Regulations that protect people’s privacy and data rights are becoming more common — and so are the myths about complying with them. Here are four myths debunked.
The General Data Protection Regulation (GDPR) protects the data privacy rights of European Union citizens, while the California Consumer Privacy Act (CCPA) gives California residents more control over their personal data. Similarly, the Health Insurance Portability and Accountability Act (HIPAA) safeguards the medical information of US citizens.
As more businesses try to adhere to these comprehensive policies, more myths about complying with them keep surfacing. Here are four of those myths debunked:
Size does not matter when it comes to complying with most data privacy regulations. For example, regardless of their size, all US healthcare providers, healthcare clearinghouses, and health plan providers must comply with HIPAA. Not surprisingly, health plan providers include health insurance carriers, health maintenance organizations, and government agencies that pay for healthcare (e.g., Medicare). But what people might not realize is that companies in other industries are also included. Any US company that offers but does not administer a healthcare plan to 50 or more employees is considered a health plan provider and thus must comply with HIPAA.
Size does not matter with GDPR, either. All companies that process or hold the personal data of EU citizens must comply with GDPR. However, businesses with under 250 employees have fewer requirements to meet when documenting their data processing activities. This stipulation is likely leading to the misguided belief that small companies do not have to comply with GDPR.
Another factor leading to confusion is that some data privacy laws use factors other than number of employees to determine which organizations need to comply. For example, businesses must comply with CCPA if they conduct business in California and meet at least one of these criteria:
So, most small and mid-sized companies that do business in California do not need to comply with CCPA. However, there are exceptions. For instance, a data broker that primarily sells consumers’ personal data would need to, even if it has only a few employees.
Cloud computing is now the norm in companies worldwide, but there is a common misconception among them concerning data privacy laws. Many companies think that cloud service providers are responsible for making sure their data is being handled in a way that is compliant with applicable data privacy regulations. This is wishful thinking.
Company accountability is a key factor in GDPR. It is the business’s responsibility to “ensure enforcement of the privacy principles not only within its walls but also across suppliers with whom it might share the data and subcontractors that might process data on its behalf,” according to GDPR experts. Cloud service providers fall into the latter category.
Company accountability is also a key factor in HIPAA. Although cloud service providers and other types of business associates can come under fire for not properly protecting data while it is in their care, the company is ultimately held responsible for compliance, according to HIPAA experts.
If you ask people to give examples of personal data, they will likely list items such as a person’s name, address, and credit card numbers. However, personal data encompasses much more — and companies that simply assume they know what is considered personal data in a data privacy regulation could find themselves in noncompliance with it.
Unfortunately, there is no standard definition of personal data among the various data privacy laws in existence. Each regulation has its own definition.
For example, in HIPAA, the data that needs to be safeguarded is referred to as “protected health information (PHI)”. It is defined as:
“…information, including demographic data, that relates to:
and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual.”
So, PHI includes demographic information that can be used to identify individuals, such as their birthdates, phone numbers, email addresses, license plate numbers, and full-face photos. It also includes health-related data, such as admission and discharge dates, health records, health plan ID numbers, and billing information.
GDPR refers to the information that needs to be protected as simply “personal data”. It is defined as:
“… any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
The GDPR’s definition for “personal data” is more encompassing than HIPAA’s definition for PHI, which is to be expected given that GDPR has a broader scope than HIPAA. However, GDPR’s definition is also fairly vague, so it could be construed to include many different types of data. For instance, physical factors could be interpreted as physical characteristics (e.g., height, weight), while cultural factors could be construed as religious or political preferences.
The question to answer is: Can this particular piece of data be used to identity an individual by itself or in combination with other pieces of information? If the answer is “yes” or “possibly”, it is best to err on the side of caution and take measures to protect it.
It is true that failure to comply with data privacy regulations can result in hefty fines. For example, there are four categories of violations in HIPAA. The fine for a violation can be high as $50,000 per violation in each category, with a maximum penalty of $1.5 million per category per year. GDPR fines can also be substantial. The maximum fine is €20 million (around $22.5 million USD) or 4% of a company’s annual global turnover (whichever is greater).
While HIPAA and GDPR regulators have the authority to levy very large fines, they typically do so only for willful, serious violations. The purpose of the data privacy laws is to protect people’s privacy and data rights, not raise money.
In the case of GDPR, the regulators’ main goal is to educate and advise organizations on how to comply with the law. “We have always preferred the carrot to the stick,” according to UK Information Commissioner Elizabeth Denham.