Email

Navigating global data compliance and regulations in 2023

Navigating legislation on data privacy can be like finding your way through a maze full of booby-traps. We’ve got the map to guide you and the data you need to know now.

PUBLISHED ON

PUBLISHED ON

Protection from loss, theft, and corruption – these are the goals of data privacy regulations.

Adhering to these regulations makes you a trusted sender but it takes resources to keep up with the evolving policies around data privacy. As a dedicated data processor ourselves, we respect every bit of data we touch, and this index will be your guide to existing global legislation and what to expect for the year ahead.

What is data compliance?

Data compliance is the process that determines legislation and governance to oversee data privacy. That’s a fancy way of saying data legislation tells you how to manage the data within your organization. Data regulations cover the access and management of data pertaining to:

  • Consumer privacy

  • Data security

  • Data storage requirements

  • How to handle unauthorized access and cybersecurity attacks

Data compliance covers nothing short of fundamental security rights, and there are a lot of angles we can look at – from the rights of the individual to the operation of businesses.

Why data compliance matters

We know firsthand that data is a complex business topic, but consumer data is much more than just information or numbers. There are human beings connected to every piece of data you obtain. That’s why it’s worth protecting and all more important that it does not get in the wrong hands.

Of course, that data is also very valuable to the companies that collect it, helping them grow their business and build better user experiences. Data legislation not only protects the privacy of everyday people but the security of an organization’s data assets.

In a survey conducted by Mailjet by Sinch, it’s clear that GDPR has established itself as a necessity, but a substantial 25% of those surveyed were unsure of the specific data legislation that applied to them. There’s a lot to go through between countries and definitions but keep reading and we’ll set the record straight on these policies.

Graph showing which countries data is coming from.

Data and compliance: Parties involved

There are three distinct parties affected by data legislations; data subjects, data controllers, and data processors, each with their own role to play. Though these three players are each represented in all current data legislation, they are not represented in the same way for each.

Before we break down who has to follow which rules, let’s get some basic definitions out of the way.

Who are the data subjects?

Data subjects are individuals whose personal data is collected, stored, sold, or processed by a business or organization. As an email sender your data subjects are your subscribers, or anyone whose email address you store.

Legislation that represents the data rights of consumers first emerged in 2016 with the European Union’s (EU) General Data Protection Regulations (GDPR) (effective date in May 2018). In the U.S. there is currently no comprehensive federal data protection legislation. So far, only a handful of states have put forth their own legislation, including California, with the California Consumer Privacy Act (CCPA) which became effective in January of 2020.

Who are the data controllers?

Data controllers determine the purposes and means by which personal data is processed. If you are a company that collects and stores personally identifiable information (PII) and you have your own users/customers, then you are a data controller. You are also a data controller just by processing the data of your own employees. Data controllers are decision-makers that call the shots on how the data they collect is managed and used.

Who are the data processors

A data processor is the one who carries out the actual processing of the data. A good example of the data roles would be to consider your favorite ecommerce store. The users/customers are the data subjects, the store is the data controller managing the products, and a company like Mailgun is one of the data processors working with that company to enable their automated transaction emails.

You are not necessarily limited to one data role. Mailgun, for example, is a data processor when it comes to enabling automated email but we are also a data controller in terms of collecting and storing our customer’s own data, and a data controller in our partnership with our payment provider. There can also be sub-processors who process data for the data processor on behalf of the data controller.

Consumer privacy laws

Now that we’ve got the definitions out of the way, let’s talk about the data laws that may affect you.

There are a growing number of legislations out there, and depending on the specific laws, data subjects, controllers, and processors have varying rights. If you’re a U.S. based business, these are the three overall guiding rules that will likely affect you the most:

General Data Protection Regulation (GDPR)

The GDPR was the first significant legislation that focused on the protection of data rights by mandating transparency and restoring data control to the individual. The GDPR imposes hefty fines for violations and governs data use with the mentality that individuals loan their data to service providers as opposed to surrendering it upon signup. It seeks to ensure utmost protection to consumers.

Key facts to remember:

  • Effective since May 25, 2018.

  • It harmonizes data protection laws throughout the EU.

  • It affects any business that processes data of EU citizens regardless of where they reside.

Want to learn more about GDPR? Check out our post General Data Protection Regulation (GDPR): Why should you care?

California Consumer Privacy Act (CCPA)

The CCPA only protects the rights of individuals who are California residents. If you are already GDPR compliant, becoming CCPA compliant will not require significant additional effort.

Key facts to remember:

  • Effective since Jan. 1, 2020.

  • This legislation provides data protection rights for California residents.

  • The CCPA affects organizations that conduct business in California.

Want to learn more about CCPA? Check out our post California Consumer Privacy Act (CCPA): Why should you care?

Health Insurance Portability and Accountability Act (HIPAA)

HIPPA includes rules for emerging technologies to manage health data like email, digital payment providers, and telehealth services. 2022 brought proposed updates affecting protected health information (PHI), flow of information, and patient access rights. The HIPAA Privacy Rule aims to improve care coordination and data sharing (alongside the rise of telehealth) and will require extensive infrastructure updates and additional training for health care providers and business associates.

Key facts to remember:

  • Originally passed in 1996.

  • It protects the disclosure of personal health information.

  • HIPAA applies to covered entities and business associates within the United States, even with respect to non-United States citizens or residents.

Want to learn more about HIPAA? Check out our post HIPPA compliance and email: What you need to know

Comparing global data policies: reference table

GDPR, CCPA, and HIPAA are the big three when it comes to regulating individual consumer data, but they aren’t the only legislation, and operating without some of the other compliance standards can make it challenging to operate your business across borders.

We know that all this policy talk might be starting to feel a bit like a textbook. We’re not in the business of lecturing but we do have the facts. If you are unsure which data legislation applies to you, we've created a table that helps you get the knowledge fast.

Legi­sla­tion

Fine­s

Prot­ected data­ subj­ects

Affe­cted data­ cont­rollers and proc­essors

Legi­sla­tion

G­DPR: The EU’s­ Gene­ral Data­ Prot­ection Regu­lation

€20M­­ or 4% of annu­­al glob­­al turn­­over (whi­­chever is grea­­ter).

Any EU citi­zen whos­e pers­onal data­ is coll­ected, held­, or proc­essed by an orga­nization.

Glob­­al busi­­nesses that­­ proc­­ess pers­­onal data­­ of EU citi­­zens incl­­uding nonp­­rofits that­­ acce­­pt dona­­tions from­­ EU citi­­zens.

Fine­s

C­CPA: Cali­fornia’s Cons­umer Priv­acy Act

$100­­-$750 per cons­­umer per inci­­dent. $240­­0-$7500 per civi­­l viol­­ation.

Only­ resi­dents of Cali­fornia.

Busi­­nesses oper­­ating in CA that­­ have­­ reve­­nue of $25M­­ or more­­, or proc­­ess data­­ on 50,0­­00 resi­­dents or more­­.

Prot­ected data­ subj­ects

H­IPAA: Heal­th Insu­rance Port­ability and Acco­untability Act

Civi­l mone­tary pena­lties (CMP­) are impo­sed rang­ing from­ $100­ to $50,­000 per affe­cted PHI reco­rd, with­ a maxi­mum fine­ of $1.5­ mill­ion per inci­dent.

All medi­cal reco­rds and othe­r indi­vidually iden­tifiable heal­th info­rmation used­ or disc­losed by a cove­red enti­ty in any form­.

HIPA­A affe­cts heal­th care­ prov­iders, heal­th plan­s, and heal­th care­ clea­ringhouses, and Busi­ness Asso­ciates carr­ying out work­ on beha­lf of a cove­red enti­ty.

Affe­cted data­ cont­rollers and proc­essors

U­K GDPR­: Grea­t Brit­ain’s enac­tment of the GDPR­ afte­r Brex­it. The­ GDPR­ is reta­ined in dome­stic law as the UK GDPR­, but the UK has the inde­pendence to keep­ the fram­ework unde­r revi­ew.

The UK GDPR­ has two tier­s of fine­s; the stan­dard maxi­mum fine­ is £8.7­ mill­ion or 2% of the tota­l annu­al worl­dwide turn­over and the high­er maxi­mum fine­, £17.­5 mill­ion or 4% of the tota­l annu­al worl­dwide turn­over.

Gove­rns the proc­essing of pers­onal data­ from­ indi­viduals loca­ted with­in the Unit­ed King­dom.

The UK GDPR­ appl­ies to cont­rollers and proc­essors with­in the UK. It cove­rs orga­nizations base­d outs­ide the UK if thei­r proc­essing acti­vities rela­te to moni­toring, or offe­ring good­s or serv­ices to indi­viduals in the UK.

L­GPD: Braz­il’s Gene­ral Pers­onal Data­ Prot­ection Law

Up to 2% of the net turn­over of the econ­omic grou­p in Braz­il, in its last­ fisc­al year­, limi­ted to BRL 50 mill­ion (app­rox. USD 10.5­ mill­ion) per viol­ation.

Appl­ies to any natu­ral pers­on loca­ted in Braz­il whos­e data­ has been­ coll­ected or proc­essed, rega­rdless of wher­e the comp­any that­ coll­ects the data­ is loca­ted.

The LGPD­ appl­ies to any data­ proc­essing that­ take­s plac­e in Braz­il, for the purp­oses of offe­ring good­s and serv­ices or to proc­ess data­ of peop­le who are loca­ted in Braz­il.

P­IPEDA: Cana­da’s Pers­onal Info­rmation Prot­ection and Elec­tronic Docu­ments Act

Orga­nizations that­ comm­it offe­nses may be subj­ect to fine­s of up to CAD 100,­000.

PIPE­DA prot­ects the pers­onal info­rmation of indi­viduals. An indi­vidual does­ not have­ to be a Cana­dian citi­zen or a resi­dent of a spec­ific prov­ince.

PIPE­DA appl­ies to priv­ate-sector orga­nizations acro­ss Cana­da that­ coll­ect, use or disc­lose pers­onal info­rmation in the cour­se of a com­mercial acti­vity.

A­PPI: Japa­n’s Pers­onal Info­rmation Priv­acy Act

Up to 100,­000,000 Japa­nese yen ($90­7,715) or a crim­inal puni­shment of up to 1 year­ in pris­on.

The APPI­ aims­ to prot­ect the pers­onal data­ of Japa­nese citi­zens.

APPI­ appl­ies to all busi­ness oper­ators that­ hand­le the pers­onal data­ of indi­viduals in Japa­n. Rega­rdless if the comp­any is loca­ted with­in the coun­try.

P­IPL: Chin­a’s Pers­onal Info­rmation Prot­ection Law

The PIPL­ impo­ses a maxi­mum fine­ of up to 50 mill­ion Yuan­ (7.8­ mill­ion USD)­, or 5% of the annu­al reve­nue of the prec­eding fina­ncial year­.

The PIPL­ aims­ to prot­ect the righ­ts and inte­rests of indi­viduals, regu­late pers­onal info­rmation proc­essing acti­vities, and faci­litate reas­onable use of pers­onal info­rmation.

PIPL­ requ­irements cove­r all comp­anies hand­ling the data­ of Chin­ese citi­zens, whet­her they­ are a dome­stic or inte­rnational busi­ness, and whet­her larg­e or smal­l.

Data security standards

We can’t give you a data policy article without talking about these: PCI DSS, SOC2, and ISO are data compliance standards. While these often overlap with the global legislation we’ve covered, there are separate compliance entities that govern them.

These data security standards are essentially audits that result in compliance certifications. Once obtained, these standards let data controllers know that an organization is a responsible partner.

As a responsible data processor, we pursue ISO and SOC2 to prove our security. Learn more here.

Working with organizations that have achieved these standards can save you the trouble of needing to obtain them yourself. For example, Mailgun doesn’t need to be PCI compliant because we sub processor the payment services, and partner with payment processors that are respecting their own obligations.

Let’s learn a bit more about these standards.

PCI Data Security Standard (PCI DSS)

The PCI DSS is about creating confidence and security when processing payments. This standard is governed by the PCI Security Standards Council and is a set of security standards formed in 2004 by Visa, Mastercard, Discover Financial Services, JCB International, and American Express. It protects cardholder data and authentication data for individuals and reduces the risk of data breaches.

The PCI DSS has four main objectives:

  1. Protect stored cardholder data.

  2. Use and regularly update antivirus software or programs.

  3. Restrict access to cardholder data by business need-to-know.

  4. Track and monitor all access to network resources and cardholder data.

SOC2 Type I and II Compliance

System and Organization Controls (SOC) are internal reports that provide proof of security. Technology service providers like Mailgun voluntarily get this certification to prove their security processes can be trusted. Another audit-based compliance standard, SOC2, holds providers accountable for their data processing methods and cyber security controls.

Mailgun has SOC2 Type I & II, which are stringent and comprehensive reports that test the effectiveness of security controls and ensure they’re working.

  • SOC 2 Type I: Tests to ensure email security controls are in place (you need this for Type II).

  • SOC 2 Type II: Tests to ensure controls are in place and they are working effectively.

ISO standards

ISO standards establish baseline securities. If every country had different approaches to security best practices, it would be nearly impossible for companies to create security infrastructure. The solution is a shared international standards body which manages compliance by consensus. The International Organization for Standardization (ISO) has developed and published 25K standards since 1947 (Mailgun has achieved two).

ISO compliance proves you can handle different scenarios and control variables that help protect data and prevent malicious cyberattacks, data breaches, and other security disasters. These standards can also be specific. For example, ISO27701 is a rare certification within the email space containing 40 privacy controls that are closely mapped to GDPR standards.

From the information we've shared, you may think that existing legislation covers just about everything but that’s not the way the cookie crumbles. In truth, there are many more policies coming down the pipeline.

What are the limitations of compliance laws?

As you can tell from our very large table early in this post, not all data legislation is created equal. Currently, data compliance is regulated by individual countries ­– and in the U.S. by individual states – and that can make things muddy for establishing effective business practices. Here are the main things to keep in mind:

  • Data jurisdiction: Where your company exists doesn’t necessarily matter. Data jurisdiction is determined more by where your data subjects are located.

  • Data impact: Not all organizations are large enough to be represented in legislation. For example, in California the CCPA only affects you if you process data on 50,000 residents or more.

  • Penalties: There is no consistency regarding how violations are fined. Some will charge a total percentage of net turnover, while others charge per affected subject for each violation.

Data regulations heading into 2023

Data policy isn't just changing, it’s changing fast.

In the U.S., an Executive Order was recently signed by President Biden in early October implementing the European Union-U.S. Data Privacy Framework, which takes us closer to fixing cross border data transfer protections. In other words, it’s likely that federal data laws are imminent for the U.S. that will be comparable to Europe’s GDPR and make data policies between the U.S. and the EU more seamless.

While we don’t have a timeline yet for federal policies, we do know a few things to expect in the coming year.

In California, data laws are about to change again as of January 1, 2023, with the introduction of CPRA, an amendment to the CCPA which will extend data protection for California residents even further.

Under the CRPA, residents will gain the right to correct inaccurate personal information that a business has collected on them, as well as the right to limit the use and disclosure of sensitive personal information collected about them.

We also expect privacy acts to be enacted for these states:

  • Virginia Consumer Data Protection Act, effective January 1, 2023

  • Colorado Privacy Act, effective July 1, 2023

  • Connecticut Data Privacy Act, effective July 1, 2023

  • Utah Consumer Privacy Act, effective Dec. 31, 2023

Other countries currently creating policies

These countries are developing legislation that we may see in 2023 or within the next couple of years.

Australia

Australia’s updated Privacy Act addressing digital concerns and enhances online privacy and other measures. The bill (proposed in 2021) will give effect to the Australian Government's commitment to strengthen the Privacy Act 1988. It enables the introduction of a binding online privacy code for social media and certain other online platforms, increases penalties and enforcement measures, and aims to bring data policies for Australia closer in-line with standards established by the GDPR.

India

India’s Personal Data Protection Bill (PDPB) was proposed in 2019 and was recently withdrawn (As of August. 2022) with stark criticism from stakeholders that believed the bill would give the government too much power over the data of its citizens. New legislation is expected that will be more comparable to evolving global standards.

No matter how policy evolves, we’ll be keeping a close eye on the effects and changes so we can continue to keep your data safe.

Data compliance matters at Mailgun

Data represents people, and at Mailgun we respect people.

It’s no surprise that data – an endless resource ­– takes a lot of explanation and research to understand. As a data controller in technology, no one knows this better than us. If the links in this post don’t direct you to the information you need, or if you want to know more about how Mailgun manages your data, check out our data and compliance guide.

Learn about email security and compliance

Email security and compliance

Email security isn't easy. But you need to protect your business, brand, employees, and subscribers. Find out about the benefits of continually improving email security and compliance from our industry experts, and learn to tell if your technology partners have what it takes to do the same.

Related readings

California Consumer Privacy Act (CCPA): Why should you care?

The CCPA is the most comprehensive data regulation in the U.S., and while it may not affect you now, it may indicate what future federal data laws might look like.

Read more

General Data Protection Regulation (GDPR): Why should you care?

GDPR compliance and data privacy: everything you need to know to comply with the EU data laws.

Read more

Why you shouldn’t count on the ADPPA and Privacy Shield 2.0

You have to protect EU citizen data that’s transferred to and stored in the United States. But how do you know for sure if you and your vendors are GDPR compliant? Will a new legal framework and a potential federal privacy law help at all?

Read more

Popular posts

Mailgun iconSee what you can accomplish with the world's best email delivery platform. It's easy to get started.Let's get sending
CTA icon Mailgun Icon