
Handling Sensitive Data: A Primer


From GDPR to HIPAA, learn how sensitive information is transferred over the web and what steps you need to take to stay compliant.
Properly securing sensitive customer data is more important than ever. Consumers increasingly insist that their data be secured and managed properly, the regulatory environment is becoming tougher, and business requirements are becoming more complex. The burden falls on the company and its development teams to meet these requirements while still delighting users. If that leaves you in a bind, we're here to help with a quick data privacy primer. First, we'll help you understand the various kinds of sensitive customer data and the regulations that apply to them. Next, we'll guide you in assessing how you currently handle that data. Finally, we'll provide direction on how to properly govern it.

The first task is to understand what kind of sensitive customer data you are already handling and which regulations apply to it. Three factors determine which regulations apply to a given set of data.

First, consider the data itself. Depending on the type of data stored in your system, different regulations apply.

Let's begin with Personal Information (PI). This is perhaps the broadest category of regulated data, referring to nearly anything that is or can be associated with a person. PI is regulated by the General Data Protection Regulation (GDPR), the California Privacy Rights Act (CPRA), the New York SHIELD Act, and others. Examples of this data include:

Personally Identifiable Information (PII) is a subcategory of PI and refers to any data that could be used to distinguish or otherwise determine a person's identity. Generally speaking, the same regulations that apply to PI also apply to PII, although with differing levels of sensitivity. Examples of PII include:

Other categories of private consumer data tend to be industry-specific.
For example, Protected Health Information (PHI) refers to all “individually identifiable health information.” This is regulated in the US by HIPAA, and is defined as any information which relates to any of the following: Similarly, Nonpublic Personal Information (NPI) refers to the personally identifiable financial information that is provided by a consumer to a financial institution, and as such is specific to financial service organizations.
