Written by Anne Kimbol, Chief Privacy Officer, HITRUST
The speed and growing volume of information flows show that the need for strong privacy and security controls crosses borders, and these controls often become key to exchanging information across borders, even within the same company. Today, the value of cross-border data transfers is estimated to be in the billions of dollars. Enabling the global market to work effectively and efficiently is essential to global trade and revenue.
With the European Union’s General Data Protection Regulation (GDPR) going into effect in May 2018, coupled with significant public attention to data breaches and potential privacy violations, our collective attention to data protection – and to ensuring that companies who hold individually identifiable data are acting responsibly – has increased. In fact, in honor of Data Privacy Day on January 28, the European Commission issued a press release discussing international transfers and the heightened attention data protection has been generating since last May. This reinforces the importance of getting international transfers right, particularly given the potential fines and public relations issues.
Legislation being passed and proposed abroad, in U.S. states, and at the U.S. federal level all contains different requirements for when and how such data can be obtained, shared, and used. The good news is that these laws are all based on the same or similar underlying frameworks and principles. As the standard bearer for comprehensive risk-based data protection standards, HITRUST® pays close attention to these developments and actively monitors data protection laws, regulations, and proposals in the U.S. and abroad.
Recognizing this and acknowledging the likely continued reliance global businesses will have on these frameworks, HITRUST focused on the underlying principles in reorganizing the privacy category in the HITRUST CSF® Version 9.2.
The new control objectives for the privacy category include: transparency; individual participation; purpose specification; data minimization; use limitation; data quality and integrity; and accountability and auditing. They also include mappings to U.S. law, the GDPR, and the Singaporean Personal Data Protection Act of 2012 (PDPA), as well as references to the Fair Information Practice Principles (FIPPs), the Organization for Economic Cooperation and Development (OECD) Privacy Principles, and the Asia-Pacific Economic Cooperation (APEC) Privacy Framework.
HITRUST CSF Version 9.2 further addresses the needs of companies working to comply with international laws by expanding on its language regarding the GDPR and integrating the PDPA.
‘Assess Once, Report Many’ Approach
Few, if any, businesses have the resources to run multiple compliance programs for data protection. Both the European Union and Singapore’s InfoComm Media Development Authority (IMDA) have expressed strong support for businesses having a third-party review of their data protection schemes, both to help them identify and address weaknesses and to ensure compliance with the laws themselves. Being able to assess once against the HITRUST CSF and report to Singapore, the European Union, other regulatory entities, and business partners is essential to an effective and efficient data protection assessment program.
HITRUST has submitted an application to the European Data Protection Board (EDPB) and the Irish Data Protection Commissioner to have the HITRUST CSF recognized as a valid standard against which to certify data processing activities under Article 42 of the GDPR.
We are also developing an application that will be sent to Singapore’s IMDA to take part in its Data Protection Trustmark Certification. Under this program, businesses can receive certification from the IMDA for compliance with the PDPA. The IMDA requires businesses to work with an assessment body for analysis of their program and the independent assurance to the IMDA that the entity truly is as compliant as it claims.
HITRUST will continue monitoring data protection laws and best practices internationally, both to help our clients stay on top of upcoming laws and policies and to ensure the HITRUST CSF remains an up-to-date and reliable tool for our clients to use in assessing their data protection programs. This is the core of the “assess once, report many” purpose of the HITRUST CSF – to allow our clients to do one assessment that can be used with many parties, including business partners, customers, and regulators, to demonstrate the strength of their data protection programs.