It’s All Private!!!! – The Ready Reckoner


“Data is the new Oil” – an over-used quote in today’s times, but unfortunately a true one, and it resonates with the underlying philosophy of any information security implementation.

The push towards digitization across the globe means that various industries like retail, healthcare, F&B, etc. have moved a significant amount of their business and services online. This requires consumers to share their personal or sensitive data (e.g. Card Numbers, SSN Numbers, Health Records, Identification data, etc.) on these online channels. All this sensitive data attracts hackers and malicious users like bees to honey, since a database containing sensitive data sells for a lot of money on the darknet.

So, protecting and maintaining the privacy of this data becomes a primary responsibility of any organization. The industry refers to this responsibility by a single term: “Data Privacy”.

Considering the criticality and sensitivity of Data Privacy, governments across the world have provided guidelines to regulate the handling and protection of this data by the organizations under their respective jurisdictions. Following are some of the well-known privacy acts across the globe:

  • Philippines – Data Privacy Act of 2012
  • Singapore – Personal Data Protection Act 2012 (PDPA)
  • Europe – General Data Protection Regulation (GDPR)
  • UK – Data Protection Act
  • US – HIPAA
  • India – Personal Data Protection Bill 2019 (not a law yet)

In the US, along with HIPAA, state-wise privacy acts like the California Consumer Protection Act (CCPA), Nevada SB 220, the Massachusetts Data Protection Law, etc. are additionally imposed.

All these regulations are very extensive and require Subject Matter Experts like ControlCase to help navigate their implementation and maintenance. However, the following best practices can be used as a ready reckoner by any organization to start its journey of “Maintaining Data Privacy”.

  • Accept and store only the information that is mandatorily required for completing the respective business operation. Avoid collecting unnecessary additional personal information.
  • Ensure that the data privacy system’s architecture and implementation are finalized after engaging Subject Matter Experts to identify the best approach for the respective organization. The approach for each organization may vary based on the number of records, the extent of exposure, the likelihood of attacks, etc.
  • Ensure consumer consent is acquired prior to the storage of any personal or sensitive information.
  • Ensure procedures are in place to remove all the data of any consumer who chooses to exercise their “Right to Forget”.
  • Ensure that the site has a section that describes the control posture utilized and the regulations adhered to in protecting personal data, as a consumer assurance.
  • Run a company-wide data discovery scan to identify known and unknown locations where sensitive/personal data is stored.
  • Ensure encryption controls, with strong key management methods, are present for the transmission and storage of sensitive or personal information.
  • Follow security best practices like role-based access control, two-factor authentication to access production systems, IDS/IPS monitoring, system hardening and applying the latest patches, removing obsolete system components, etc.
  • Conduct annual third-party assessments/audits with SME audit companies like ControlCase to validate the data privacy and security posture of the organization against the applicable data privacy regulations and confirm its adherence.
  • In case of gaps or vulnerabilities, take assistance from the SMEs to come up with a Corrective Action Plan.
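The data discovery step above is easy to state and hard to do well: a scan that flags every 16-digit number floods the team with false positives, and a report that stores the full values it finds becomes a new location of sensitive data. The following is an added example (not ControlCase’s tool or code) of a minimal discovery scanner that finds card numbers only when they pass the Luhn check, finds US SSN-shaped values, and reports every finding masked. The function and variable names and the log excerpt are constructed for this illustration.

```python
import re

# Candidate card numbers: 13 to 19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US SSN shape AAA-GG-SSSS, rejecting area 000/666/9xx, group 00 and serial 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_valid(digits):
    """Return True if the digit string passes the Luhn mod-10 check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(value):
    """Keep only the last four characters so the findings report is not itself a data store."""
    return "*" * (len(value) - 4) + value[-4:]


def scan_text(source_name, text):
    """Scan one text source; return (source, line number, kind, masked value) per finding."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_valid(digits):      # drops order ids and other digit runs that fail Luhn
                findings.append((source_name, lineno, "PAN", mask(digits)))
        for m in SSN_RE.finditer(line):
            findings.append((source_name, lineno, "SSN", mask(m.group())))
    return findings


# Constructed sample: an application log with a test card number, a 16-digit order
# reference that is not a card number, and a made-up SSN.
SAMPLE_LOG = """2024-01-05 order=1001 card=4111 1111 1111 1111 status=ok
2024-01-05 order=1002 ref=1234567890123456 status=ok
2024-01-06 applicant ssn=123-45-6789 notes=none
"""

if __name__ == "__main__":
    for source, lineno, kind, value in scan_text("orders.log", SAMPLE_LOG):
        print(f"{source}:{lineno} {kind} {value}")
```

The second line of the sample is the case that matters: a 16-digit reference that fails the Luhn check is not reported, while the card number on line 1 and the SSN on line 3 are, with only their last four characters visible.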

The above basic implementations should be a top priority, as a breach resulting from non-adherence to the regulations would lead to:

  • Bad press and loss of reputation for the organization
  • Litigation
  • Heavy sanctions, potentially running to millions of dollars

So, start with the basics of our ready reckoner and engage with an SME to work on your Data Privacy Journey. Because, as our tagline says – “It’s All Private!!!!”

This concludes the first part of this series; please stay tuned for the next articles in the series, which will dissect Data Privacy further in plain English.

Ashish Kirtikar
ControlCase
General Manager - Europe & UK

