It’s that time of year! Ice and snow? Long, dark days? Cozy sweaters?
Not if you’re in charge of data security.
Once the ball drops, it’s time to get ready for National Data Privacy Day. For businesses and individuals alike around the world, January 28 is the annual reminder and opportunity to raise awareness and take action to protect privacy and data. It started over twenty years ago on the anniversary of the Council of Europe’s Convention 108, the first international treaty addressing privacy and data protection.
Today, the European Union protects the data privacy of individuals within the EU with the General Data Protection Regulation (GDPR), established in 2016. All EU member countries and any business (including American-based companies) that offer goods and services in the EU are required to comply. Canada has individual privacy protection from commercial entities in the Personal Information Protection and Electronic Documents Act (PIPEDA). China, Brazil, Thailand and other countries also have blanket privacy regulations.
Domestic data privacy protection
Data privacy isn’t so cut-and-dried for US companies, and it is likely to take more than a devoted Data Privacy Day to fully understand and apply. American businesses face a patchwork of data privacy regulations and laws that apply by geography, by industry type, and by the type of personal information that is gathered.
An unaccounted-for drive is the low-hanging fruit in a data breach and could put you in violation of one or more of these state and federal regulations:
- California Consumer Privacy Act (CCPA)
- California Privacy Rights Act (CPRA)
- Health Insurance Portability and Accountability Act (HIPAA)
- Sarbanes-Oxley Act
- Fair and Accurate Credit Transactions Act (FACTA)
- Gramm-Leach-Bliley Act (GLBA)
- Bank Secrecy Act
- Patriot Act of 2002
- Identity Theft and Assumption Deterrence Act (ITADA)
- US Safe Harbor Provisions
- FDA Security Regulations (21 C.F.R. part 11)
- PCI Data Security Standard (PCI DSS)
See Guardian’s complete list of data destruction certifications and regulatory compliance.
Privacy protection by industry (two examples)
If you’re a hospital, medical practice or healthcare network doing business in California, your data privacy requirements include the CCPA, CPRA, HIPAA and PCI DSS, covering both credit card information and patients’ protected health information (PHI).
Data security and destruction for banks and financial institutions are regulated by the GLBA, which defines how to handle confidential information; the FTC’s FACTA, which outlines data disposition; and the PCI DSS, which dictates how long credit card information can be stored and how it is finally disposed of. Add in SOX, which regulates how domestic public companies and accounting firms (and more) handle financial information and financial reporting. And, for companies doing business in the EU, pay attention to the GDPR.
Industry experts at ERI, SHI, ASCDI, TES, Sipi and more told us how to make the most out of Data Privacy Day 2023.
Data sanitization is an essential component of data privacy compliance and protection
Adding to the complexity of “what to do” for data privacy, each regulation has its own set of similar but different rules and requirements for storing personal data and for the secure, compliant sanitization of that data. How to meet those requirements falls under the federal government’s NIST SP 800-88 R1, “Guidelines for Media Sanitization.”
This year, Data Privacy Day is on a Sunday. Whether it’s your day of rest or a day of deep thought, it’s the right opportunity to:
- become familiar with all regulations that apply to data stored by your business
- understand the value of your data (to someone else)
- define your commitment to protecting your clients’ and company’s privacy
- evaluate your data destruction processes
- account for every piece of equipment that houses your data, including personal devices, network devices, data centers, cloud storage, printers, cell phones, etc.
Talk to a data destruction expert
Overwhelmed? Don’t be. We’ve created a guide to the NIST 800-88 standard that includes a handy questionnaire designed to help companies like yours develop a robust end-of-life data privacy process. Download it here.
Or, give us a call. You don’t need to wait for Data Privacy Day 2024 or Data Privacy Week. For almost twenty years, Guardian Data Destruction has worked with VARs, ITADs, MSPs and resellers to provide best-in-class data destruction services to protect companies all over the world.
(Already thinking about how to spread the data privacy word? Our next blog will focus on how to celebrate Data Privacy Day. Snowpants not required.)