How two of the largest markets in the world are working on privacy and security
If you have ever used an app that asks for personal details, logged into something from your smartphone, or even searched the internet from a personal device, your data is out there with a public or a private entity. Though this brings many benefits, personal information in the outside world is not always safe. Cyber security is one of the most commonly used terms in today’s world of modern technology.
To safeguard one’s data and information, each government puts in place its own set of laws with which every organisation has to comply. Vulnerable individuals and communities are the most affected by data breaches, which expose their lives, thoughts and other personal information. However, sharing some of this data on at least a few platforms makes it easier for people to use today’s technology.
Why should law step in for data protection?
There are two main reasons why the legal system was required to step in to curb data breaches.
Regular updates based on reality
If the rules protecting data were left for private firms to dictate, they might have been a one-time stunt to satisfy customers, with no further attention paid to them even after several years. In today’s connected world, governments should actively pursue these laws and update them regularly. Although this is happening in a few countries, there is still a need to step up, as technology is growing at an unimaginable rate.
Corporates do not safeguard our data
Although corporates have been pushing for individual or self-regulation mechanisms to gain greater flexibility, they have not succeeded in producing a non-biased, non-binding rule to safeguard people’s data. It is a scary situation to leave it in their hands and hope for the best.
99% of the 233,581 complaints filed until April 2020 have been resolved through HIPAA.
HIPAA of 1996 and where it stands today
The Health Insurance Portability and Accountability Act of 1996 was formed by the US Department of Health and Human Services (HHS) and introduced as a federal law to protect patients’ sensitive health information from being disclosed without their consent. Most of the medical industry in the US thrives on health insurance and health plans, which require patients to share their personal information on a different portal. This law, initially introduced as a data privacy law, has grown in prominence over time.
Commonly known as Public Law 104-191, it currently has two major purposes:
- To provide continuous health insurance coverage for workers when they change jobs or become unemployed. This reduces the financial burden on the firms associated with these individuals by standardizing financial transactions.
- To combat fraud, abuse and waste in healthcare and to improve long-term access to health services and insurance.
In 2010, this was extended to healthcare organisations that were not previously covered by HIPAA, including those operating Electronic Health Records (EHR) and related systems.
In 2013, an omnibus rule was introduced as a modification to the existing laws. This modification set out the guidelines that apply to the business associates of the covered entities. The penalty for violating HIPAA was increased to $1.5 million per breach.
In 2016, a further clarification announced that cloud service providers and other business associates of healthcare organisations fall under HIPAA privacy rules. Health organisations involved in a data breach face heavy financial penalties.
The EU’s way with GDPR
The General Data Protection Regulation (GDPR) is the core of European digital privacy legislation. In 2012, the European Union came up with a data protection reform to be implemented across the EU so that Europe is “fit for the digital age”.
GDPR gives citizens more control over their data. It applies equally to businesses and individuals so that everyone benefits from the digital economy. Organisations collecting information should guard against breaches, and all information should be collected under strict conditions. If the rights of data owners are misused, exploited or abused in any manner, a heavy penalty is imposed. This applies to organisations within the EU and to those outside the EU that supply goods and services to any country within the EU. In practice, all major organisations have to follow GDPR.
The following is a list of the requirements to be followed for compliance with GDPR.
1. Obtaining consent
Organisations must obtain users’ prior consent when collecting their information. Complicated language in the Terms and Conditions cannot be used as camouflage to abuse the data. Consent must be as easy to withdraw as it is to give.
2. Notification of breach on time
If a breach is identified, the persons concerned should be notified within 72 hours. Anything beyond this time frame attracts a fine.
3. Right to data access
Anyone is entitled to know how their data is used and what information the organisation holds about them. An electronic copy should be provided to the person who requests it.
4. Right to data deletion
A customer can request that their data be deleted once the purpose for which it was collected has been achieved. This is also called the Right to be Forgotten.
5. Data portability
If an organisation uses a customer’s data in a certain way, the customer is allowed to use that data outside the organisation.
6. Privacy by design
A structural design to protect people’s data should be in place from the beginning. Only that will ensure compliance with GDPR.
7. Right to data portability
Data collected by one organisation can be transferred to another upon request and under certain conditions.
Under GDPR, two entities are involved in data collection: the processor and the controller. A controller is a person or an authority who decides the purpose and means of processing the data. A processor is a person or an authority that processes the data on behalf of the controller. Thus, GDPR is not limited to tech companies but applies to any industry that collects personal data. For instance, a hotel requiring one’s details for check-in must follow GDPR.
Since the new GDPR requirements came into force in May 2018, almost 60,000 breaches were reported within the first eight months. Although the number seems discouraging, it gives users confidence that their data privacy cannot be abused under any circumstances.
With Rootquotient dealing with clients from all over the world, the US, the UK and some EU countries form our predominant client base. We are well aware of the nooks and corners of each country’s laws and have been extremely careful in handling various data. Our strict policy against data breaches and our employees’ awareness of the repercussions ensure that the data is safe with us and that we are transparent with the respective users.
In an era when data analytics is taking the big stage, the other side of the coin has been taken care of by various governments to help citizens cope with complex corporate structures and regulations. Citizens should be aware of their rights to ensure the safety of their personal data. 64% of respondents in a survey said that they are equally worried about governments (mis)using their data, which seems a valid concern. While governments impose laws on organisations, who watches over them?