Updated: Jan 13, 2021
I trust that this article on data privacy laws in the US will find its way to business executives who are ready for a radical transformation in risk and compliance, and to those who want to build a relationship of trust with their customers and employees.
The article in its present form grew out of the questions most frequently asked in our webinars, events and forums about data protection and privacy laws in the US. With some questions reproduced verbatim, it focuses on clearing up common misapprehensions about data privacy compliance across industries, on basic end-to-end solutions, and on the General Data Protection Regulation (GDPR).
Please tell us about the nature and stringency of data privacy regulations in the US.
Unlike the EU's General Data Protection Regulation (GDPR), data protection and privacy law in the US is not a single comprehensive statute. It is a patchwork of sector-specific federal laws and state laws. Those laws govern the processing of personal data and rest on principles that resemble the GDPR's: transparency, a lawful basis for processing, purpose limitation, and limits on how long data is retained.
If data privacy laws in the US are not consolidated, which are the important regulations businesses must know about? Also tell us how they impact various industries.
When it comes to how these laws shape the commercial landscape, the dangers and rewards for a business depend on a contextual understanding of the risks of non-compliance. A few laws play a key role in the risk management portfolios of most businesses. We describe them briefly here to show how data privacy laws affect different industries.
Gramm-Leach-Bliley Act (GLBA) – The GLBA, also known as the Financial Services Modernization Act of 1999, is a federal law that requires financial institutions offering consumer financial products or services to protect the security and confidentiality of their customers' nonpublic personal information. For instance, the GLBA restricts how insurance companies and other financial institutions may use or disclose customer information, and requires them to tell customers about their information-sharing practices.
The Health Insurance Portability and Accountability Act (HIPAA) – HIPAA, enforced by the US Department of Health and Human Services' Office for Civil Rights, governs the confidentiality, integrity and availability of protected health information (PHI) held by healthcare providers, health plans and clearinghouses, and by their business associates.
The Fair and Accurate Credit Transactions Act (FACTA) – FACTA applies most directly to the financial services industry, though it reaches any business that uses consumer report information. Its Disposal Rule limits how long such data is kept in practice by requiring that it be properly destroyed once it is no longer needed for its original purpose.
The Electronic Communications Privacy Act (ECPA) and the Computer Fraud and Abuse Act (CFAA) regulate the interception of electronic communications and unauthorized access to, or tampering with, computers, as noted by Thomson Reuters. These two laws are not industry specific: any company in the US that builds or operates digital infrastructure, or handles electronic communications, is subject to them.
While these are the most commonly applied data protection and privacy laws in the US, businesses also follow a number of self-regulatory guidelines as principles of data privacy, depending on where they operate and the nature of the data they handle. We will return to these when we discuss compliance solutions.
We understand we need to comply with these data protection and privacy regulations in order to do business in the US. Then what’s the best, cost effective way to comply with these regulations?
Compliance with data privacy laws in the US is a keystone of trust and transparency between businesses and consumers. Many businesses have difficulty recognizing where they fall short because they treat a fixed set of procedures as the whole of compliance. Such businesses are not set up to adapt. Simply confirming that internal processes were followed does not, by itself, earn a business any reputation for compliance. Businesses must adopt a holistic, rigorous approach to compliance with data privacy laws in the US.
To begin with, businesses should recognize that compliance is an opportunity to earn their customers' trust in this digital age. This is a cultural change, one that shapes mindsets. Once that belief is instilled, they should proactively take the following steps to ensure compliance with data privacy laws in the US.
Conduct a preliminary internal privacy audit, irrespective of which laws apply to the industry or geographic region.
Find the gaps and close them by tightening internal controls on data processing.
After this step, a company has moved from an effective position to an efficient one for initiating compliance operations. The business now needs an industry-specific approach that identifies granular categories of data:
Data categorized by the source from which it was collected
Records of the associated customer/user consent, together with the purpose of collection
The lifecycle of the data and records of each use or transaction
Now that you have synthesized an enterprise-wide view of your data, it is time to define data transferability and data erasure projections for the structure above: for each category, where the data may legitimately move and when it must be deleted. The data estate should be aligned to clear business objectives. In doing so, a business draws a clear picture of its governance framework, architecture and data life cycle.
As an example, an organization in the healthcare industry should understand HIPAA and secure its adoption of electronic health records. Basically, the healthcare firm should be aware of every digital channel that carries health data, including email, cloud transfers, data storage devices and employee exposure to data fragments. This step helps the firm comply with HIPAA by ensuring that the confidentiality, integrity and availability of all protected health information is maintained.
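As an added illustration (example code written for this edit, not taken from the original article or from any product it mentions), the three data categories and the erasure projection described above can be modeled as a small data inventory. All asset names, systems, dates, purposes and retention periods below are constructed assumptions. The logic flags records that are past their retention period or whose consent has been withdrawn, and flags recorded uses that fall outside the consented purpose; it assumes, for simplicity, that consent is the only lawful basis for processing.

```python
"""Data inventory modeled on the categories in the text: source of
collection, consent record with purpose, and data lifecycle.
All records below are constructed sample data, not real assets."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass(frozen=True)
class ConsentRecord:
    subject_group: str            # whose consent this record covers
    purposes: frozenset[str]      # purposes the users agreed to
    granted_on: date
    withdrawn_on: date | None = None


@dataclass
class DataAsset:
    name: str
    source: str                   # category 1: where the data was collected
    system: str                   # where the data currently lives
    fields: tuple[str, ...]
    collected_on: date
    retention_days: int           # category 3: agreed lifecycle
    consent: ConsentRecord        # category 2: consent and purpose
    uses: list[tuple[date, str]] = field(default_factory=list)  # (when, purpose)

    def erasure_due(self) -> date:
        """Erasure projection: end of the retention period, or the day
        consent was withdrawn, whichever comes first (assumes consent is
        the only lawful basis, a simplification for this example)."""
        due = self.collected_on + timedelta(days=self.retention_days)
        if self.consent.withdrawn_on is not None:
            due = min(due, self.consent.withdrawn_on)
        return due


def overdue_for_erasure(assets: list[DataAsset], today: date) -> list[str]:
    """Names of assets whose erasure date has already passed."""
    return [a.name for a in assets if a.erasure_due() <= today]


def purpose_violations(assets: list[DataAsset]) -> list[tuple[str, date, str]]:
    """Uses outside the consented purposes or after consent was withdrawn."""
    found = []
    for a in assets:
        for when, purpose in a.uses:
            after_withdrawal = (a.consent.withdrawn_on is not None
                                and when >= a.consent.withdrawn_on)
            if purpose not in a.consent.purposes or after_withdrawal:
                found.append((a.name, when, purpose))
    return found


def inventory_by_source(assets: list[DataAsset]) -> dict[str, list[str]]:
    """Category 1 view: which assets came from which collection source."""
    groups: dict[str, list[str]] = {}
    for a in assets:
        groups.setdefault(a.source, []).append(a.name)
    return groups


# Constructed sample inventory (hypothetical systems, dates and purposes).
SAMPLE_ASSETS = [
    DataAsset("crm_contacts", "web_signup_form", "crm", ("name", "email"),
              date(2020, 6, 1), 365,
              ConsentRecord("customers", frozenset({"service_delivery", "marketing"}),
                            date(2020, 6, 1)),
              uses=[(date(2020, 7, 1), "marketing")]),
    DataAsset("support_tickets", "support_portal", "helpdesk", ("email", "ticket_body"),
              date(2019, 12, 1), 365,
              ConsentRecord("customers", frozenset({"service_delivery"}),
                            date(2019, 12, 1)),
              uses=[(date(2020, 2, 1), "analytics")]),          # outside purpose
    DataAsset("newsletter_list", "partner_feed", "mail_tool", ("email",),
              date(2020, 1, 15), 730,
              ConsentRecord("subscribers", frozenset({"marketing"}),
                            date(2020, 1, 15), withdrawn_on=date(2020, 9, 1)),
              uses=[(date(2020, 10, 1), "marketing")]),         # after withdrawal
]
AS_OF = date(2021, 1, 13)   # review date used for the projection


if __name__ == "__main__":
    print("by source:", inventory_by_source(SAMPLE_ASSETS))
    for asset in SAMPLE_ASSETS:
        print(f"{asset.name}: erase by {asset.erasure_due()}")
    print("overdue:", overdue_for_erasure(SAMPLE_ASSETS, AS_OF))
    print("violations:", purpose_violations(SAMPLE_ASSETS))
```

Run as a script it reports that the support tickets passed their one-year retention on 2020-11-30 and that the newsletter list should have been erased on the day consent was withdrawn, and it lists the analytics use of support data and the post-withdrawal marketing use as purpose violations. In a real program the retention periods and lawful bases would come from the governance framework rather than being hard-coded, and the inventory would be fed from system scans rather than typed in.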
You mentioned the data privacy of internal digital communications. Please take email as an example, and tell us how compliance can be strengthened by regulating email data.
Email is one of the most widely used communication modes within businesses and corporate houses. Much consumer and employee data is stored in or transferred by email, which means companies must manage email backups and archives with rigor. Now that GDPR is in effect, enterprises must be able to locate and retrieve personal data held in email promptly, for example to answer a data subject's access or erasure request. A good email archival tool will take account of integration with the email client, eDiscovery strength and storage security. This is more than a compliance solution; it is an approach that deals with validating data sources, email being one example.
You mentioned GDPR. It has been in the headlines since it took effect on 25 May 2018. Please tell us more about how GDPR affects business operations in the US.
The GDPR strengthens data protection for individuals in the EU, wherever their data is held. If you process the personal data of people in the EU, whether by offering them goods or services or by monitoring their behavior, you must comply with the regulation regardless of where in the world your business is located.
GDPR is industry agnostic, but some industries are affected more than others. If your business serves individual consumers (financial services, insurance, retail and healthcare, for instance), you will need to take significant steps, as you are likely to be profiling or monitoring personal behavior.
If your business instead serves other businesses, through business process or system support services, you typically act as a processor rather than a controller. Your obligations are narrower than the service receiver's, but they are not negligible: GDPR imposes direct duties on processors and requires a contract between controller and processor. In such industries, the onus for protecting user data falls heavily on cloud services, platform services, SaaS, analytics and marketing firms. Now that we know how GDPR affects the flow of data, let's move on to how to plan for compliance.
The most basic GDPR audit function rests on the following two fundamentals:
The location of personal data, tracked in near real time
Data breach notification, exercised through testing, so that a breach can be reported to the supervisory authority within the 72-hour window the regulation sets
The data associated with each stream of a business is unique, and requires a tailored breakdown of compliance tasks.
Based on the revised IT infrastructure plan, a business can then lay down a company-wide data policy framework for meeting GDPR requirements. This can be done at the organization or business function level as follows.
Define processes to automate the collection, aggregation and reporting of user data
Identify personal data and the user consent attached to it
Identify information security requirements and evaluate the available tools and assets
Once these actions are in place, the business has a fully compliant approach to reporting to GDPR regulators. However, continuous auditing now needs to be on the horizon. Beyond avoiding heavy penalties, legal ramifications and serious repercussions, businesses that comply with the GDPR can pursue a broader vision: becoming trusted data scouts for their alliances.
Now what? Am I already late to initiate my risk and compliance assessment process for the data privacy laws in the US?
Not exactly. If regulators haven't yet probed into your data bookkeeping, you are in a healthy position to streamline your compliance program as a business operating in the US. Nothing hasty, but strategic.
First, businesses should set up breach notification by executing a test of their data breach response procedure. For example, businesses in the healthcare industry can adopt an email archiving solution that meets HIPAA's requirements, satisfying the administrative and technical safeguards of the Security Rule. Other industries can similarly take a proactive step by indexing email content, metadata and attachments, with strict controls over who can access which email data in the archive.
Second, businesses must evaluate third-party risk by bringing privacy risk into vendor reviews through updated agreements and contracts.
Finally, businesses can establish a robust function aligned to these data privacy laws in the US. For instance, organizations can assign accountabilities and responsibilities to business units according to their exposure to data. If your business fails to comply with data privacy laws in the US, hefty penalties follow.
What are your views on these data protection and privacy laws helping businesses in the US build a relationship of trust with their customers?
Today, transparency about customer data matters as much as the data warehouse itself. If your customer intelligence is robust, you need to be equally strong in trust and integrity. Data privacy laws in the US are an opportunity for businesses to build trust among customers and employees. If you aspire to be a data scout in your industry, you should be able to identify key metrics of data transparency and share your data protection levels with customers and industry peers.
When you are compliant with data privacy laws, your users are well informed. If you are visibly becoming a data steward, you reap the value of customer data accessibility and of new uses for the data you hold. Compliance with data privacy laws in the US should become a business imperative, expressed as a cultural narrative of data protection.