The five basic data privacy rules for US compliance

The five data principles

The meaning of data can be as broad as any information, from health records to a lunch order. Different kinds of data are subject to different laws with varying levels of severity. Data about a person’s health, for example, is subject to a strict set of regulations known as HIPAA. Here is some guidance on protecting your clients’ and colleagues’ data through five basic data privacy rules.

Data privacy law in the US

Data privacy rules apply to any information that can be used on its own, or in combination with other clues, information, or context, to identify, contact, or locate an individual. 

Data covered by data privacy rules is any information related to a person that could be used to identify that person, either directly or indirectly.

It could be a name, photo, email address, date of birth, ethnicity, religion, financial record, medical information, or employment history. It could even be posts on social networking sites.

Different countries use different terms to describe this kind of data. In the US, it’s known as personally identifiable information (PII).

The key data principles

While specific rules on data privacy can vary by state and jurisdiction, there are some basic rules that should always be followed. You need to be aware of these because everyone in an organization is responsible for protecting the data held on employees, customers and clients.

There are four key data principles:

  1. Don’t collect data unless you have to
  2. Don’t use data for any purpose other than the one you have informed the individual about
  3. Protect data at all costs
  4. Destroy data when it’s no longer required

The five data privacy rules

Consent

Before disclosing any data, check if the proper consent is in place to do so. Depending on the type of data, you may need the consent of the individual concerned before passing it on.

Purpose

Before collecting any data from an individual, make sure you need it. Collect only the exact amount of data needed for the stated purpose, never more. Data should not be collected or used without approval.

Security and access

Data should always be kept and stored anonymously, using current security and anonymization methods. You have a responsibility to protect data from loss, theft, unauthorized use and modification. Data should not be accessed without permission or a specific, lawful purpose.

An individual should have the means to view and correct the data held on them as provided by law.

Disclosure and accountability

By law, individuals have a right to know why their data is being collected and how it will be used. Individuals can normally hold companies to account for the use of their data and for keeping it safe and secure. Individuals may be able to sue or report companies that abuse or misuse data. Some of the fines can reach up to 4% of global annual turnover.

Destruction and disposal

Data should not be kept for any longer than is necessary. Data that is not being used, out of use, or no longer required should be destroyed. All data should have a retention period associated with it, and data should be periodically reassessed and destroyed or disposed of when no longer needed.

Top tips for keeping data safe

There are federal and state laws that set out the requirements for proper disposal of certain categories of PII such as health information. Breaching them can result in civil or even criminal penalties against you or your business. Here is some guidance on how to keep data safe:

  • Store data securely and ensure it can only be accessed by authorized users
  • Have clear policies in place to protect data and comply with the law
  • Train all staff on data privacy and your organization’s policies
  • Complete security audits regularly and ensure that documents containing personal data or PII are disposed of correctly
  • Report any breaches or concerns, even if you think they are small or insignificant

VinciWorks’ online data privacy training for US-based businesses

[Screenshot: Data Privacy: Fundamentals includes a gamified data privacy simulation to test users’ knowledge]

VinciWorks’ online data privacy course, Data Privacy: Fundamentals, provides all staff with a comprehensive overview of data privacy rules, policy, and legislation in the United States. The course combines short bursts of learning with practical scenarios and real-life case studies to ensure all staff know how to work with data safely and securely. Interactive scenarios and gamified challenges test and score data privacy knowledge as users progress through the training. The course also covers the California Consumer Privacy Act (CCPA), effective January 1, 2020.

How are you managing your GDPR compliance requirements?

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.