In 2024, data security remains a top priority for organizations of all sizes. New regulations have emerged in recent years that aim to protect consumer and business data from breaches and misuse. As someone responsible for my company’s data security strategy, I closely track how these evolving regulations impact our practices.
The Data Protection Act of 2021
The Data Protection Act of 2021 (DPA) introduced sweeping reforms to data privacy laws. The DPA gives consumers more control over their personal data and places stricter requirements on companies housing user data.
As a result, our organization has made several changes:
- Appointing a Data Protection Officer to oversee compliance.
- Allowing users to access, correct, and delete their data. Users can now download their data in a portable format.
- Minimizing data collection to only what is needed for service delivery.
- Anonymizing user data where possible.
- Getting explicit consent from users before collecting or sharing their data.
- Reporting data breaches within 72 hours. Failing to report breaches can lead to steep fines.
- Using encryption and access controls to secure data. The DPA mandates baseline security standards.
Adhering to the DPA has led us to value data minimization and consent. We collect less user data overall, and are transparent in how it is used.
Updates to the Financial Data Protection Law
As a business in the finance sector, our company must also comply with the Financial Data Protection Law (FDPL). In 2022, the FDPL expanded to include:
- Mandatory encryption for financial data. All financial data must use industry-standard encryption, both in transit and at rest.
- Restrictions on using financial data for marketing purposes.
- Requirements to monitor access to sensitive financial data. Unauthorized access attempts must be investigated.
- Right to erasure for financial data. Consumers can request deletion of their financial information.
To meet these new requirements, we have:
- Implemented end-to-end AES-256 encryption for financial data. We use separate keys for data in motion vs. at rest.
- Limited internal access to financial data to roles that require it. Access is logged and audited.
- Built workflows for financial data deletion requests. Users can request data removal online.
Though complex, the FDPL updates have improved our financial data security posture.
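The FDPL controls listed above (AES-256 encryption at rest under a key kept separate from the one protecting data in motion, access limited to roles that need it, every access logged, and unauthorized attempts set aside for investigation) can be combined in one small component. The following is an added example written for this page, not the company's own code; the role names, record IDs, sample record and in-memory audit log are constructed for illustration, and the real role model and key storage are assumed to live in an IAM system and a key management service.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// Roles permitted to read plaintext financial data. Constructed for this
// example; in practice the mapping comes from the IAM system.
var financialDataReaders = map[string]bool{
	"payments-analyst":   true,
	"fraud-investigator": true,
}

// AuditEvent is one entry of the access log that compliance staff audit.
type AuditEvent struct {
	When     time.Time
	User     string
	Role     string
	RecordID string
	Allowed  bool
}

// Vault holds the at-rest key on its own (data in motion is protected by
// TLS with different key material) and records every access attempt.
type Vault struct {
	atRestKey []byte // 32 bytes selects AES-256
	log       []AuditEvent
}

// NewVault rejects any key that would not give AES-256.
func NewVault(key []byte) (*Vault, error) {
	if len(key) != 32 {
		return nil, errors.New("at-rest key must be 32 bytes for AES-256")
	}
	return &Vault{atRestKey: key}, nil
}

func (v *Vault) gcm() (cipher.AEAD, error) {
	block, err := aes.NewCipher(v.atRestKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one financial record with AES-256-GCM. A fresh random nonce
// is prepended to the ciphertext, and the record ID is bound as additional
// authenticated data so a ciphertext cannot be moved to another record.
func (v *Vault) Seal(recordID string, plaintext []byte) ([]byte, error) {
	aead, err := v.gcm()
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// Open logs the attempt first, enforces the role check, and only then decrypts.
func (v *Vault) Open(user, role, recordID string, sealed []byte) ([]byte, error) {
	allowed := financialDataReaders[role]
	v.log = append(v.log, AuditEvent{time.Now(), user, role, recordID, allowed})
	if !allowed {
		return nil, fmt.Errorf("role %q may not read financial record %s", role, recordID)
	}
	aead, err := v.gcm()
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, sealed[:ns], sealed[ns:], []byte(recordID))
}

// UnauthorizedAttempts returns the denied accesses that must be investigated.
func (v *Vault) UnauthorizedAttempts() []AuditEvent {
	var denied []AuditEvent
	for _, e := range v.log {
		if !e.Allowed {
			denied = append(denied, e)
		}
	}
	return denied
}

func main() {
	key := make([]byte, 32) // constructed demo key; use a KMS-managed key in production
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	v, _ := NewVault(key)
	sealed, _ := v.Seal("acct-1001", []byte("IBAN XX00 0000 0000 0000 (constructed)"))
	_, err := v.Open("alice", "payments-analyst", "acct-1001", sealed)
	fmt.Println("analyst read error:", err)
	_, err = v.Open("bob", "marketing", "acct-1001", sealed)
	fmt.Println("marketing read error:", err)
	fmt.Println("attempts to investigate:", len(v.UnauthorizedAttempts()))
}
```

The access check runs after the audit entry is written, so a denied request is never lost from the log, and the list returned by UnauthorizedAttempts is what would be forwarded to the SIEM for the investigation the FDPL requires. Binding the record ID as associated data means an attacker who can swap ciphertexts between rows in storage gets an authentication failure rather than another customer's data.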
How the Anti-Fraud Law Shapes Security
The Anti-Fraud Law introduced in 2023 aims to curb rampant fraud through security requirements for companies. Key provisions include:
- Mandatory reporting of fraud attempts and breaches.
- Investigation requirements for suspected fraud incidents.
- Protections for whistleblowers who report suspicious activity.
- Minimum security standards for companies handling sensitive data. These include:
  - Multi-factor authentication for all users.
  - Automated vulnerability scanning and patching.
  - Encryption for data at rest and in transit.
  - Perimeter security including firewalls and intrusion detection.
To comply, our organization has implemented security measures such as:
- Multi-factor authentication via YubiKeys for all staff.
- Quarterly vulnerability scans using Acunetix. We patch high and critical vulnerabilities within 14 days.
- Deployment of new FortiGate firewalls to filter malicious traffic.
- Log analysis using Splunk to detect fraud markers and cyber attacks.
- SSL certificates to encrypt all web traffic. Internal traffic is encrypted as well.
The Anti-Fraud Law has significantly improved security across our attack surface. Though costly, the safeguards put in place have already prevented multiple fraud attempts.
How Compliance Drives Our Security Posture
Evolving regulations have profoundly shaped our security and data practices by introducing new requirements for encryption, access control, auditing, breach reporting and more. While adapting has not been easy, the steps taken to achieve compliance have greatly improved our overall security posture.
Looking ahead, our security team stays on top of upcoming regulations and standards. We are prepared to make the changes needed to comply, while protecting customer data and our reputation. Though regulations continue to evolve, their mandate for stringent security provides an opportunity for companies to get ahead.