid for, and win, contracts with the US government. It has a tiered model structure.
- The Protection of Personal Information Act (POPI)
  - South African data compliance regulation that “gives effect to the constitutional right to privacy, by safeguarding personal information when processed by a responsible party, subject to justifiable limitations.”
Although there are multiple governing bodies for different data compliance standards, an organization will most likely have to follow a standard if it is processing, storing or transmitting information across its network or to a third party. This would include things such as personal health information, personally identifiable information, or cardholder data.