Compliance can be a complex issue for small businesses. Depending on where you're located and where you do business, there are a host of laws, regulations, standards, and ethical practices that may apply. In today's digital age, working towards and maintaining compliance actually helps improve your data management and lower risks.
As many companies shifted to remote work during the pandemic, cyber incidents increased. According to the International Criminal Police Organization (Interpol), an intergovernmental organization of 194 member countries, businesses deployed remote systems and networks to support working from home, and criminals took advantage of increased security vulnerabilities to steal data and cause disruption.
In one four-month period (January to April 2020), about 907,000 spam messages, 737 incidents related to malware, and 48,000 malicious URLs – all related to COVID-19 – were detected by one of Interpol's private sector partners.
The stakes have never been higher to ensure data compliance, regardless of company size.
According to the Federal Trade Commission (FTC), if sensitive data (Social Security numbers, credit card, or other account data -- anything that identifies customers or employees) falls into the wrong hands, it can lead to fraud, identity theft, or similar crimes. Given the cost of a security breach—losing your customers' trust and perhaps even defending yourself against a lawsuit—ensuring compliance with all relevant regulations will probably save money in the long run.
It's the law
In the United States, there is no overarching federal law governing security and privacy, but there are many rules that apply to specific industries and media, such as telecommunications, healthcare, and marketing. On the state level, the LegiScan database reveals that hundreds of bills addressing privacy, cybersecurity, and data breaches are pending across the 50 states, territories, and the District of Columbia.
The most comprehensive piece of state-level legislation across these often-intertwined categories is the sweeping California Consumer Privacy Act (CCPA), enacted and signed into law on June 28, 2018. In November 2020, California voters approved the California Privacy Rights Act (CPRA), which creates a new consumer privacy agency. These state laws are modeled after the European Union's General Data Protection Regulation (GDPR), which was introduced by the European Union in 2018.
The GDPR was designed to give EU citizens more control over their personal data, and it aimed to simplify the regulatory environment for businesses, so both citizens and commercial entities in the European Union can fully benefit from the digital economy.
GDPR establishes one law across the continent and a single set of rules that apply to companies doing business within EU member states. This means the reach of the legislation extends further than the borders of Europe itself, as international organizations that conduct activity on 'European soil' still need to comply. Sending emails to a company or a person in the EU, or taking an EU citizen's credit card details or any other personal data, places your business within the scope of the GDPR.
How to get started
In the United States, the FTC has provided five principles to help keep your data safe and help achieve compliance:
Take stock: Know what personal information you have in your files and on your computers.
Scale down: Keep only what you need for your business.
Lock it: Protect the information that you keep and ensure that it's only accessible by needed personnel for specific purposes.
Toss it: Ensure that any data that you no longer need is disposed of properly.
Plan ahead: Create a plan to respond to security incidents.
Getting expert advice from a solution provider such as Dell Technologies can help guide you to an appropriate data protection plan based on the regulations to which your company may be subject. The deadline for compliance is now!