Can you really comply with every regulation?

Auditing, evaluating and updating data handling processes and technology is a necessity under the tougher personal data protection and privacy requirements set out in the new EU General Data Protection Regulation (GDPR). Any organization, anywhere in the world, that processes or holds the personal data of EU residents must comply with this new regulation or face significant fines (up to 4% of annual global turnover or €20 million, whichever is higher, for the most serious infringements).

Organizations already bound by more stringent controls, such as those in healthcare and financial services, may be further down the road than others. For them, however, the prospect of competing regulations becomes a very real concern. Is it possible to comply with every regulation in every territory or region? Unlikely. But understanding where the regulations overlap or conflict, and assessing the risks those conflicts pose, cannot be ignored.

Financial Services

Financial services organizations are bound by strict controls on data exfiltration, exposure and record keeping under the Exchange Act, FINRA rules, MiFID, and others. MiFID II, for example, requires records of all communications, including personal data, that could lead to a transaction being carried out to be retained for at least five years (up to seven if a competent authority requests it). Yet under GDPR's storage limitation principle, personal data should be kept only for as long as necessary for the purpose it was collected for, and data subjects can request erasure under the "right to be forgotten". The GDPR itself anticipates part of this tension: Article 17(3)(b) disapplies the right to erasure where processing is necessary to comply with a legal obligation under Union or Member State law, so a records-retention mandate can justify keeping the data, but only for the mandated period and scope, and only if that justification is documented. How the two regimes interact beyond that is not yet clear in practice, and financial organizations should look to their regulators to help navigate the maze.

The same conundrum applies to the requirement to protect personal data versus the need to share information to help counter financial crime. Article 23 of the GDPR may provide a route to follow here: it allows Union or Member State law to restrict data subject rights and transparency obligations where necessary for purposes such as national security and the prevention, investigation, detection or prosecution of criminal offences. However, such restrictions are made by each country's own legislation, so an organization operating in multiple jurisdictions may face conflicting rules that complicate things even further.

Healthcare

In healthcare, systems like electronic health records, pharmacy, and radiology systems are improving the efficiency of care delivery and the ease of access to information. However, they also widen the attack surface and increase the risk of personal data, including health information, falling into the wrong hands. Healthcare providers governed by the US Health Insurance Portability and Accountability Act (HIPAA) must follow strict rules on the collection, use, and protection of protected health information.

GDPR, while much broader in its definition of personal data, treats data concerning health as a "special category" under Article 9, which is prohibited from processing except under specific conditions such as explicit consent or the provision of care. The requirements are similar to HIPAA's but not identical, differing for instance in the legal bases for processing, breach notification timelines, and data subject rights. Healthcare providers in the US must, therefore, understand where the differences lie and make provision for them if treating EU residents.

Life Sciences

Similarly, life sciences organizations may well face new rules on data protection, especially those outside Europe that receive personal information collected during clinical trials. While they may have some familiarity with EU data protection rules through the EU-US Privacy Shield, for example, GDPR is likely to impose more stringent requirements, including the Article 9 conditions for processing health and genetic data and a documented lawful basis for international transfers.

Next Steps to Achieve GDPR Compliance

The bottom line is that many highly regulated organizations will likely face competing requirements and unclear guidance. Now is the time to consult the relevant regulators, working parties, governing bodies and others to help clarify requirements, and to document the legal basis and retention period for each category of personal data so that conflicts are identified before they become compliance failures.
