Community Celebration of Thanks at The Heights Center - PhotosAll Posts Next Post ››
Display your art at the Alliance!
For Small and Medium-Sized Enterprises (SMEs), knowing the basics of data privacy is essential.
Often, SMEs lack the resources to fully deal with compliance challenges. In this article, we will take a
look at the some of the most common regulations companies must comply with, and the consequences
The California Consumer Privacy Act (CCPA)
The California Consumer Privacy Act was passed in 2018 with the intention of giving consumers more
power over the information that businesses collect about them. Among the new rights granted to California
-The right to know about the personal information a business collects about them, and how it is used and
-The right to delete personal information collected from them.
-The right to opt-out of the sale or sharing of their information.
-The right to non-discrimination for exercising these rights.
In January of 2023, an amendment to the CCPA, also known as the CPRA, meant additional protections
for consumers in California. These include the right to correct inaccuracies in the personal information a
business has about them, and the right to limit the use and disclosure of sensitive personal information.
Compliance with the CCPA means responding to requests from your clients to exercise these rights, and
giving them notices explaining your privacy practices.
Other State Specific Laws
California is not the only state with its own privacy law. As of 2023, there are over thirteen states who
have enacted or will enact their own data privacy regulations. Some of these states include Virginia,
Tennessee, Florida, Texas, Indiana, Iowa, Colorado, Utah, Montana, and Oregon. These regulations
are meant to empower consumers, and allows them to have more control over their own data. Addition-
ally, these state regulations require businesses to implement certain controls to protect client data. As an
organization, it is imperative to stay up to date on legislation that is specific to the state in which you
operate as well as the states in which your clients may live.
General Data Protection Regulation (GDPR)
The General Data Protection Regulation was designed to protect the information of European Union and
United Kingdom residents. When an organization collects or processes data from the UK or the EU, they
must comply with the GDPR. Even if your organization is based in the USA, you will need to have a GDPR
policy in place. This includes having written data protection policy, defined compliance measures, and
implementation of that plan. It is important to have proper cybersecurity measures implemented to avoid
violating the GDPR.
Industry Specific Regulations
There are also industry specific regulations that must be considered when designing a compliance plan.
For healthcare organizations in particular, the most recognizable legislation is the Health Insurance
Portability and Accountability Act, or HIPAA. HIPAA provides numerous protections to patients of
medical establishments and their sensitive information. It is especially important for healthcare providers
to note that HIPAA lays out provisions for cybersecurity that must be followed in order to comply. These
include the execution of response and mitigation procedures and contingency procedures, as well as
reporting all cyberthreat indicators.
Another important regulation is the Gramm-Leach-Bliley Act, which applies to financial institutions and
any organization that collects or processes client financial information. The FTC has also implemented the
Safeguards Rule to further extend consumer data protections as it pertains to financial institutions. The Safe-
guards Rule, much like HIPAA does for medical institutions, requires covered organizations to develop and
maintain and information security plan designed to protect customer information.
Penalties for Non-Compliance
Data protection regulation is not to be taken lightly. Failure to comply with regulations can lead to serious
penalties like fines. For example, organizations who do not comply with the Gramm-Leach-Bliley Act can
face fines of $100,000 for each violation, and individuals can face up to 5 years in prison. Companies found
noncompliant with the General Data Protection Regulation can be fined upwards of 20 million Euros, or 4%
of the business’s total annual worldwide turnover. These kinds of fines can be detrimental to SMEs, which is
why it is incredibly important to stay up to date on new regulations and have compliance measures in place to
prevent severe losses.
How Inceptus Can Help
Compliance challenges can be difficult for SMEs to deal with, and establishing compliance programs for data
privacy can be overwhelming. Thankfully, Inceptus provides cybersecurity solutions that help take enterprises
off the ground and on the road to compliance. As your trusted cyber advisors, Inceptus provides vCISO and
Security Consulting, Security Risk Assessments, Policy and Procedures, and more to better assist you in reach-
ing compliance measures while also ensuring that you are able to maintain best-in-breed cyber practices.