Data Privacy Services: Privacy Regulations and Compliance

Eric M. Wright CPA, CITP

With the ever-evolving data privacy landscape and a growing number of state and international privacy laws, it can be very cumbersome to identify which of these apply to your organization and, furthermore, how your organization must comply. Depending on your organization’s business model, industry and many other factors, you will likely need to comply with at least one, and potentially more, of the data privacy regulations listed below (this is not an exhaustive list). We have helped organizations across industries, both domestically and globally, to prepare for and achieve compliance with these data privacy regulations:

The General Data Protection Regulation (GDPR) 
The GDPR is the toughest privacy and security law in the world. Though it was drafted and passed by the European Union (EU), it imposes obligations onto organizations anywhere, so long as they target or collect data related to people in the EU. The regulation was put into effect on May 25, 2018 to protect and empower all EU citizens with respect to data privacy, reshaping the way organizations across the globe approach data privacy. The GDPR can levy harsh fines against those who violate its privacy and security standards, with penalties equivalent to the greater of €20m or 4% of total revenue.

California Privacy Rights Act (CPRA)
In November 2020, over 9.3 million Californians voted to approve the CPRA of 2020 with the passage of Proposition 24. The CPRA is the strongest consumer privacy law ever enacted in the United States and achieves broad general parity with the most comprehensive laws in other jurisdictions including the GDPR.

The CPRA builds on existing California law passed in 2018, the California Consumer Privacy Act (CCPA). It applies to personal information collected after January 1, 2022, and enforcement begins January 1, 2023. The CPRA expands on the CCPA in a number of ways:

  • Sensitive data: New definition, limits on use and sharing
  • New enforcement agency: California Privacy Protection Agency
  • Expanded breach liability
  • Required audits and risk assessments for high-risk processing
  • Restrictions on automated decision-making and profiling
  • Consumer data correction
  • Strengthened opt-in rights for children’s data
  • Necessity-based limitations for data retention
  • New obligations for service providers

California Consumer Privacy Act (CCPA)
The CCPA gives consumers more control over the personal information that businesses collect about them. This law secures new privacy rights for California consumers, including:

  • The right to know about the personal information a business collects, and how it is used and shared;
  • The right to delete personal information collected;
  • The right to opt out of the sale of their personal information; and
  • The right to non-discrimination for exercising their CCPA rights.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA)
HIPAA was developed to protect the privacy and security of certain health information. To fulfill this requirement, the U.S. Department of Health & Human Services (HHS) published the HIPAA Privacy and Security Rules. The Privacy Rule establishes national standards for the protection of certain health information.

The Security Rule establishes a national set of security standards for protecting certain health information that is held or transferred in electronic form. The Security Rule operationalizes the protections contained in the Privacy Rule by addressing the technical and non-technical safeguards that organizations called “covered entities” must put in place to secure individuals’ “electronic protected health information” (e-PHI).

The Privacy Rule is intended to protect the privacy of individuals’ health information while allowing covered entities to adopt new technologies to improve the quality and efficiency of patient care. Given that the health care marketplace is diverse, the Security Rule is designed to be flexible and scalable so a covered entity can implement policies, procedures, and technologies that are appropriate for the entity’s particular size, organizational structure, and risks to consumers’ e-PHI. Within HHS, the Office for Civil Rights (OCR) has responsibility for enforcing the Privacy and Security Rules through voluntary compliance activities and civil money penalties.

Gramm-Leach-Bliley Act (GLBA)
The GLBA is a federal law, also known as the Financial Modernization Act of 1999, which applies to financial institutions, including higher-education institutions. The intent of the GLBA is to protect the security, confidentiality and integrity of customer information, where customer information is any record containing non-public personal information…about a customer of a financial institution, whether in paper, electronic, or other form, that is handled or maintained by or on behalf of the institution.

Additional Schneider Downs Data Privacy Services

Business Process and Data Flow

A critical component to understanding how an organization’s data (oftentimes consumer data) travels throughout its lifecycle is to develop business process and data flow diagrams.

Data Privacy Control Assessment

Regardless of whether your data privacy program was recently established or is long-tenured, it’s important to assess its ongoing effectiveness in today’s ever-evolving technological world.

Data Protection Impact Assessment 

A Data Protection Impact Assessment (DPIA) is a process to help identify and minimize data protection risks to an organization.

NIST Privacy Framework Compliance

The NIST Privacy Framework is intended to be leveraged as a foundation to help organizations identify and manage privacy risk, so they can build innovative products and services while protecting individuals’ privacy.

Privacy by Design

Our approach to Privacy by Design ensures that privacy and security controls are aligned with an organization’s tolerance for risk, its compliance with regulations, and its commitment to building a sustainable privacy-minded culture.

About Schneider Downs Data Privacy Services

At Schneider Downs, our IT Risk Advisory Practice has a team of professionals who specialize in data privacy. Our team understands not only the evolving data privacy regulations but also the technologies that make it possible to implement controls that reduce and protect the data footprint and address the ongoing risks of non-compliance.

Learn more about Schneider Downs Data Privacy Services or contact us for more information.
