Last updated on January 17, 2022 by Balvinder Dang
Sharing and storing enterprise data in a manner that is both secure and compliant with regulations has become a real challenge in the past few years. The amount of data grows every day and the regulations change almost every year.
Failing to comply can mean large fines or, for some laws, criminal liability. In other words, finding ways to store and share data in an integrated and secure manner is crucial. But where do you start, and which regulations should you consider? Here's what you need to know.
How to approach compliance with government regulations
Before we can discuss how to secure data to increase compliance, we need to take a look at the main regulations. The list is not exhaustive, but it encompasses the most important provisions you will find in various laws around the world. Laws may vary according to your location, your customer’s location, or the type of data you process.
The EU General Data Protection Regulation
The EU General Data Protection Regulation (GDPR) came into effect in May 2018. It replaced the 1995 Data Protection Directive and brought a lot of changes to the way companies approach the processing of personal data, not least because of the size of the fines it allows.
Its goal is to give users back control over their personal data. Companies need a lawful basis for every processing activity; where that basis is consent, the consent has to be specific and informed, and the data may only be used for the purposes it was collected for (purpose limitation). Upon request, they must be able to erase a user's personal data: the right to erasure, commonly called the right to be forgotten.
Some of these rights, especially the right to be forgotten, may seem to conflict with other legal obligations companies have. For example, financial records that fall under the Sarbanes-Oxley Act must be kept for at least 5 years. The GDPR anticipates this: the right to erasure does not apply where the processing is needed to comply with a legal obligation (Article 17(3)(b)), so the retention rule wins for the records it covers. The practical obligation is to know, and to document, exactly which records those are, because the exemption does not extend to everything else you hold about the person.
Another unique thing about the GDPR is its territorial scope. It applies to any business that processes the personal data of people in the EU in connection with offering them goods or services or monitoring their behaviour, wherever the business itself or its servers are located. What matters is where the data subjects are, not where the company is.
The Health Insurance Portability and Accountability Act
The Health Insurance Portability and Accountability Act (HIPAA) applies to protected health information (PHI) handled by covered entities in the US (healthcare providers, health plans and clearinghouses) and by their business associates, regardless of the patient's citizenship. Other countries have their own rules. So if your company touches personal health information, you will need to comply with the regulations that apply where the patient is and where you operate.
The California Consumer Privacy Act
The California Consumer Privacy Act, in short the CCPA, came into effect on January 1st, 2020, with enforcement starting on July 1st, 2020. It is one of the strictest US privacy laws and in many ways it is similar to the GDPR.
In some regards it is broader than its European counterpart. For instance, its definition of personal information explicitly includes inferences drawn from other data to build a profile of a consumer.
Unlike the GDPR, though, the CCPA does not apply to every business. It targets for-profit businesses doing business in California that meet at least one of three thresholds: gross annual revenue above $25 million; buying, selling or sharing the personal data of 50,000 or more consumers, households or devices per year; or deriving 50% or more of annual revenue from selling personal data.
The Sarbanes-Oxley Act
The Sarbanes-Oxley Act (in short, SOX) was passed by the US Congress in 2002. It applies to US publicly traded companies, their management and their external auditors, not to accounting firms alone. It sets strict rules for financial reporting, for internal controls over that reporting (Section 404) and for the retention of audit records (Section 802).
When it was first enforced, it was considered the hardest law to comply with and it gave IT departments a real headache. Its goal is to protect investors and ensure that financial records and disclosures accurately show how a business operates.
Emails, spreadsheets, instant messages, anything that could be relevant to financial reporting, needs to be kept for a minimum of 5 years; the SEC rule implementing Section 802 requires auditors to keep their audit workpapers for 7. Because the scope is so broad, the risk of conflict between SOX obligations and GDPR or CCPA obligations is high, and that pressures companies to find data sharing and storage solutions that can satisfy both.
Payment Card Industry Data Security Standard
The PCI Security Standards Council was established in 2006 by American Express, MasterCard, Visa, Discover and JCB International. Its standard, the PCI DSS, governs the security of cardholder data wherever it is stored, processed or transmitted. Unlike the laws above it is a contractual requirement imposed through the card brands and acquiring banks rather than a statute, but non-compliance still means fines and, ultimately, losing the ability to take card payments.
To limit what a breach can expose, the PCI DSS draws clear boundaries around what may be stored. After authorization an organization may keep the primary account number (PAN), the cardholder name and the expiry date, but the PAN must be rendered unreadable wherever it is stored (by truncation, tokenization, or strong encryption with proper key management) and masked to at most the first six and last four digits when displayed. Sensitive authentication data, that is the card verification code (CVV2 on Visa, CVC2 on MasterCard, CID on Discover and American Express), the PIN and the full magnetic stripe or chip data, must never be stored after authorization, not even encrypted.
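The PCI storage boundary above is easiest to enforce at the point where a payment form is turned into a database record. The following is an added example (not code from Datavid or from the PCI DSS itself) of that step in Python: it drops sensitive authentication data, validates the PAN with the Luhn check, truncates it to first six and last four for display, and derives a keyed lookup token so repeat customers can still be matched. The form fields, the field names treated as sensitive and the token key are assumptions for the example; in production the key would live in an HSM or KMS.

```python
import hashlib
import hmac

# Constructed sample of what a checkout form might post. The card number is
# the well-known test PAN 4111 1111 1111 1111; never put real card data here.
SAMPLE_FORM = {
    "pan": "4111 1111 1111 1111",
    "cardholder": "A. Person",
    "expiry": "12/26",
    "cvv": "123",
}

# Assumed: in production this key lives in an HSM or KMS and is used only
# to derive lookup tokens. It is hard-coded so the example runs offline.
TOKEN_KEY = b"example-only-token-key"

# Assumed field names that carry what PCI DSS calls sensitive authentication data.
SENSITIVE_AUTH_DATA = {"cvv", "cvv2", "cvc", "cvc2", "cid", "pin", "track1", "track2"}


def luhn_ok(pan: str) -> bool:
    """Luhn checksum: rejects mistyped or fabricated PANs before they are stored."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Truncate to the first six and last four digits, the most PCI DSS allows
    on a display or in a stored record that is not otherwise protected."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_token(pan: str) -> str:
    """Keyed hash of the full PAN so repeat customers can be matched without
    keeping the PAN itself. An unkeyed hash would be brute-forceable,
    because the space of valid PANs is small."""
    return hmac.new(TOKEN_KEY, pan.encode(), hashlib.sha256).hexdigest()


def to_storable_record(form: dict) -> dict:
    """Build the record that may persist after authorization: sensitive
    authentication data dropped, PAN truncated for display and tokenized for lookup."""
    pan = "".join(form["pan"].split())
    if not (13 <= len(pan) <= 19 and pan.isdigit() and luhn_ok(pan)):
        raise ValueError("invalid PAN")
    record = {k: v for k, v in form.items() if k.lower() not in SENSITIVE_AUTH_DATA}
    record["pan"] = mask_pan(pan)          # what staff and reports see
    record["pan_token"] = pan_token(pan)   # what lookups and de-duplication use
    return record


if __name__ == "__main__":
    print(to_storable_record(SAMPLE_FORM))
```

Note that the masked PAN plus the HMAC token is only one of the acceptable approaches; if the business needs the full PAN later (refunds to the original card, for instance), it has to be kept under strong encryption with keys that the application servers cannot read directly, which is a separate design problem.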
Enterprise Data Sharing and Storage Security – What To Consider
Usually, when thinking of compliance, you need to consider two main areas: data retention and data security.
The biggest challenge companies face is finding methods that ensure compliance with several regulations at once. Laws do not exclude one another, yet their provisions can often feel contradictory.
For instance, an audit firm located in the European Union with US-listed clients will need to comply with both the GDPR and SOX. One tells it to keep records for a minimum of 5 or even 7 years. The other gives the people in those records "the right to be forgotten", the right to have their personal data permanently erased.
A company that processes data related to health and is located in California could find itself subjected to both the HIPAA and the CCPA, depending on their business scope.
The various retention obligations lead some to choose Write Once Read Many (WORM) storage. Once written to the designated storage, the data cannot be modified or deleted until a set retention period has expired. This is a recognised approach for SOX compliance, and it can be helpful with other regulations as well.
The problem is that WORM storage does not fit every workload. Optical media and tape are the classic examples, and a company that needs to store many terabytes will look instead to WORM modes on disk arrays or to cloud object storage with an immutability lock, which scale far better. Physical media also pose their own security problems: they are easy to lose and hard to inventory.
WORM can also make it hard to comply with other regulations such as the GDPR. If you are faced with a request to forget a data subject's personal information, the only way to honour it on immutable media is to destroy the media, and other obligations, whether legal or internal, might forbid that. Two ways around this are to anonymize before writing, or to encrypt each data subject's records under a key specific to that subject and destroy the key on erasure (often called crypto-shredding), which leaves the immutable bytes in place but unreadable.
Through anonymization, the data is irreversibly altered so that the data subject can no longer be identified. Pseudonymization, which keeps a reversible mapping somewhere, is not enough: the GDPR still treats pseudonymized data as personal data. Once written to WORM storage this processing can no longer take place. In other words, if you know you may need to anonymize data, do it before using WORM or choose another storage method.
Versioning may be a better option in many cases. In this case, you do not replace data. Instead, each new revision, or correction, is stored in a different version. It offers better control over the data and it helps avoid confusion when it comes to retention provisions.
Versioning provides traceability, which is essential during any regulatory audit, whether we are talking about SOX, GDPR or another law. Most such audits require companies to prove how the data was obtained and to trace every step, from the moment consent was obtained from the user through all the modifications made along the way.
Another option that improves traceability is using soft deletes instead of permanent deletes. A soft-deleted record is flagged as deleted and hidden from normal use, but it can easily be restored. This is a good option during long retention periods: you keep on hand only the data you most need and set the rest aside, restore it if an audit asks for it, and once the retention period is over you hard-delete everything that was set aside in one pass. One caveat: a soft delete does not satisfy a GDPR erasure request, because the flagged data is still personal data you hold. Erasure requires the data to actually go, or to be anonymized.
Temporality, adding a time dimension to the data, is another useful tool for compliance. When a record carries both a system dimension (when the system recorded a fact) and a functional dimension (when the fact was true in the business), the method is called bi-temporality. It lets you answer both "what was true about this customer last March?" and "what did we believe about this customer last March?", which is exactly what an auditor asks once a record has been corrected after the fact. The concept has existed since the 1980s, but even today few teams employ it, because it is seen as complex and only worthwhile for large amounts of data. With the right process in place, however, bi-temporality can be very helpful in audits, especially when several data retention policies apply at once.
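To make the three retention techniques above concrete (versioning, soft deletes and bi-temporality, plus the hard delete that a GDPR erasure actually requires), here is an added example in Python, written for this page rather than taken from Datavid's products. It is a small append-only store in which every record version carries a valid-time interval (business time) and a transaction-time interval (system time). Corrections never overwrite; a soft delete is just a tombstone version; a retention purge physically drops versions whose period has run out; and a separate hard delete exists for erasure requests. The customer record, the dates and the seven-year retention period are constructed for the walk-through.

```python
from dataclasses import dataclass, replace
from datetime import date, datetime, timedelta
from typing import Dict, List, Optional

FAR_FUTURE = datetime.max   # marker for "not yet superseded"


@dataclass(frozen=True)
class Version:
    data: Optional[dict]      # None is a tombstone, i.e. a soft delete
    valid_from: date          # business time: when this fact started to hold
    valid_to: date            # business time: when it stopped holding (exclusive)
    recorded_at: datetime     # system time: when the system wrote this version
    superseded_at: datetime = FAR_FUTURE   # system time: when a correction replaced it


class BitemporalStore:
    """Append-only: a correction or a delete adds versions, it never overwrites."""

    def __init__(self) -> None:
        self._versions: Dict[str, List[Version]] = {}

    def put(self, key: str, data: Optional[dict], valid_from: date, now: datetime) -> None:
        """Record that `data` holds from `valid_from` onward; the system learns it at `now`.
        Current versions still valid on or after `valid_from` are superseded, and the
        part of them that precedes `valid_from` is re-recorded so it stays queryable."""
        kept: List[Version] = []
        for v in self._versions.get(key, []):
            if v.superseded_at == FAR_FUTURE and v.valid_to > valid_from:
                if v.valid_from < valid_from:
                    kept.append(replace(v, valid_to=valid_from, recorded_at=now))
                kept.append(replace(v, superseded_at=now))
            else:
                kept.append(v)
        kept.append(Version(data, valid_from, date.max, now))
        self._versions[key] = kept

    def as_of(self, key: str, valid_on: date,
              known_at: Optional[datetime] = None) -> Optional[Version]:
        """What the system believed at `known_at` (default: now) was true on `valid_on`."""
        for v in self._versions.get(key, []):
            in_system = (v.superseded_at == FAR_FUTURE if known_at is None
                         else v.recorded_at <= known_at < v.superseded_at)
            if in_system and v.valid_from <= valid_on < v.valid_to:
                return v
        return None

    def soft_delete(self, key: str, valid_from: date, now: datetime) -> None:
        """Set the record aside with a tombstone; every earlier version stays auditable."""
        self.put(key, None, valid_from, now)

    def is_deleted(self, key: str, valid_on: date) -> bool:
        v = self.as_of(key, valid_on)
        return v is not None and v.data is None

    def erase(self, key: str) -> None:
        """Hard delete for an erasure request. A soft delete is not enough here:
        the tombstoned history still contains the person's data."""
        self._versions.pop(key, None)

    def purge_expired(self, now: datetime, retention: timedelta) -> int:
        """Physically drop versions whose retention period has run out: superseded
        versions older than `retention`, and current versions whose business
        validity ended more than `retention` ago. Returns how many were dropped."""
        dropped = 0
        for key in list(self._versions):
            versions = self._versions[key]
            kept = [v for v in versions if not self._expired(v, now, retention)]
            dropped += len(versions) - len(kept)
            self._versions[key] = kept
        return dropped

    @staticmethod
    def _expired(v: Version, now: datetime, retention: timedelta) -> bool:
        if v.superseded_at != FAR_FUTURE:
            return now - v.superseded_at >= retention
        return v.valid_to != date.max and now.date() - v.valid_to >= retention

    def version_count(self, key: str) -> int:
        return len(self._versions.get(key, []))


def run_scenario() -> dict:
    """Constructed walk-through: an address change reported late, then an account closure."""
    store = BitemporalStore()
    store.put("cust-1", {"city": "Berlin"}, date(2021, 1, 1), datetime(2021, 1, 10, 9))
    # The customer moved on 1 May 2021 but only told us on 15 June 2021.
    store.put("cust-1", {"city": "Munich"}, date(2021, 5, 1), datetime(2021, 6, 15, 9))
    # Account closed on 1 Feb 2022: soft delete, history kept for the auditors.
    closed = datetime(2022, 2, 1, 9)
    store.soft_delete("cust-1", date(2022, 2, 1), closed)
    seven_years = timedelta(days=7 * 365)
    return {
        "now_about_may": store.as_of("cust-1", date(2021, 5, 15)).data,
        "march_about_may": store.as_of("cust-1", date(2021, 5, 15), datetime(2021, 3, 1)).data,
        "now_about_feb": store.as_of("cust-1", date(2021, 2, 1)).data,
        "deleted_after_closure": store.is_deleted("cust-1", date(2022, 3, 1)),
        "readable_before_closure": store.as_of("cust-1", date(2021, 12, 1)).data,
        "versions_before_purge": store.version_count("cust-1"),
        "dropped": store.purge_expired(closed + seven_years + timedelta(days=1), seven_years),
        "versions_after_purge": store.version_count("cust-1"),
    }


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

The two `as_of` calls for 15 May 2021 are the bi-temporal point: asked today, the store answers Munich, because the late-reported move is now known; asked as the system stood on 1 March 2021, it answers Berlin, which is what any report produced at that time would have shown. After the seven-year purge only the tombstone remains, so the key is still known to have existed while the personal data is gone; `erase` is the separate path for a request that cannot wait for retention to expire.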
Because most regulations have provisions about data breaches, security is a crucial matter. The GDPR, for instance, requires breaches to be reported to the supervisory authority within 72 hours, and it allows fines of up to €10 million or 2% of worldwide annual turnover for inadequate security measures, and up to €20 million or 4% for violations of its core principles and of data subjects' rights.
Compliance here involves strict access, authentication and sharing policies. Encryption is a popular control, but it only restricts access to the extent that the keys are restricted: encrypting a database whose keys every application server can read protects against a lost disk, not against a compromised application. Combined with other techniques, such as versioning and access control, it can increase security and support compliance.
In terms of data access policies, one way to improve security and keep better control over the data is fine-grained access control. Coarse-grained access control grants or denies access to a whole resource based on the user's role. Fine-grained access control evaluates several conditions at once (the user's role and attributes, the record's attributes, the purpose of the access) and can apply per row or per field, so access is only granted on a need-to-know basis.
As an example, let's look at an insurance company. Group A will have access to the social security numbers and salaries of contractors, but they won't be able to see invoices. Group B, on the other hand, handles financial audits. They should be able to see invoices, salaries and other expenses, but not social security numbers. In the same manner, all the other access levels can be defined. This ensures both security and privacy. It also makes traceability much easier, provided every access decision is logged, because there is then clear evidence of who had access to what, and why.
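The insurance example above, as an added Python example that is not part of the original article: a deny-by-default, field-level policy where each rule names a role, the fields it may see and an optional condition on the user and the record, plus an audit log entry for every decision. Group A is the assumed role "contractor_admin" and Group B is "finance_audit"; the region check on Group A is an assumed extra condition to show what "multiple conditions" means in practice. The contractor records and users are constructed sample data.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Set


@dataclass
class User:
    name: str
    roles: Set[str]
    region: str


@dataclass
class Rule:
    """A role may see `fields` on a record when `condition(user, record)` holds."""
    role: str
    fields: Set[str]
    condition: Callable[[User, dict], bool] = lambda user, record: True


# Assumed policy for the insurance example. "contractor_admin" is Group A,
# "finance_audit" is Group B. The region check is a fine-grained condition on
# top of the role: admins only see contractors in their own region.
POLICY: List[Rule] = [
    Rule("contractor_admin", {"id", "name", "ssn", "salary"},
         condition=lambda user, record: record["region"] == user.region),
    Rule("finance_audit", {"id", "name", "salary", "invoices", "expenses"}),
]

# Constructed sample data; the SSNs are placeholders, not real numbers.
CONTRACTORS: Dict[str, dict] = {
    "c-100": {"id": "c-100", "name": "Dana Ruiz", "region": "west",
              "ssn": "000-00-0001", "salary": 82000, "invoices": ["INV-7"], "expenses": 1200},
    "c-200": {"id": "c-200", "name": "Lee Park", "region": "east",
              "ssn": "000-00-0002", "salary": 91000, "invoices": ["INV-8"], "expenses": 400},
}

AUDIT_LOG: List[dict] = []   # the evidence of who saw what, and why


def authorize(user: User, record: dict, purpose: str) -> dict:
    """Return only the fields `user` may see on `record`. Deny by default: a field
    is visible only if some matching rule grants it, and every decision, granted
    and denied fields alike, is appended to AUDIT_LOG."""
    allowed: Set[str] = set()
    for rule in POLICY:
        if rule.role in user.roles and rule.condition(user, record):
            allowed |= rule.fields
    visible = {k: v for k, v in record.items() if k in allowed}
    AUDIT_LOG.append({
        "user": user.name,
        "record": record["id"],
        "purpose": purpose,
        "granted": sorted(visible),
        "denied": sorted(set(record) - allowed),
    })
    return visible


if __name__ == "__main__":
    alice = User("alice", {"contractor_admin"}, region="west")
    bob = User("bob", {"finance_audit"}, region="east")
    print(authorize(alice, CONTRACTORS["c-100"], "onboarding"))   # ssn and salary, no invoices
    print(authorize(alice, CONTRACTORS["c-200"], "onboarding"))   # empty: wrong region
    print(authorize(bob, CONTRACTORS["c-200"], "q1-audit"))       # invoices, no ssn
    print(AUDIT_LOG[-1])
```

Keeping the decision in one function with a log entry for every call is what turns the policy into audit evidence: the log answers "who accessed this contractor's SSN, when, and under what purpose" without having to reconstruct it from application code.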
Keep in mind that most regulations do not prescribe a specific security method. The GDPR asks for "appropriate technical and organisational measures" and leaves the choice to you; PCI DSS is the exception, with specific technical requirements. Otherwise you're free to use any data sharing and storage techniques you like, based on the type of data you have, your operations and the general scope of your business.
Many databases and cloud platforms carry compliance attestations of their own (SOC 2, ISO 27001, PCI DSS). This does not mean you can skip making your organization's processes compliant, because the platform's attestation covers its controls, not how you configure and use it, but it does share the responsibility and makes the process easier.
In case of a data breach, you should be able to show that the measures you chose were appropriate to the risk, and that you documented why.
Because retention and security are often intertwined, it is worth noting that versioning, soft deletes and temporality or bi-temporality, described in the previous section, also improve security, especially when it comes to enterprise data sharing: an append-only history makes unauthorized changes visible instead of silent.
Secure enterprise data sharing may seem difficult at first sight, especially when you consider the various regulations your company needs to comply with. Laws do not exclude one another and oftentimes they may have contradictory provisions.
There are no shortcuts to compliance. Each business needs to closely evaluate its scope and its data to know its obligations. From there, audits and data classification should follow. Access policies are crucial in ensuring security, while versioning, soft deletes and even bi-temporality make audits far easier. Anonymization and encryption are two more techniques to keep in mind, especially when you need to comply with multiple regulations.
In the end, data stored in an integrated, versioned, and secure manner is the best way to comply with any regulations.
Datavid provides solutions that can help companies across various fields reach compliance. Our expertise covers, among other things, data retention, security, policies and data orchestration in industries such as pharmaceutical, financial, life sciences, government and more. We make the process quick and easy so that you can focus on your business, so don't hesitate to contact us for more information.