What to Consider When Adding Privacy Regulations to Your Assessments

In a recent survey by Cisco, 84% of respondents indicated they care about data privacy—their own data, the data of others, and the desire for more control over how that data is used. However, as reported from the first blog in our privacy series, another study found only 6% of Americans understand what happens with data once it’s collected. 

The discrepancy between these statistics highlights an important need to provide education around privacy regulations and best practices. This blog post, which is the second installment within our privacy series, will explain in more detail how privacy is differentiated and what options you have when adding privacy to your organization’s assessments. 

Security Versus Privacy 

What is privacy, exactly? While the answer might seem simple, there are differentiating factors that make privacy its own unique concept in cybersecurity. 

“People often think privacy and security are the same. While they are closely related, they mean different things,” said Swathi West, manager of healthcare compliance at BARR Advisory. 

While both relate to the protection of data, security and privacy are reflected differently in assessments. Let’s take a look a closer look:

• Security is protection from, or resilience against, potential harm caused by others. It refers to how your data is protected. 
• Privacy, on the other hand, is the state or condition of being free from observation or disturbances by other people. In other words, you have control over your personal information and how it’s used. 

The Health Insurance Portability and Accountability Act (HIPAA) reflects the difference between privacy and security. The HIPAA Security Rule applies to health plans, healthcare clearinghouses, and to any healthcare provider who transmits health information in electronic form. This rule only applies to electronic protected health information or (ePHI) that is stored on a computer, in the cloud, or transmitted over the internet and then downloaded onto a local drive or USB.

However, the HIPAA Privacy Rule applies not only to health plans, healthcare clearinghouses, but also to any healthcare provider who transmits health information. The Privacy Rule covers protected health information of a patient in general, not just electronic, but also in paper and other forms. 

Understanding Privacy Assessments 

There are a number of assessments with mappings that help organizations comply with privacy regulations. Some of these assessments vary by industry and are better suited for financial and healthcare industries who have much more specific privacy regulations. For example, a healthcare organization may choose to obtain a HITRUST certification to demonstrate their compliance with HIPAA.

West indicated that, “For the majority of organizations, ISO is a great choice to comply with privacy regulations. ISO 27701 is the latest standard in the ISO 27000 series and specifically addresses what an organization must do when implementing a privacy information management system, essentially adding privacy processing controls to an already existing standard for information security.” 

BARR can perform a number of different risk assessments that adhere to the privacy standards of various industries, including:

• HITRUST
• HIPAA Assessments 
• Microsoft Data Protection Requirements (DPR)
• ISO 27001

Another notable certification is the Asia-Pacific Economic Cooperation (APEC) Certification, which has designed the APEC Privacy framework to provide an accountable approach to managing data privacy protection and the flow of personal information across borders. 

Adding Privacy Criteria for SOC 2 Audits 

It’s possible to include the privacy criteria into a SOC 2 audit. As part of the AICPA’s Trust Service Criteria (TSC), privacy incorporates eight categories into its requirements, including:

• Notice
• Choice and Consent
• Collection
• Use, Retention, and Disposal
• Access
• Disclosure and Notification
• Quality
• Monitoring and Enforcement

Each of these categories helps to provide your customers and partners with confidence that their personal data is protected with your organization. 

General Data Protection Regulation (GDPR) Compliance

The GDPR is the most thorough privacy regulation that exists in the world today. Its function is to protect the fundamental rights and freedoms of individuals residing in the European Union (EU), particularly their right to protection of their personal data. 

“There is not one framework that specifically addresses the GDPR, which can make compliance seem tricky,” said West. However, BARR offers two types of assessments that help you approach GDPR compliance:

• ISO 27000 series 
• Microsoft (DPR) 

As mentioned before, ISO is a popular option which includes a global framework of controls which can help you get close to compliance with the GDPR. The Microsoft DPR also have a number of privacy components that can closely address GDPR certification. 

Choosing the Right Framework 

There’s no one-size-fits-all recommendation when it comes to choosing a framework to fit your organization’s privacy practice. Different frameworks may work better for different organizations based on individual needs.

“The best thing an organization can do as they are getting started is pick one framework and stick with it. When organizations try to meet every framework, it becomes complicated, especially for an early stage company,” said West. 

National and International Privacy Regulation

Any privacy assessment will examine your organization’s privacy protection policies and procedures—including what information you’re collecting, where it is stored, and how it is managed. First, it’s important to speak with your operations and legal teams to understand what regulations you may need to comply with depending on where you do business.

For example, if you are collecting and processing personal information of individuals who live in the EU, you have to comply with GDPR. If your business serves California residents and meets one or more of the three requirements spelled out in the California Consumer Privacy Act, you’re required to comply with CCPA. 

More states are following in California’s footsteps. Nevada has already enacted state data privacy laws similar to the GDPR. New York, Florida, and many other states are not far behind, and moving forward, the federal government is proposing legislation for national data privacy protections in the U.S.

West added, “Even if you are not collecting or processing personal information of individuals in the EU, California, or other states and countries with similar data privacy laws, it is always important to understand what plans will be in place for the future so you can be as prepared as possible.”

BARR is here to help answer your questions regarding privacy regulations and compliance frameworks to help achieve your compliance needs. Contact us today for a free consultation.