HIPAA. ADA. GDPR, and more.
You’ve probably seen headlines with these acronyms and others, focusing on companies that have been fined or sued for failure to comply. These stories are a reminder that making sure your company is educated about and in compliance with these regulations is a crucial step in risk management, both to keep regulatory agencies from pursuing your company and to keep customers from criticizing or even suing your organization.
That’s why we’re providing a primer on six acronyms that you must know as you do business digitally and pursue digital transformation in how your employees do their work and relate to customers. Of course, we are not attorneys, and this is not legal advice—it is a primer on some regulations we discuss internally as we work with our customers on digital disruption initiatives through software.
General Data Protection Regulation (GDPR) is one of the most impactful pieces of regulation passed in recent years. GDPR requires businesses to protect the personal data of users who are citizens of countries in the European Union. This regulation covers companies based in the European Union (EU) as well as any foreign company (e.g., U.S.-based companies) that does business within any country in the EU or with any citizen of an EU country.
GDPR was passed after public concern amongst EU member countries about their citizens’ lack of data security. GDPR is a comprehensive regulation that protects EU citizens’ data such as basic information (name, address, etc.), web data like IP addresses, political affiliation and more. It also gives people the right to request to be forgotten by any company. Companies that violate GDPR will pay a hefty price; for example, Google was fined $57 million for breaching GDPR in January 2019. This is why it’s important to practice human-centered software design (HCSD) by considering a user’s wants and needs when it comes to data privacy and security. If companies fail to empathize with the user’s perspective in all parts of software design, including data collection and storage, they run the risk of running afoul of GDPR.
The California Consumer Privacy Act (CCPA) is a stateside example of a government’s concern over user data. CCPA focuses more on data collection and privacy and is not as comprehensive as GDPR, but it gives Californians rights that include: knowing what personal information is being collected, knowing if their data is being sold, and having access to their personal information. Companies that are directly impacted by CCPA include companies generating over $25 million per year, companies that engage in data brokerage, and companies that earn the majority of their revenue from selling user data. Some actionable steps to avoid CCPA violations include using user data only as necessary, avoiding selling customer data, and being cautious with third-party data.
CCPA is scheduled to take effect in January 2020, and it is likely that the regulations will be amended before it takes effect. It’s vital for your company to keep up with this regulation and others, because it serves as a reminder that GDPR-esque regulation is coming quickly, and soon geographic limitations will likely no longer exist.
The Americans with Disabilities Act (ADA) is a federal civil rights law that was signed in 1990 to prevent discrimination based on disability. The ADA is an extremely important regulation because compliance with it is required by law for all companies. There were nearly 5,000 lawsuits filed in the first 6 months of 2018 alleging ADA violations on business websites.
ADA compliance entails having a website that can be accessed by disabled individuals, videos that can have closed captioning enabled, and many other factors. While there are best practices for accessibility, and tests for accessibility, there is actually no single standard that your business can use to guarantee compliance. While using these tools doesn’t guarantee you won’t be sued, they will help your business show attention to compliance instead of negligence.
Again, a user-centered approach to website design, mobile app design, or web app design makes a big difference here. Considering how visually impaired, hearing-impaired, and color-blind people, or people who have other disabilities, will interact with your business digitally is an important step toward not just compliance but ultimately to serving all of your customers well.
The Financial Industry Regulatory Authority (FINRA) is a non-profit organization that was authorized by the U.S. Congress to protect American investors by regulating the broker-dealer industry. What sets FINRA apart from all the other acronyms covered in this post is that FINRA is an organization that enforces compliance directly. This can be in the form of fines, lawsuits, or any other appropriate action. FINRA helps ensure America’s financial markets are fair by writing and enforcing all rules governing broker-dealer firms and transactions; FINRA provides investors with basic rights, oversees all securities testing and approval, monitors equity markets and detects fraud. If your business operates in the financial services industry or is adjacent to it, you need to make FINRA compliance a core digital competency for your company.
The Payment Card Industry (PCI) is the part of the financial industry that regulates all forms of electronic payment. It is vital for all companies that accept payments online to be PCI compliant. Amongst the PCI regulations, the Payment Card Industry Data Security Standard (PCI DSS) is one of the most prevalent, and it applies to all businesses accepting electronic payments. It was passed to ensure several safety standards for both consumers and companies. For consumers, it protects cardholder data by requiring that stored data is protected and that cardholder data is encrypted when transmitted across open, public networks. This regulation actually helps companies because it pushes them to protect their customers against data breaches.
The Health Insurance Portability and Accountability Act (HIPAA) was originally passed in 1996 to help improve the efficiency and effectiveness of the healthcare system nationwide, and it has been revised multiple times since. One big thing HIPAA does is require that individual health data is protected in specific ways. If your company is doing anything in the healthcare space, you clearly need to be HIPAA compliant. As with payment information, health information is specifically protected, and so your business needs to take extra steps to protect it.
Only your attorney can tell your business exactly how you need to adhere to the regulations discussed in this post. But knowing these regulations should raise questions in your mind that you answer during the course of your business’s continuous innovation and relentless reinvention of software solutions.