Compliance and Regulation Standards
Depending on the industry and location of where the business is being done, business owners and managers legally must follow some of the compliance standards, including GDPR & HIPPA, as to not receive hefty fines from government entities. Other standards such as SOC2 and ISO27001 are voluntary but can provide significant assurance to stakeholders.
GDPR
The General Data Protection Regulation (GDPR) is a legal framework that sets guidelines for the collection and processing of personal information from individuals who live in the European Union (EU). Since the Regulation applies regardless of where websites are based, it must be heeded by all sites that attract European visitors, even if they don’t specifically market goods or services to EU residents.
The GDPR mandates that EU visitors be given a number of data disclosures. The site must also take steps to facilitate such EU consumer rights as a timely notification in the event of personal data being breached. Adopted in April 2016, the Regulation came into full effect in May 2018, after a two-year transition period.
HIPPA
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge. The US Department of Health and Human Services (HHS) issued the HIPAA Privacy Rule to implement the requirements of HIPAA. The HIPAA Security Rule protects a subset of information covered by the Privacy Rule.
COPPA
COPPA imposes certain requirements on operators of websites or online services directed to children under 13 years of age, and on operators of other websites or online services that have actual knowledge that they are collecting personal information online from a child under 13 years of age.
ADA
The Americans with Disabilities Act (ADA) became law in 1990. The ADA is a civil rights law that prohibits discrimination against individuals with disabilities in all areas of public life, including jobs, schools, transportation, and all public and private places that are open to the general public. The purpose of the law is to make sure that people with disabilities have the same rights and opportunities as everyone else. The ADA gives civil rights protections to individuals with disabilities similar to those provided to individuals on the basis of race, color, sex, national origin, age, and religion. It guarantees equal opportunity for individuals with disabilities in public accommodations, employment, transportation, state and local government services, and telecommunications. The ADA is divided into five titles (or sections) that relate to different areas of public life.
In 2008, the Americans with Disabilities Act Amendments Act (ADAAA) was signed into law and became effective on January 1, 2009. The ADAAA made a number of significant changes to the definition of “disability.” The changes in the definition of disability in the ADAAA apply to all titles of the ADA, including Title I (employment practices of private employers with 15 or more employees, state and local governments, employment agencies, labor unions, agents of the employer, and joint management-labor committees); Title II (programs and activities of state and local government entities); and Title III (private entities that are considered places of public accommodation).
SOC 2
SOC 2 is a compliance standard for service organizations, created by the American Institute of CPA’s (AICPA) which specifies how organizations should manage customer data. SOC 2 is based on: security, availability, processing integrity, confidentiality, privacy.
- Risk Assessment
- GAP Assessment
ISO27001
ISO/IEC 27001 is widely known, providing requirements for an information security management system (ISMS), though there are more than a dozen standards in the ISO/IEC 27000 family. Using them enables organizations of any kind to manage the security of assets such as financial information, intellectual property, employee details or information entrusted by third parties.
- Risk Assessment
- GAP Assessment