The term “data compliance” might seem harmless enough at first. Just manage and protect your data, and you’ll be fine, right?
But then you start to think about just how much data your business handles. Where does all that data come from, and who else has access to it? How can you ensure that all that data is accurate, complete, and protected? What will happen to you—and your business—if you mess something up and accidentally use tainted data? Or if you break regulations—internal or external—and fail to protect someone’s private data?
It’s enough to keep those small-business leaders who are responsible for maintaining and protecting sensitive customer and client data up at night.
We want you to get a good night of sleep, so in this article we’ll attempt to take some of the mystery—and fear—out of data compliance, and give you a checklist of steps to make sure your business stays on the right side of regulations.
Data compliance is the practice of ensuring that protected data is managed in a way that adheres to both internal (processes and best practices) and external (legal regulations and standards) rules and guidelines. It can also be referred to as data governance, data security, and data privacy compliance.
Protected data is a blanket term that refers to any data that could be used to identify individuals and/or is protected under data protection laws and privacy regulations (more on that below). Examples of protected data include social security numbers, email addresses, banking and financial information, and health records. Protected data is also sometimes referred to as personally identifiable information, or PII.
Repercussions for knowingly or negligently violating data protection rules and regulations often include termination, fines and penalties, and other legal ramifications including prison.
But being data compliant is also just good business. If you fail to protect your customers’ data, you are breaking not only the law in some cases, but also a contract of trust with your customers.
So how can you make sure that this doesn’t happen?
You can’t protect what you can’t see, so the first step for ensuring data compliance is to make sure that you are aware of all the data that your business is responsible for and keep that dataset to a manageable size. Here are a few examples of protected data by industry:
Medical: Patient health records
Retail and eCommerce: Credit card information
Sales and marketing: Customer contact info, such as home and email addresses
Financial services: Banking information
Next, you need to be aware of all of the external data regulations that might apply to your business.
These regulations vary depending on which industry you are in and where you do business, so rather than attempting an exhaustive list, here are some of the regulations you may need to be aware of, including Europe’s General Data Protection Regulation and the California Consumer Privacy Act.
While these data protection laws may seem scattered and confusing, the European Union’s General Data Protection Regulation (GDPR) is probably the closest thing we have to an objective, comprehensive data regulation source of truth. The European Union calls it “the toughest privacy and security law in the world.” With that in mind, if you model your small-business data compliance guidelines after the GDPR, you shouldn’t have to worry about government regulators knocking at your door, whether you do business in Europe or anywhere else in the world.
Here’s a checklist of the seven key GDPR principles to help ensure data security:
Lawfulness, fairness, and transparency: This principle may seem a little vague, but it’s meant as a catch-all. This principle can be summed up with two questions: Do you have permission to use the data you’re using, and are you using it fairly (i.e., not selling it to others without permission)?
Purpose limitation: Even if you have permission to use someone’s personal data, that permission has boundaries, and you’re obligated to respect those boundaries. For example, if someone grants you permission to use their data for market research, you can’t just go out and publish their data on the internet. If you decide to use data for a different purpose, you need to get renewed permission.
Data minimization: The data you collect should be limited to what you need for the purposes disclosed upon collection. For example, you can’t collect a list of residential addresses for a catalog mailing list and then start sending them your email newsletter without their permission.
Accuracy: When you’re collecting someone’s personal information, you’re obligated to protect the integrity of that information. It’s on you as a data steward to conduct periodic data audits to make sure personal data is updated and free of typos.
Storage limitation: When someone gives you permission to use their data, it’s not a lifetime agreement. Establish a standard time limit for personal data you collect (one year or five years, for example), and then either delete or renew permission for that data when the time comes.
Integrity and confidentiality: This is a big one, and it means that you—as a data owner—are responsible for protecting data not only from accidental internal leaks, but also malicious, external threats. This is where cybersecurity software is a must-have. If you do suffer a malicious data breach, you’re responsible for informing individuals whose data may have been compromised.
Accountability: The GDPR calls for businesses to not only protect sensitive data, but also to keep records of how they’re protecting that data. GDPR regulators have been known to ask for this proof during audits, so be ready to provide evidence of the measures you’ve taken to uphold these principles.
The more data you have, the more involved your data compliance efforts will become. When you’re just starting out and have 50 email addresses for your newsletter distribution, you can probably handle data compliance on your own. But as your data analytics efforts grow, you’ll need your data compliance efforts to grow accordingly. Here are three tips for scaling data compliance as your organization grows.
Start with the overarching GDPR principle. Data compliance guidelines vary based on industry, the region you do business in, and even the type of data you’re collecting (medical, financial, etc.). Follow the main GDPR principle outlined above: Do you have consent to use personal information? Are you using this data fairly? Follow these guidelines, and you should be protected in almost any situation.
Assign or hire a data protection officer. As your business grows, the data you’re responsible for will likely become too much for someone to keep an eye on as a side duty. You’ll eventually need to assign a full-time data protection officer, or hire someone to oversee data management.
Adopt cybersecurity software. Protecting your business and the customer data you’re responsible for from external cyber threats can keep you up at night. But good cybersecurity software can take a lot of that responsibility off your plate and give you the peace of mind that your data is in good hands.
Data is a technological medium and calls for technological tools to handle and protect it properly. These tools will not only make things easier on you as a business leader, but will also make your data compliance efforts as effective as possible.
Here are a few of our top software categories for data protection to browse through:
Data governance software helps businesses identify sensitive data and clean large datasets.
Compliance software helps businesses protect their data and ensure compliance with industry-specific rules and regulations.
GDPR compliance software helps businesses protect sensitive data and adhere to GDPR regulations specifically.
This document, while intended to inform our clients about the current data privacy and security challenges experienced by IT companies in the U.S. marketplace, is in no way intended to provide legal advice or to endorse a specific course of action. For advice on your specific situation, consult your legal counsel.