Data Protection and Privacy

The protection of personal data often refers to autonomy and control over one’s data. This level of autonomy and control varies depending on the context. In general, the definition of privacy differs from country to country, or state by state. Some companies are contemplating a strategy based on implementing the most stringent data privacy provisions and then applying them across the globe. However, that won’t work either, because some data privacy requirements are mutually exclusive. For example, while both GDPR and CCPA require companies to obtain consent before collecting personal data, the specifics differ. A common static user consent screen simply won’t work. Some of the new regulations prohibit excessive data collection. Companies can only collect personal data that is needed for the service or product they offer. Asking for a phone number or gender just to deliver an email newsletter or enable the download of a white paper is not allowed. This means businesses have to rethink and redesign their user experiences and eliminate all data fields on registration pages and other forms that could be considered excessive. In regions where there are no such restrictions, marketing teams might still want to collect additional data.

We provide services in domain; Privacy Compliance and our services include but we are not limited to:

• General Data Protection Regulation (GDPR)
• ISO 27701 PIMS
• California Consumer Privacy Act (CCPA)
• Brazilian General Data Protection Law (LGPD)
• Personal Information Protection and Electronic Documents Act (PIPEDA, Canada)
• Singapore Personal Data Protection Act (PDPA)
• Health Insurance Portability and Accountability Act (HIPAA)

The GDPR is the European Union’s General Data Protection Regulation. Its purpose is to “harmonize data privacy laws across Europe, to protect and empower all EU residents’ data privacy, and to reshape the way organizations across the region approach data privacy for EU residents wherever they work in the world.” It is a new set of rules designed to give EU citizens more control over their personal data. It aims to simplify the regulatory environment for business so both citizens and businesses in the European Union can fully benefit from the digital economy.

ISO/IEC 27701:2019 is a privacy extension to the international information security management standard, ISO/IEC 27001 (ISO/IEC 27701 Security techniques – Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management – Requirements and guidelines). ISO 27701 specifies the requirements for – and provides guidance for establishing, implementing, maintaining and continually improving – a PIMS (privacy information management system).
ISO 27701 is based on the requirements, control objectives and controls of ISO 27001, and includes a set of privacy-specific requirements, controls and control objectives.

The CCPA provides augmented consumer protection to California’s almost 40 million residents. The Act offers those living, working, and consuming in California additional rights surrounding the use and collection of their personal data. The Act dictates that businesses must not discriminate against, nor penalize, any consumer that actively uses their CCPA rights. This covers quality of service, pricing, monetary transactions, and more. The CCPA focuses on empowering California’s consumers with the autonomy to take charge of their personal data in an ever-growing digital economy.

Brazil’s General Data Protection Law (or LGPD) brings sorely needed clarification to the Brazilian legal framework. The LGPD attempts to unify the over 40 different statutes that currently govern personal data, both online and offline, by replacing certain regulations and supplementing others. This unification of previously disparate and oftentimes contradictory regulations is only one similarity it shares with the EU’s General Data Protection Regulation.

The Personal Information Protection and Electronic Documents Act (PIPEDA) is the federal privacy law for private-sector organizations in Canada. The act originally went into law on April 13, 2000 to foster trust in electronic commerce but has expanded since to include industries like banking, broadcasting, and the health sector. The purpose of the law – per legislation – is to “govern the collection, use and disclosure of personal information in a manner that recognizes the right of privacy of individuals with respect to their personal information and the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances.

The Personal Data Protection Act (PDPA) provides a baseline standard of protection for personal data in Singapore. It complements sector-specific legislative and regulatory frameworks such as the Banking Act and Insurance Act. It comprises various requirements governing the collection, use, disclosure and care of personal data in Singapore. It also provides for the establishment of a national Do Not Call (DNC) Registry. Individuals may register their Singapore telephone numbers with the DNC Registry to opt out of receiving unwanted telemarketing messages from organizations.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge. The US Department of Health and Human Services (HHS) issued the HIPAA Privacy Rule to implement the requirements of HIPAA. The HIPAA Security Rule protects a subset of information covered by the Privacy Rule.