What Should a Security Manager Know About US and UK Privacy Laws?
George Bernard Shaw once said that the U.K. and U.S. were “two nations divided by a common language.” You can say a similar thing about security managers. Security managers in both countries have data privacy as a common theme in their roles, but it is the nuances in the application that may divide them.
Data privacy is increasingly being added to the security manager's job list. This is due to a number of factors, including the raised profile of data privacy in general thanks to a number of high-profile incidents. The Snowden revelations about state surveillance in 2013 started the ball rolling, and the seemingly never-ending data breaches, now at least a weekly occurrence, have kept it going. Where once there was only data security, now there is the added goal of ensuring the privacy of that data.
It needs to be noted that data security and data privacy are not the same thing, although they often reinforce each other. Securing information helps to protect the privacy of an individual's personally identifiable information (PII, the term used in most U.S. laws) or personal data (the term used in the U.K. and the EU). Note that the two terms are not interchangeable: "personal data" under the GDPR means any information relating to an identified or identifiable person, including online identifiers such as IP addresses and cookie IDs, whereas the U.S. definitions of PII vary from statute to statute and are often narrower.
Let’s start with what data privacy is.
What is Data Privacy?
First and foremost, privacy is not about keeping data secret. This is a misconception that has blighted the application of data privacy. It’s more accurate to describe data privacy as having control over the use of data, with the control aspect being delegated to the individual but augmented by the underlying protection within the system.
The U.K. and the U.S. have regulations and laws that incorporate a number of data privacy expectations. This article will explore some data privacy-related questions in order to look at the various aspects of U.K. and U.S. privacy laws that impact the role of a security manager.
What UK and US Regulations Incorporate Data Privacy?
The United Kingdom
The U.K. has a U.K.-wide Act of Parliament, the Data Protection Act 2018 (DPA 2018), which received Royal Assent on May 23, 2018 and came into force on May 25, 2018. That is the same day the E.U.'s General Data Protection Regulation (GDPR) became applicable, and it is no coincidence: the DPA 2018 replaces the Data Protection Act 1998, reflects changes in the technology landscape and sits alongside the GDPR, filling in the areas the GDPR leaves to member states. The DPA 2018 therefore goes beyond the GDPR in several respects, including:
- A separate regime (Part 3 of the Act) for processing by law enforcement authorities, implementing the EU Law Enforcement Directive
- A separate regime (Part 4) for processing by the intelligence services
- An exemption from some data subject rights where processing is for immigration control purposes
- Exemptions in a number of other areas, including journalism, research and health, that the GDPR allows member states to set
In the U.K., there are also sector-specific advisories that need to be accommodated and that may become regulatory requirements in the future. For example, the National Data Guardian for Health and Care published the Review of Data Security, Consent and Opt-Outs, which sets out data security standards for the NHS and suggests ways of improving patient trust by applying data privacy principles, including a single national opt-out for the use of patient data.
In the U.S., by contrast, there is no single comprehensive federal privacy law. Instead, there is a patchwork of state laws, and certain industry sectors have stringent data protection and privacy regulations of their own.
In terms of state laws, the most comprehensive is the California Consumer Privacy Act of 2018 (CCPA), which was signed into law on June 28, 2018 and takes effect on January 1, 2020. In our recent article, Has California Just Created GDPR 2.0?, we looked at the details of the law and how it impacts the businesses that need to apply its data privacy rules. Other states with privacy-focused laws include Delaware, with its Online Privacy and Protection Act, and Nevada and Minnesota, which require ISPs to keep certain customer data private.
In the U.S., there are also a number of industry-specific data privacy regulations, such as the Gramm-Leach-Bliley Act in the financial sector, which has provision for the protection of data privacy. In healthcare, there is the Health Insurance Portability and Accountability Act of 1996 (HIPAA). HIPAA has a specific Privacy Rule which explicitly deals with privacy of Protected Health Information (PHI).
In the U.S., there is also a specific federal law on the personal data of children under 13, the Children's Online Privacy Protection Act (COPPA). It is enforced by the FTC through its COPPA Rule, which requires verifiable parental consent before personal information is collected from a child.
The General Data Protection Regulation (GDPR)
Although the GDPR is an EU law, it can have an impact on countries outside of the EU (including the U.K., post-Brexit). This is because the GDPR has a wide territorial scope (Article 3): it applies to any organization, regardless of location, that processes the personal data of data subjects in the EU in connection with offering them goods or services or monitoring their behavior. Note that the test is where the data subject is, not their citizenship.
Further details on U.S.-specific privacy regulations were discussed in our earlier article: Differences Between the Privacy Laws in the EU and the US.
Some Questions About Privacy Laws for Security Managers
Security managers who find that their organization falls into the domain of one or more of the regulations or laws that incorporate data privacy will have a number of questions that need answering. Below are some of the most common and pertinent:
Q: What skills and education should a security manager have regarding privacy laws to be able to operate successfully in the U.S. and U.K.?
A: The regulations around personal data privacy can be nuanced. As a security manager, you will be expected to take the legal advice of your organization and apply it. Skills in understanding what data privacy is and what legislation exists to protect it will help you interpret that advice and translate it into controls. The International Association of Privacy Professionals (IAPP) offers a number of certifications on privacy law in the U.S. and Europe. See also InfoSec Institute's webinar, 5 Ways an IAPP Privacy Certification Can Boost Your Career.
Q: What constitutes permission to keep and/or share private information in the US and UK?
A: "Consent" is a key concept when determining permission to process personal data. Where consent is the basis for processing, modern privacy laws require that it be an affirmative, clear "opt-in": the GDPR, for example, states that silence, pre-ticked boxes or inactivity do not constitute consent, and a consent request bundled with other terms is not valid. Note, however, that consent is only one of the lawful bases the GDPR recognizes; processing can also rest on, among others, performance of a contract, a legal obligation or the organization's legitimate interests, each with its own conditions. The security manager's job is to know which basis the organization relies on for each processing activity and to make sure the system records and honors it (for example, that a withdrawn consent actually stops the processing).
Q: What are the main differences between the U.S. and the U.K. when it comes to privacy laws?
A: In the U.K. there is a national data privacy law, the DPA 2018 (together with the GDPR), that applies across the board to all organizations, subject to certain exemptions. In the U.S., there is no umbrella data privacy law; instead, there is a mosaic of state-by-state privacy protection, supplemented by robust industry-specific regulations such as HIPAA and GLBA.
Although the U.S. and U.K. have created data privacy laws independently of each other, these differences may be lessening. The globalization of technology and the worldwide use of social media giants like Facebook are creating a borderless technology platform, meaning that data privacy and jurisdiction are becoming blurred.
However, there are still nuanced differences between the two countries' attitudes towards data protection. This may be because of differences in cultural attitudes towards personal information. For example, in 2017 Congress used the Congressional Review Act to repeal, with President Trump's signature, the FCC's broadband privacy rules, which would have required ISPs to obtain an opt-in from the consumer before selling their browsing data.
Q: How much of the current policy is based on old laws like the privacy act of 1974? Are these still relevant?
A: Many of the present-day regulations in the U.K. and U.S. are based on older laws, updated to keep up with changes in technology. For example, the U.K. DPA 2018 replaces the DPA 1998, which in turn replaced the original DPA 1984. In the U.S., the Privacy Act of 1974 was brought in to regulate the personal data that federal agencies hold in their systems of records. The act is based on fundamental data privacy principles, such as collecting only information that is relevant and necessary, giving individuals access to their records, and limiting disclosure without consent. These principles are still relevant today. Note that the act itself only protects U.S. citizens and lawful permanent residents; a controversial executive order of January 25, 2017 directed agencies to exclude non-U.S. persons from its protections to the extent consistent with law.
Q: Are both the U.K. and the U.S. impacted by GDPR?
A: Although the U.S. is outside of the EU and the U.K. is due to leave the EU in March 2019, the GDPR may still affect companies in those countries. The jurisdiction of the GDPR extends to any organization, irrespective of location, if it offers goods or services to, or monitors the behavior of, "data subjects in the Union." For example, if you are a U.S. company that sells goods to persons in France and in doing so collects the customer's name and address, you will be under an obligation to comply with the GDPR. The same applies if your website profiles visitors from the EU with tracking cookies, even if you sell them nothing.
Q: What should employers look for in a security manager hired to oversee operations in the U.S., the U.K. or both? What certifications might be necessary or preferable?
A: Security managers should have a good grasp of the fundamentals of what data privacy is. They should also have a good understanding of the specific laws and regulations that apply to their business area and any general regulations that need to be adhered to.
There are a number of certifications that provide the knowledge needed to understand data privacy. These include the Certified Information Privacy Professional/Europe (CIPP/E), which focuses on European privacy law, including the GDPR, and its U.S.-centric counterpart, the CIPP/US. For a security manager, the Certified Information Privacy Technologist (CIPT) is particularly relevant, as it focuses on building privacy into systems and technology rather than on the law itself.
Q: How do the requirements for a security manager differ in the U.S. and the U.K., depending on the respective industry?
A: Security managers in the U.K. and U.S. will need a common understanding of what data privacy is and how to manage it. However, because each country has a set of laws written specifically for its own jurisdiction, the security manager will need an increased awareness of their own national issues. In addition, some industry sectors, such as finance and healthcare, have very specific requirements and legislation around data privacy. A security manager working in those industries would need to be very familiar with those requirements.
Q: What steps should you take to transition an employee into the role of a security manager?
A: Employees can be trained to take on the role of a security manager. Many security certification tracks are designed to be built on over time with increasingly focused exams. Start your employee with entry-level certification and training, such as the CompTIA A+/Network+ exams, before moving on to security-specific and then privacy-specific certifications.
Q: What is the benefit of taking courses and certifications for a security manager? Why is this an investment in better security and better compliance over the long term?
A: Security and data privacy are not static entities, as evidenced by the ever-changing security landscape. As technology changes and as consumer perception matures, security and privacy change too. This is why it is important to maintain a culture of learning in an organization. It is also important to offer professional development opportunities to your security workforce to ensure they are abreast of changes in legislation and in technological advances.
The Forward March of Data Privacy
Data privacy is now ensconced in our everyday language. The U.K. and U.S. are two of many countries who are dealing with data breaches and privacy violations by ensuring that laws and regulations reflect the modern world. Keeping your security manager at the forefront of data privacy regulations will not only check the compliance box and avoid hefty fines, but it will also help to build a safer world that is respectful of the privacy of personal data.
Sources
Privacy by Design – The 7 Foundational Principles, Ann Cavoukian (IAPP)
Data Protection Act 2018, legislation.gov.uk
Guide to Law Enforcement Processing (Part 3 of the DP Act 2018), ICO
Review of Data Security, Consent and Opt-Outs, National Data Guardian
Data protection in the United States: overview, Thomson Reuters Practical Law
Chapter 12C: Online and Personal Privacy Protection, State of Delaware
Privacy Legislation Related to Internet Service Providers – 2017, NCSL
Summary of the HIPAA Privacy Rule, HHS.gov
U.S. Code Title 5, Government Publishing Office
Art. 3 GDPR – Territorial scope, Intersoft Consulting