Whether it is GDPR, HIPAA, country or state privacy laws, as soon as personal information is involved you will have to comply with one (or even several) data protection and privacy laws or regulations. These may differ in scope and severity, but they all share common elements and govern the collection, management, security and sharing of personal information.
Failure to comply with data privacy laws and regulations goes far beyond the risk of fines from data protection authorities. It may also cause one or more of the following:
- severe negative media attention and reputational damage
- class-action lawsuits and civil or even criminal penalties
- operational losses or delays due to suspension or termination of key data transfers
Aligning with the security policy
Once personal information is collected or processed, data privacy is largely a matter of keeping that data confidential. In that sense it strongly overlaps with information security: the controls and requirements for protecting personal information are no different from those for other types of confidential information.