What is data compliance?

Data compliance is the collection of efforts that allow a business to follow data privacy regulations.

Learning Objectives

After reading this article you will be able to:

  • Explain what data compliance means
  • Compare data compliance with privacy and security
  • Make the case for why data compliance matters


What is data compliance?

Data compliance is the act of conforming to the laws and industry standards for storing, handling, or processing personal information or sensitive data. To protect privacy, there are many different types of regulations today regarding personal and sensitive data. Organizations that do not follow these regulations may violate personal privacy, and as a consequence may receive fines or other penalties from the relevant governing bodies.

Individuals have various rights regarding their personal data under these regulatory frameworks. Both the rights and the way these rights are described can vary across jurisdictions — there is no one-size-fits-all set of standards. However, following typical best practices for the handling of personal information (for instance, the Fair Information Practices) can start an organization in the right direction for compliance.

Why is data compliance important?

Protecting individual privacy:

Complying with data privacy regulations helps keep personal data private. Many privacy laws give consumers control over their data, allowing them to access and correct it and in some cases have it deleted, and require that organizations collecting data tell consumers who can see it and how it is used.

Many (including Cloudflare) consider privacy to be a desirable goal in and of itself. But regardless of one's views on privacy, organizations that respect consumer privacy are more likely to be trusted by their users and customers.

Avoiding fines and other punishments:

Organizations that wish to continue to do business in various regions, and to avoid negative business outcomes such as fines, should value data compliance highly. Many regulatory frameworks give local courts strong power to impose fines, sanctions, and other penalties for violations.

For instance, the General Data Protection Regulation (GDPR) fines are:

  • First-tier violations (for example, of the obligations on record-keeping, security, or breach notification) carry a maximum fine of €10 million or 2% of the business's total worldwide annual turnover for the preceding financial year, whichever is higher
  • Second-tier violations (for example, of the basic processing principles, data subject rights, or the rules on international transfers) carry a maximum fine of €20 million or 4% of the business's total worldwide annual turnover for the preceding financial year, whichever is higher
  • On top of these fines, individuals can seek compensation for material or non-material damage when a business violates their GDPR rights

Avoiding data breaches:

While data compliance is not in and of itself the same thing as securing data, the controls required by most data privacy frameworks will usually make data more secure. This reduces the likelihood of a data breach.

Is data compliance the same thing as data security?

Not quite, although compliance and security interact in some ways. For instance, part of data compliance is putting controls in place to make sure unauthorized persons do not view data, and this enhances security as well.

But compliance and security are two different efforts, and in fact they sometimes come into conflict. For instance, if a third-party anti-malware tool scans all personnel files, this may increase security. But it may also put the organization out of compliance if the third-party tool does not conform to the applicable regulatory standards.

It is important for the security and privacy teams of an organization to work closely together to ensure these two efforts, compliance and security, do not come into conflict.

What are the major data compliance standards to follow?

Each region usually has its own data regulations, and legislative bodies pass more all the time. Some of the major ones that are likely to apply to many businesses operating globally include:

  • General Data Protection Regulation (GDPR): This is a comprehensive data privacy law that establishes a framework for the collection, processing, storage, and transfer of personal data. The GDPR applies to any organization that offers goods or services to people in the EU or monitors their behavior, regardless of where the organization itself is located.
  • Health Insurance Portability and Accountability Act (HIPAA): This is a US federal law that regulates how protected health information is handled by health care providers, health plans, clearinghouses, and their business associates. The US currently lacks an overarching federal data privacy framework but does have industry-specific regulations like HIPAA.
  • Payment Card Industry Data Security Standard (PCI DSS): This framework is maintained by the PCI Security Standards Council (PCI SSC), a private-sector industry group founded by the major payment card brands, and is enforced contractually through the card brands and acquiring banks. PCI DSS applies to any organization that stores, processes, or transmits cardholder data.

Others to know include the California Consumer Privacy Act (CCPA), the ePrivacy Directive, the Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act, and the Sarbanes-Oxley (SOX) Act.

How to take steps towards data compliance

Data compliance is a constant effort, and there is never a complete guarantee that an organization is fully compliant. But certain practices make data compliance much more likely.

  • Data inventory: An organization should know what data it has, where it is stored, and who has access to it. An overarching data governance strategy helps here.
  • Access control: Restrict data to only those people and services that need it (least privilege). This reduces data exposure, limits an attacker's lateral movement, and keeps data secure. Because the wrong person viewing personal data can itself put an organization out of compliance, access control is crucial.
  • Encrypt data at rest and in transit: Encryption scrambles data so that only persons or services holding the decryption key can read it. Note that encryption on its own protects confidentiality, not integrity: an authenticated mode (such as AES-GCM) is needed to detect alteration of the stored or transmitted data, and the keys themselves must be managed and access-controlled at least as carefully as the data.
  • Train employees and contractors: Training and education are extremely important for preventing accidental compliance violations and breaches.
  • Log data usage and perform audits: Logging enables organizations to demonstrate compliance to outside authorities and helps confirm that data policies are being followed. Audit logs should themselves be protected from tampering and from disclosure, since they often contain personal data.
  • Know and study the regulations that apply: Depending on where a business operates, where its customers are, and which industry it is in, different data regulatory frameworks may apply. Organizations should employ people who have expertise in the applicable regulations and can assist with data governance and compliance. This is, in fact, a requirement under some regulations: the GDPR mandates a "Data Protection Officer" for public authorities and for organizations whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special categories of data.
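The following is an added example, not code from this article or from Cloudflare, illustrating the encryption-at-rest point above. It encrypts a personal-data record with AES-256-GCM, binds the ciphertext to its row identifier through additional authenticated data (so a ciphertext copied into another row will not decrypt there), and contrasts it with unauthenticated AES-CTR, where flipping a ciphertext bit silently alters the decrypted record. The key, the record, and the row identifier are constructed for the demo; the function names SealRecord, OpenRecord and TamperOutcome are assumptions of this example, and a real deployment would obtain the key from a KMS or HSM rather than hard-coding it.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// SealRecord encrypts plaintext with AES-256-GCM. aad (for example the
// row's primary key) is authenticated but not encrypted, so a ciphertext
// moved to a different row fails to open there.
// Output layout: 12-byte nonce || ciphertext || 16-byte tag.
func SealRecord(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// OpenRecord reverses SealRecord and returns an error if the nonce,
// ciphertext, tag or aad were modified.
func OpenRecord(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("sealed record too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// ctrXOR is unauthenticated AES-CTR: it hides the data but lets anyone
// flip plaintext bits by flipping ciphertext bits. Included only to show
// why "encrypted" alone does not mean "cannot be altered".
func ctrXOR(key, iv, in []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(in))
	cipher.NewCTR(block, iv).XORKeyStream(out, in)
	return out, nil
}

// TamperOutcome flips one ciphertext bit under each scheme and reports
// whether CTR silently produced a changed plaintext and whether GCM
// refused to decrypt.
func TamperOutcome(key, plaintext, aad []byte) (ctrSilentlyAltered, gcmRejected bool, err error) {
	iv := make([]byte, aes.BlockSize)
	if _, err = io.ReadFull(rand.Reader, iv); err != nil {
		return
	}
	ct, err := ctrXOR(key, iv, plaintext)
	if err != nil {
		return
	}
	ct[0] ^= 0x01 // attacker flips one bit of the stored ciphertext
	pt, err := ctrXOR(key, iv, ct)
	if err != nil {
		return
	}
	ctrSilentlyAltered = !bytes.Equal(pt, plaintext) // no error, wrong data

	sealed, err := SealRecord(key, plaintext, aad)
	if err != nil {
		return
	}
	sealed[12] ^= 0x01 // same bit flip on the first ciphertext byte after the nonce
	_, openErr := OpenRecord(key, sealed, aad)
	gcmRejected = openErr != nil
	return
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 32) // constructed demo key only
	record := []byte(`{"subject_id":"u-1001","email":"alice@example.com"}`) // constructed
	aad := []byte("users.email:u-1001")                                   // row binding
	sealed, err := SealRecord(key, record, aad)
	if err != nil {
		panic(err)
	}
	pt, err := OpenRecord(key, sealed, aad)
	fmt.Printf("round trip ok: %v %q\n", err == nil && bytes.Equal(pt, record), pt)
	_, err = OpenRecord(key, sealed, []byte("users.email:u-2002"))
	fmt.Println("ciphertext moved to another row:", err)
	altered, rejected, _ := TamperOutcome(key, record, aad)
	fmt.Println("CTR silently altered:", altered, "| GCM rejected:", rejected)
}
```

The per-record nonce is generated fresh for every Seal call; reusing a nonce with the same key under GCM breaks both confidentiality and integrity, so a deployment that encrypts many rows should either use a fresh random nonce per row as here or rotate keys well before the safe nonce count is approached.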

Cloudflare is built for compliance, and is designed to offer organizations the features and solutions they need to remain compliant. The Cloudflare connectivity cloud simplifies compliance by offering composable controls in a single platform. Explore how Cloudflare simplifies data compliance.