cyBARR Chats Privacy Series Episode 3: Industry Specific Privacy

By August 17, 2022Data Privacy, Videos

In this cyBARR Chat, Healthcare and Privacy Manager Swathi West discusses how privacy regulations vary by industry. Learn more about how companies in healthcare, education, and finance can comply with relevant privacy requirements.


[00:00:00] Claire McKenna: Hello everyone. And welcome to our next installment of our special Cy BARR chat series. Focused on privacy. In our previous chats, we discussed privacy regulations and how to add privacy into your risk assessment. Today, we delve even deeper into industry specific privacy and we’re joined by swath west healthcare and PR privacy manager here at BARR to explain how privacy differs in various industries.

So Swathi welcome. Let’s get started. Why do different industries have different privacy regulations and requirements? And why is this necessary? When we already have broader compliance regulations, like the CCPA and GDPR. 

[00:00:42] Swathi West: Great question, Claire. I think, you know, people have gotten familiar with some of the biggest privacy regulations, like you mentioned, can be the GDPR, the CCPA, and we, we even discussed these, um, in deep, in last previous chats in recent years, you know, when you think about GDPR or a CCPA, uh, people just, you know, just think about Facebook or social media companies, because you always see that in the news.

However, these frameworks are not just applicable to social media companies or, um, you know, or Facebook, if you will, they apply to data agencies or even third party data suppliers. Today. We’ve seen several data agencies collect and sell millions of our, our data, personal data, and even their consumer data every day.

So it is important to keep in mind that. These laws are applicable to industries based on the type of data and the amount of data that organizations may collect process or store. So, you know, back to your question on why different industries. Have to abide by different privacy regulations and why not use the broad compliance frameworks, which are already out there like, you know, CCPA or GDPR goes back to the type of business you are in and the type of data the organization is collecting, whether it might be, you know, personally identifiable information to your name, email SSN.

A protected health information, anything to do with your medical records and even financial information have write your tax, um, information and things like that. It, it even goes back to, you know, we always talk about the data, but I think the biggest thing with privacy to think about it, it also goes back to the geographical locations because these laws are, um, you know, depending on the country, for example, United States, depending on the type of data you are collecting, or even depending on the state you’re residing on, for example, California, in this case, you have to comply with CCPA and.

And depending on the industrial or the organization you are in, um, for example, FERPA, right? The family education rights and privacy act for educational institutions and gram, um, Gramly bla act for GBA. So it depends on the data. It goes back to the data side and also where you’re reciting. And if you consider European union, You know, which includes the Belgium, Germany, France, Italy, all the, um, every, you know, everything that’s in that European union, you have to comply with GDPR and we have the new Brussels general.

I mean, it’s not new anymore, but, um, the Brussels general data protection law LPA that that’s in effect from 2018. Um, and you have, um, if you are collecting Australian resident information, you have, um, Australia’s privacy principle, a P and then there’s one for Canada. Now, you know, the list goes on for China, Japan, and India.

So. Unfortunately complying with privacy. Can’t be like a one size fits all. It is very important to understand that type, the type of privacy regulation that is best suited for your industry, that specific industry you are in, or even the type of business you are in. So, um, you, again, to adjust your question, we can’t just use the GDPR or CCPA.

We just need something more specific that addresses the type of business you are in and also the location you. 

[00:04:03] Claire McKenna: Got it. Thank you for such a comprehensive answer. So you already started to mention this a little bit, but which industries have the strictest data privacy compliance regulations. 

[00:04:16] Swathi West: Good question.

Um, I can’t. I mean, we can, you know, we can go back to the stats and data for this one. Right. It depends on how expensive the type of data is. And, uh, we know from the data breaches that we’re seeing lately, the biggest thing is healthcare, right? So the top three, at least from what we’re seeing today, um, in the world would be healthcare, finance and even education.

Um, so for example, healthcare, right? Um, you can imagine like healthcare companies have a lot of sensitive data. Only they have personal identifiable information, uh, with your SSNs or, um, you know, names and addresses, but they also have patient records. So, you know, they have a lot of protected health information and insurance information.

So any organization with protected health information is required to comply with the federal, um, HIPAA. and then, you know, which is again, health insurance, portability and accountability act. They have, you know, security and privacy. We we’ll dwell a little deep, um, in our future chats, but I would say healthcare is really important and they have to comply with, um, HIPAA, privacy act and same thing with finance.

You know, there’s so much data out there and if you. If you look at the stats, uh, recently financial institutions and financial services have seen, you know, seen an increase in the reported breaches over the past few years. You, it goes back to how. Freely or how available our financial information is. I mean, everyone uses, um, or most people uses turbo tax for finance taxes, right?

So, you know, things like that are never before our financial information is readily available out in the world. So to protect the consumer’s financial data in 1999, you know, us federal government imposed, uh, Graham leach, bla act, and this requires financial institutions, companies that offer consumers.

Financial products or services like loans or, um, investment advice or insurance to explain their information, sharing practices to their customers. Um, so in order to safeguard the sensitive data, right, and the financial regulatory agencies have to establish appropriate administrative technical and physical safeguards.

And in order, in order to keep this, uh, keep this sensitive, uh, data more secure. And be compliant with G O B a, the organizations also need to inform their customers how they share their sensitive data. And also let customers know that they have the right to opt out of sharing their data with third parties.

You know, we’ve seen this, um, choice to opt out in all the privacy acts and that’s the big part. So these, you know, financial organizations have to provide that opt out option. And, you know, let the customers know that they’re sharing their data with the third parties and, you know, that’s why this organizations have to have specific security plans in place if you’re in the financial industries.

And, um, you know, I touched a little bit about this educational education, a as well as the biggest industry, you know, have, uh, regulations. To it because especially in us or, you know, I’m from India. So even in India, you know, if you go to high school or college, you’ll be aware that, you know, we all aware that educational institutions have so much personal information about a student.

So keeping in this, this in mind, us federal government enacted a loss specific to educational institutions called the family educational rights and privacy act. And you know, this protects the student’s educational records. Applies to federally funded institutions. And like I said, this helps to keep their protect the student records and gives the parents an El, you know, or eligible students more control over their educational records.

And, um, rather than, you know, disclosing it public, it’s very protected. So. I would say that’s another industry that is highly regulated. Um, just to keep in mind that, although not in these specific industries, companies collect a lot of data, like data marketing agencies. So all these agencies, we we’ve discussed, uh, data agencies or anything that you do research and analytics lately.

So they all should be aware of how these regulations apply specific to them. So, yeah, the, these would be the top three that I can think. 

[00:08:34] Claire McKenna: Awesome. Thank you for that. I really appreciate you delving into all of those specific industries. I wanna touch on a little bit more of the last thing you just said.

Um, so discuss those three specific industries, but what about companies adjacent to those in industries? How do they determine whether those regulations might apply to them or. 

[00:08:56] Swathi West: The best way. I would say, you know, companies to just mind those regulations, whether they, you know, apply to them or not would be the data.

I know I’m, I’m probably repeating myself. Like I just understand what kind of data you have, for example, even if they’re not directly involved in healthcare industry, right. But they might process or store or transmit protected health information. They, they may need to comply with HIPAA. You know, there’s always this covered entity business associate that we talk about.

You know, you’re getting data from somewhere else, but, you know, are you signing in the BAAs or are you, do you have that requirement to keep the data that you’re getting secure? So things like that, asking those questions, um, important questions is very important to make sure you comply with them, even though you think you are not, you might.

So, you know, for that reasons, I always suggest partner with a privacy law expert or a consult with your own legal counsel to. Answers for all these questions and also even partner with, um, someone know who knows what the regulations are, that’s out there. Um, so they can help you understand what regulations apply directly to your organization.

Also goes back to the type of data you store. 

[00:10:08] Claire McKenna: Great. Thank you. I really like that you, uh, you know, gave that advice on partnering with an expert. So my last question for you today is what other advice do you have for businesses as they navigate industry specific regulations? 

[00:10:23] Swathi West: A great question, Claire, you know, goes, goes back to asking the right questions, right?

Like I said, in the last, um, last answer, you ha you should be able to asking the right questions. So that’s very important and I always. You know, just give a fun little answer for my clients because it’s just, it’s big. I mean, I don’t know everything about their business, but because you are, you are in the business, you’re doing those business.

So I always say, go back to asking the right questions on five W’s and how so? I always say that because you know, to start with, you have to understand who you are, so it can be the type of business you’re in the industrial you are in and, uh, you know, just understanding the customers you have. Right. So definitely.

Who are we like, what do we do? Right. And, um, the next question would be whose personal information you’re collecting. Um, so for example, it, it can be your, your own employees, right? Or it can be the students, the patients, or it can also be your consumers, your customers. So what, you know, who’s information you’re collecting today, that that’s very important to understand, um, Further what industries of what regulations help you.

And the next question would be, why are you even collecting this? You know, this can be for like a, like I mentioned, maybe for analytics purpose, or this is for your third party data agency, you’re selling this data or, um, you know, even, um, you’re collecting for some regulatory purposes or some legal reasons you have to collect a certain type of data.

Um, so that’s very important to understand why you’re collecting and. Fourth question is where are you collecting the data? Right. So we’ve seen, um, you know, all these, the Facebook and social media, going back to the first question, it can go back to the geo geographical location. It can go back to the state, can go back to a certain countries.

So where are you headquartered? And are you collecting personal information? Of us residents or UK or Brazil, India, Japan. I mean, we were talking about some laws that govern the specific countries too. So it’s always important to ask where are you collecting the data? And the fourth important question is how long are you storing this information?

This can go back to your, um, data retention requirements specific to your product or replication. Or even legal purposes, right? Uh, it can be, for example, HIPAA, you might have to store certain data for seven years. So things like that, understanding how long you have to store a type of information that you’re collecting is very important.

And after you answer all the questions about, and then the biggest question to ask is what type of industry specific regulations I need to be aware of, but to get to that, what type, um, you should be able to understand. You know, your industry, you are in the type of data you’re collecting why you’re collecting and where you’re collecting, where you’re storing and how long you’re storing that information for.

So addressing those questions will, you’ll get to what type of industry specific is required for you. And I know I gave, um, a fun answer, you know, asking the right questions is not always just gives you the ultimate answer on what type of industry specific regulations that requires. To you? Um, I would say, you know, more generate answer would be definitely, you know, work with your legal counsel.

Or trusted partners like BARR, so we can help you navigate through these ever growing, um, state, federal country. I mean, industry specific regulations, right? Every, every state is, um, will be having a privacy law pretty soon in the next couple years. So, uh, we, we definitely have a head start on this one, so definitely, you know, work with, um, a trusted partner like BARR to so we can help you answer these question.

[00:13:56] Claire McKenna: Great. Thank you so much, Swathi. I really appreciated that five Ws and how answer love being able to simplify the process. Um, that was my last question. So thank you, swath for all of your insight. And we look forward to seeing everyone next time on cyBARR chats. Thank you.