New Privacy and Data Security Guidance and Rules on Tap for 2017

A new year has begun, and there are plenty of new privacy and data security rules lined up to change the business world. Here is a brief overview of the state regulatory changes, federal guidance updates, and global initiatives that will have an impact on your day to day business.

State Regulatory Changes

The big regulatory change on a state level is a revision to a proposed cybersecurity rule in New York. The New York Department of Financial Services has revised its proposed cybersecurity rule from the end of last year and extended the compliance deadline. The changes to the rule include a small business exemption, periodic rather than annual risk assessments, and a modification of who within an organization needs to review and approve a company's cybersecurity plan, among other things. These rules apply to New York-regulated financial institutions such as insurers, money services businesses, and virtual currency companies. Many regulators are looking to this example as a model for their own regulations.

Guidance for Federal Agencies

In January, the Office of Management and Budget (OMB) released guidance for agencies on protecting against and responding to data security incidents, or hacks. This is a clear sign of how deeply ingrained technology is within our culture, as all federal agencies are now required to comply. The guidance covers contracts with federal contractors and how those contracts should include terms that allow the federal agency to take steps to respond to a breach, should one occur. This could result in significant financial and workload obligations for vendors, likely limiting the available contracts to only those companies capable of supporting those responsibilities.

GDPR

On an international scale, the European General Data Protection Regulation (commonly known as GDPR) has brought a series of new guidance relating to data portability, data protection officers, and the identification of the lead data protection authority. Under this new guidance, users will have the right to access the data that data controllers hold about them, as well as the right to take their data elsewhere. The guidance also outlines the requirements relating to the appointment of Data Protection Officers (or DPOs). It lays out the cases in which a company will not need to appoint a DPO and when appointment is mandatory, the level of experience considered adequate for DPOs, and the independence and resources DPOs require to uphold their responsibilities.

The identification of the Lead Data Protection Authority is described as necessary for companies with multi-country operations involving data transfers. This guidance offers additional clarity for companies keen to achieve or remain in compliance with GDPR, as would be required to maintain significant operations in Europe and to satisfy the requirements of European data protection authorities.

For more thoughts on how you can capitalize on the changing regulatory landscape this year, connect with Happy Faces Records Management to learn how we can help you maintain a high level of document security, organization, and disposal.
