Data privacy relates to the regulation of sensitive or personally identifiable information (PII), including how it is stored and used. PII includes any data that can be directly tied to a user, including name, ID numbers, date of birth, address or location, and phone number. It may also refer to associated information, including social media posts, profile photos, or IP addresses.
This is part of an extensive series of guides about compliance management.
Data privacy regulations are laws for enforcing data privacy protections. These regulations vary by location, with some covering specific states and others collections of countries.
Data privacy regulations around the world include:
Despite several regulations being introduced, there is currently no federal law universally regulating data privacy in the US. There are, however, several acts that protect specific types or uses of data. These include:
Additionally, the US Federal Trade Commission (FTC) oversees users' protection from deceptive or unfair trade practices, including data security and privacy. The FTC can define regulations, enforce laws, punish noncompliance, and investigate organizations suspected of fraud or violation.
In addition to federal guidelines, 25 states also have various laws regulating data. Depending on the law, regulations apply to government organizations, private organizations, or both.
The most notable example of state-level privacy laws is the California Consumer Privacy Act (CCPA). This act went into effect in January 2020 and provides numerous protections to California residents. These protections include the ability to access data, opt out of collection or sale, and request the deletion of data.
Canada has 28 statutes dedicated to data privacy, spread across a combination of territorial, provincial, and federal bodies. These statutes vary widely in scope and guidelines, but all define broad coverage of actions related to the collection, use, or disclosure of personal data.
Canada’s most notable statutes include:
Of these statutes, PIPEDA is the broadest and applies to:
The most notable privacy law in the EU is the General Data Protection Regulation (GDPR). This regulation addresses the collection, use, storage, security, and transfer of data related to any resident of the EU. It applies to data handled by organizations regardless of location, including those operating outside the EU. Breaches of the guidelines can result in fines of up to 4% of global turnover or €20 million.
The primary goals of GDPR include:
GDPR includes protections for the following data types:
China does not have a federal law relating to data privacy but does have a framework of regulations and laws that cover many cases. For example, the Tort Liability Law and the General Principles of Civil Law both have provisions which have been interpreted to cover privacy or reputation as protections that should be applied to data.
In addition to general protections, there have also been multiple specific regulations and guidelines that have been implemented or proposed. These include:
Australia has a variety of data protection and privacy laws at the territory, state, and federal levels. These include the Australian Privacy Principles (APPs) and the Federal Privacy Act of 1988. These guidelines apply to all government organizations and to private organizations with an annual turnover of AU$3 million.
In addition to the general guidelines, most Australian territories and states also have their own regulations. The exceptions are South and Western Australia. The acts that have been passed include:
Singapore’s data privacy laws are covered under one act: the Personal Data Protection Act (PDPA). This act regulates the collection, care, use, and disclosure of personal information.
PDPA is a general law that establishes a baseline of protections on top of which sector- or industry-specific regulations stack. It aims to balance users' rights with the goals of organizations, provided those goals include reasonable and legitimate data use. Additionally, the PDPA includes the creation of a national Do Not Call registry that enables users to opt out of marketing communications.
NetApp Cloud Data Sense leverages cognitive technology to discover, identify and map personal and sensitive data. Use Cloud Data Sense to maintain visibility into the privacy posture of your cloud data, generate crucial data privacy reports, and easily demonstrate compliance with data privacy regulations such as the GDPR and the CCPA.
Continue exploring in our series of articles about data privacy regulations and how to manage your data effectively for compliance.
California Consumer Privacy Act
As the availability and value of personal data increase, many consumers are expressing concern over how their data is collected and used. To ensure that consumers are protected and retain rights related to their data, governments such as the State of California are creating regulations like the CCPA.
This article explains what the CCPA is, what rights it grants, how compliance is enforced, how it compares to GDPR, and how you can ensure that your organization is compliant.
GDPR Subject Access Request
GDPR is one of several data privacy regulations that organizations need to be aware of and responsive to. As part of this regulation, organizations are responsible for responding to requests from consumers seeking to obtain their personal data from the organization. These requests are referred to as DSARs.
This article explains what DSARs are, how to handle requests, how to deny requests, and what responses need to contain.
Together with our content partners, we have authored in-depth guides on several other topics that can also be useful as you explore the world of compliance management.
Authored by Stoke