Security Compliance: GDPR, HIPAA, PCI DSS, and Regulatory Frameworks

Security compliance means adhering to laws, regulations, standards, and policies that protect data and systems. Different industries and regions have different requirements, and many organizations must comply with multiple frameworks simultaneously.

Key Compliance Frameworks

GDPR (General Data Protection Regulation) — EU regulation protecting personal data of EU citizens. Key provisions: explicit consent for data collection, the right to be forgotten, data breach notification within 72 hours, appointment of a Data Protection Officer (DPO), and fines of up to 4% of global revenue or 20 million euros.

HIPAA (Health Insurance Portability and Accountability Act) — US healthcare regulation protecting Protected Health Information (PHI). Key requirements: Privacy Rule (patient data rights), Security Rule (administrative, physical, and technical safeguards), Breach Notification Rule, and Business Associate Agreements (BAA).

PCI DSS (Payment Card Industry Data Security Standard) — protects credit card data. Applies to any organization that processes, stores, or transmits cardholder data. Key requirements: encrypt cardholder data, restrict access, regularly monitor and test networks, and maintain an information security policy.

  • GDPR: EU data privacy — consent, right to be forgotten, 72-hour breach notification
  • HIPAA: US healthcare — protects PHI with Privacy Rule and Security Rule
  • PCI DSS: payment card industry — encrypt cardholder data, restrict access, test networks
  • Non-compliance results in significant fines and legal liability

NIST and ISO Standards

NIST (National Institute of Standards and Technology) — US government agency that publishes cybersecurity frameworks. Key publications: NIST SP 800-53 (security controls for federal systems), the NIST Cybersecurity Framework (CSF, with five functions: Identify, Protect, Detect, Respond, Recover), and NIST SP 800-61 (incident response). The NIST CSF is widely adopted beyond government.

ISO 27001 — international standard for Information Security Management Systems (ISMS). Organizations can be certified against ISO 27001. It defines a plan-do-check-act (PDCA) approach to security. ISO 27002 provides implementation guidance for the controls in ISO 27001.

SOC 2 (Service Organization Control 2) — auditing standard for service providers. Reports cover controls related to security, availability, processing integrity, confidentiality, and privacy. A SOC 2 Type I report assesses control design at a point in time; a Type II report assesses control effectiveness over a period.

  • NIST CSF: Identify, Protect, Detect, Respond, Recover — widely adopted framework
  • ISO 27001: ISMS standard — organizations can be certified
  • SOC 2: audits service providers — Type I (design) vs Type II (effectiveness)
  • Many organizations must comply with multiple frameworks simultaneously

Data Privacy and PII

Personally Identifiable Information (PII) is any data that can identify a specific individual. Examples: name, SSN, address, email, phone, IP address, biometric data, medical records, financial accounts.

Data privacy requirements: data classification (labeling data by sensitivity), data retention policies (how long data is kept), data minimization (collect only what's needed), purpose limitation (use data only for stated purpose), and data subject rights (access, correction, deletion).

Data roles: Data Subject (the individual whose data is processed), Data Controller (determines purpose and means of processing), Data Processor (processes data on behalf of the controller), and Data Protection Officer (DPO — oversees compliance).

  • PII: any data that identifies an individual — must be protected
  • Data classification: public, internal, confidential, restricted
  • Data retention: keep data only as long as legally required
  • Data subject rights: access, correct, delete, port personal data
  • Controller vs Processor: controller decides, processor acts

Privacy Impact Assessments and Audits

A Privacy Impact Assessment (PIA) evaluates how a project or system will affect individual privacy. It identifies privacy risks and recommends mitigations before the system is deployed.

Compliance audits come in three forms: internal audits (conducted by the organization's own team), external audits (conducted by independent third parties), and regulatory audits (conducted by government agencies).

Audit findings fall into three categories: non-conformities (failures to meet requirements), observations (potential risks or improvement areas), and opportunities for improvement. Corrective action plans address findings with deadlines and responsible parties.

  • PIA: assess privacy impact before deploying new systems
  • Internal audits: self-assessment by organization's team
  • External audits: independent third-party verification
  • Corrective action plans remediate audit findings

Exam Tip

Know which regulation applies: GDPR (EU data privacy), HIPAA (US healthcare), PCI DSS (payment cards). NIST CSF five functions: Identify, Protect, Detect, Respond, Recover. PII definition and data subject rights are frequently tested.