If you do not work in the IT, Legal, or Audit department, start by finding the person responsible for data security, privacy, or IT audit. Larger organizations may split these roles across several people, so you may need to talk to more than one of them to get started. In any case, obtaining and maintaining compliance is not a solo effort: you will need to work with whoever holds these roles (if your organization has them) to identify the requirements that apply and to produce the evidence an auditor will ask for.
There are many regulations and standards surrounding data security. Whether you need to comply with a given one depends on what type of data you process, how you collect, process, and store it, what type of company you are, where you and your customers are located, and more. Here are some of the most common ones in force today:
> PCI DSS (Payment Card Industry Data Security Standard): If you store, process, or transmit credit card data for any type of purchase, you must comply with this standard. Strictly speaking it is an industry standard enforced through your contracts with the card brands and your acquiring bank rather than a law, but the penalties for non-compliance (fines and loss of the ability to accept cards) make it mandatory in practice.
> Sarbanes-Oxley (SOX): If you are a publicly traded company in the United States, you must comply with this law. Its IT relevance is mainly the internal controls over the systems that produce financial reports, such as access control, change management, and audit logging.
> GDPR (General Data Protection Regulation): If you process personal data of people located in the EU, you must comply with this regulation, regardless of where your company is based and regardless of whether those people are permanent residents. Note that Canada's CASL and the US CAN-SPAM Act are anti-spam laws governing commercial electronic messages; they are not general privacy laws equivalent to GDPR, though they may still apply to you if you send marketing email to Canadian or US recipients.
> GLBA (Gramm-Leach-Bliley Act): Compliance is required of banks and other financial institutions in the United States, a category the law defines broadly enough to include many lenders, insurers, and advisers.
> HIPAA (Health Insurance Portability and Accountability Act): Applies to covered entities (health care providers, health plans, and health care clearinghouses) and to their business associates, meaning any vendor that creates, receives, stores, or transmits protected health information (PHI) on their behalf. Companies that handle health information outside of that relationship are not automatically covered, but may be subject to other privacy laws.
Note: when researching the regulations and laws your company needs to comply with, be sure to search for state and local laws as well as federal and international ones. Many states have their own requirements; for example, California's CCPA/CPRA sets consumer privacy rights and Massachusetts's 201 CMR 17.00 prescribes minimum safeguards for personal information of its residents, and both apply based on whose data you hold rather than where your company is located.