Data Privacy and Security Laws Flashcards
GDPR overview
GDPR stands for General Data Protection Regulation (Regulation (EU) 2016/679). It is a European Union (EU) law that has applied since 25 May 2018. GDPR governs the way in which personal data (any information relating to an identified or identifiable living person) may be collected, used, processed, and stored. Its core principles (Article 5) and key obligations are:
1. Lawful, fair, and transparent processing: Personal data must be processed lawfully, fairly, and in a transparent manner in relation to the data subject.
2. Purpose limitation: Personal data shall be collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
3. Data minimization: Personal data shall be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.
4. Accuracy: Personal data shall be accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
5. Storage limitation: Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
6. Integrity and confidentiality: Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures.
7. Accountability: The controller shall be responsible for, and be able to demonstrate compliance with, the principles listed above.
8. Data subject rights: Individuals have the right to access their personal data, to have inaccurate data rectified, to have data erased under certain circumstances, to restrict processing, to object to processing, and to data portability.
9. Data Protection Officer (DPO): Appointment of a DPO is mandatory for certain organizations, including public authorities and organizations whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special categories of (sensitive) personal data.
10. Data breach notification: In case of a personal data breach, the controller shall notify the supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of it. Where the breach is likely to result in a high risk to individuals' rights and freedoms, the affected data subjects must also be notified without undue delay.
PCI overview
PCI DSS (Payment Card Industry Data Security Standard) is a set of security requirements, maintained by the PCI Security Standards Council, for organizations that store, process, or transmit payment card data. The standard and its supporting resources are intended to protect the people, processes, and technologies across the payment ecosystem and help secure payments worldwide.
HIPAA
The Health Insurance Portability and Accountability Act of 1996. Congress incorporated into HIPAA provisions that mandate the adoption of federal privacy protections for individually identifiable health information; these are implemented by the HIPAA Privacy Rule and, for electronic protected health information, the HIPAA Security Rule.
FERPA (US Dept. of Ed.)
The Family Educational Rights and Privacy Act of 1974 is a United States federal law that protects the privacy of student education records. It applies to schools that receive funds under an applicable program of the U.S. Department of Education, gives parents (and students once they turn 18 or attend a postsecondary institution) the right to inspect and request correction of those records, and generally requires written consent before a school discloses personally identifiable information from them to third parties such as potential employers or other institutions.
APEC Privacy Framework (2005)
The Asia-Pacific Economic Cooperation (APEC) Privacy Framework aims at promoting electronic commerce throughout the Asia-Pacific region consistent with the core values of the OECD's Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (OECD Guidelines), and reaffirms the value of privacy to individuals and to the information society. It promotes a flexible approach to information privacy protection across APEC member economies while avoiding the creation of unnecessary barriers to information flows.
AMLA of 2020
Anti-Money Laundering Act of 2020, which amended the Bank Secrecy Act framework administered by the Financial Crimes Enforcement Network (FinCEN).
The mission of FinCEN is to safeguard the financial system from illicit use, combat money laundering and its related crimes, including terrorism, and promote national security through the strategic use of financial authorities and the collection, analysis, and dissemination of financial intelligence.
- The purpose is to help detect and report suspicious activity, including predicate offenses to money laundering and terrorist financing, such as securities fraud and market manipulation.
- Financial institutions covered include:
  - Casinos
  - Depository institutions
  - Insurance industry
  - Money services businesses
  - Mortgage companies/brokers
  - Precious metals/jewelry industry
  - Securities and futures
USA Patriot Act
The stated purpose of the USA PATRIOT Act (2001) is to deter and punish terrorist acts in the US and around the world, to enhance law enforcement investigatory tools, and other purposes, some of which include:
- Strengthen U.S. measures to prevent, detect, and prosecute international money laundering and the financing of terrorism;
- Subject to special scrutiny foreign jurisdictions, foreign financial institutions, and classes of international transactions or types of accounts susceptible to criminal abuse;
- Require all appropriate elements of the financial services industry to report potential money laundering;
- Strengthen measures to prevent the use of the U.S. financial system for personal gain by corrupt foreign officials, and facilitate the repatriation of stolen assets to the citizens of the countries to which such assets belong.