Compliance and Privacy
Compliance
If you are targeting many industry verticals or international customers, you need should meet the latest security and privacy compliance and regulatory standards.
Compliance standards affect the way you collect, use and store sensitive information of clients and prospects. Companies that fail to meet compliance requirements lose the capacity to expand their business to new markets and lose business opportunities.
Many of our cloud-native clients achieved compliance with the following standards through working with the Kobalt.io team. If you’re not sure which compliance standards your organization needs to comply with, you can talk it through with our security experts in a call.
Common Compliance Standards
System and Organization Controls 2 (SOC 2) is an audit procedure applicable to all technology services or SaaS companies that collect and store customer data in the cloud. It is designed to ensure that a company’s organizational security controls and practices can effectively safeguard the privacy and security of client data. SOC 2 is often the first compliance standard that SaaS companies choose to comply with and has become the defacto standard of choice for many customers assessing the security of their SaaS suppliers.
Who needs to be SOC 2 compliant?
If you are a technology or SaaS company that stores customer data in the cloud, achieving SOC 2 compliance can help drive business demand.
The Health Insurance Portability and Accountability Act (HIPAA) is designed to establish the American health industry’s guidelines to protect the confidential use of Personal Health Information (PHI).
Who needs to be HIPPA compliant?
If your business handles protected US resident Personal Health Information (PHI) e.g. health plans, health care providers, health care clearinghouses, you need to comply with HIPAA.
The International Organization for Standardization (ISO) series of standards is common to manufacturing organizations, non-US government departments and European businesses. Many organizations that are trying to bring structure to their security operations and processes choose to adopt the ISO 27001:2018 standard.
Who needs to be ISO compliant?
Many government organizations and manufacturing companies choose to align their security standards to ISO27001/27002. In addition, the ISO 27017 is for cloud services providers and the ISO27018 is for organizations using public clouds to act as processors for Personally Identifiable Information (PII).
NIST stands for The National Institution of Standards and Technology. This Framework is a guide to help an organization develop security standards that can be used across several industries. Among the NIST standards, the NIST Cyber Security Framework (CSF) is the most widely used.
Who needs to be NIST CSF compliant?
This compliance standard is common for organizations selling to US federal government entities. If you sell to defense agencies, you need to comply with the NIST Defense Federal Acquisition Regulation Supplement (DFARS) standard.
The General Data Protection Regulation (GDPR) is a regulation that requires businesses to protect the personal data and privacy of EU citizens for transactions that occur within the European Economic Area.
Who needs to be GDPR compliant?
Any entity that collects or processes the personal data of EU residents must comply with the regulation.
Law 25 (formerly Bill 64), An Act to modernize legislative provisions as regards the protection of personal information (Private Sector Act), is the new privacy legislation passed in Quebec, Canada. It aims to improve transparency, increase the level of data confidentiality and reinforce consent requirements.
Who needs to be Law 25 compliant?
All private sector companies in the province of Quebec and any businesses based outside of Quebec but doing business in that province will need to comply with Bill 64.
CCPA is the California Consumer Privacy Act. It is modelled after the GDPR.
Who needs to be CCPA compliant?
All companies that serve California residents and have at least $25 million in annual revenue must comply with the law.
California Privacy Rights Act (CPRA) strengthens enforcement of the CCPA. It allows any California consumer access to personal information a company has saved on them.
Who needs to be CPRA compliant?
All companies that serve California residents with gross revenue in excess of $25 million, that collect personal information of 100,000 or more, or derive more than 50% of their annual revenue from selling California resident information will have to comply.
Trying to determine which compliance standard is best for your organization? Download this cheat sheet to cut through the confusion and pick the right compliance.
How We Fast Track Your Compliance Journey
Kobalt.io and Vanta work together to provide our clients with value beyond compliance. With Kobalt.io cybersecurity, compliance and data privacy expertise, combined with Vanta’s best-in-class technology, our clients can quickly achieve their security compliance goals, proving trust and driving growth.
About Vanta
Vanta is the leading trust management platform that helps simplify and centralize security for organizations of all sizes. Over 4,000 companies rely on Vanta to build, maintain and demonstrate their trust—all in a way that’s real-time and transparent. Founded in 2018, Vanta is headquartered in San Francisco with offices in Dublin, New York and Sydney. For more information, visit www.vanta.com
We’re thrilled to partner with Kobalt.io and to continue building upon our partnership by continuously delivering best-of-breed compliance and security solutions to customers globally. The Kobalt.io team has true thought leadership and expertise in the cybersecurity space and delivering high-value solutions to their customers and our customers. Putting customers first and securing the internet is at the heart of what we do at Vanta. Together the Vanta and Kobalt.io partnership is deeply important for better security practices in organizations and we are excited for what’s next!
Choosing a Compliance Framework
Managed Compliance Program
Our Managed Compliance Program combines our industry-leading security, privacy, and compliance expertise with a managed Vanta solution to help you achieve and sustain compliance across one or more cybersecurity and privacy standards, such as SOC2 Type 2, ISO27001 and GDPR. The program includes:
- User education
- Security awareness training combined with phish testing
- Managed threat detection - Cloud Core
- Production environments in AWS, Azure or GCP cloud platforms
- 24/7 SecOps team watches for signs of attack and configuration or other risks - Optional add-on
- Sustainment program
- Vulnerability management
- Pentest
- Privacy services
- Monitoring for additional sources
Let us know how we can support you!
Assess your current state and key risks, ensure Vanta is properly integrated
Deploy key operational support including security monitoring, user education
Deploy customized policies and procedures that support client’s methodologies
Achieve and sustain compliance and reduce risks through program framework
Support client, auditor and executive conversations to achieve growth objectives
Before an organization chooses to do business with a service provider, it would use security questionnaires as a tool to evaluate and validate the service provider’s security controls and practices. If security standards are met, service providers can earn clients’ trust and close deals faster.
Service providers typically take a few hours or even days to complete a single security questionnaire. It is not time-efficient to have team members spend days completing multiple security questionnaires per month. This is where Kobalt.io come in to help you make the most out of your team’s time.
How we do it
By following the workflow above, Kobalt.io can help you complete security questionnaires faster, shorten the deal-closing process and help achieve compliance at the same time.
Benefits
- Accelerate the process of closing deals
- Deployment of SOC2 readiness program to build trust with clients and partners
- Enhancement of security maturity and ability to positively respond to questionnaires
- Implementation of policies and controls that gives a solid foundation for future client requirements
Privacy
Utilize data with confidence and reap the rewards
As businesses transform and innovate in a data-driven world, they face a growing number of privacy and data protection laws, both locally and cross-border. This leads to uncertainties surrounding data usage, resulting in missed business opportunities and breaches.
Kobalt.io has a suite of privacy services that can help you effectively map out your due diligence and compliance obligations under local and cross-border privacy laws. These services allow you to protect your clients and use data confidently.
Privacy Services
Privacy Gap Assessment
A 360 degree review of your business’ privacy program to identify areas of improvement. The findings can help your team make better decisions on privacy management strategies.
Assessment areas include privacy policies, data processing procedures, privacy breach containment education and training.
Privacy Impact Assessment
A due diligence document to make sure that your business protects the personal information it collects or uses for a flagship product (e.g. a SaaS solution) or an app – from its initial collection, to its use, disclosure, retention and destruction. Conducting a Privacy Impact Assessment can be a critical path item to selling to many larger organizations.
With a refined process of handling personal data and evidence of due diligence, you gain a competitive advantage and earn clients’ trust.
A designated DPO that works alongside your team at a fraction of the cost of hiring an internal DPO. Outsourcing DPO can help you save money and time for training, and avoid your team members from wearing too many hats that affects their quality of work.
Privacy Training
Stay up to date with privacy regulations and best practices. This course will help you and your team navigate the world of privacy in the workplace.
Benefits of excellent privacy management
- Earn client trust and loyalty by demonstrating due diligence.
- Ensure your organization’s continuous compliance and data safety.
- Reduce the impact and risks of privacy breaches.
Book a time to chat with us
Frequently Asked Questions
To ensure that you are lawfully processing personal data in order to run your business and not over-collecting information that you don’t need. Any unnecessary collection or processing of personal information may be considered a privacy breach.
No, because you still need to examine all of the other ways in which personal information is being processed. This includes evaluating the consent forms and notices that you deploy whilst using your product, knowing when you are permitted to collect with consent and when consent is not required, ensuring your policy is tailored for customers in other jurisdictions and ensuring any internal processes to collect personal data are compliant.
Yes, because even if you are not collecting personal information from consumers, you are still gathering personal data relating to your employees and need to know how to handle that information. You are still legally bound to safeguard their personal information. Additionally, you are still gathering some personal information in the form of cookies on your corporate website.
Yes, we are SOC 2 compliant. We do our best to protect our clients, partners and employees by implementing strong cybersecurity controls and policies.
Any individual or entity processing personal data of individuals in the EU (or “data subjects”), including public authorities, agencies, and other organizations, is subject to GDPR.
The nature of your processing activities will determine how GDPR specifically affects your business. Regardless of the size or structure of your company, there is a good probability that you fall under its purview.
If you are not sure whether GDPR applies to you, best is to assume that it does!
If companies operating outside of the EU handle, process, or retain personal data relating to individuals in the EU, or if they process personal data on behalf of EU companies, then they must adhere to GDPR. Therefore, regardless of where you are located, you must ensure GDPR compliance if you do business with individuals and organizations in the EU. Additionally, some businesses won’t partner with companies that aren’t GDPR-compliant.
To make sure you are compliant, you must carefully examine and account for all of your current data processing endeavors. Take the example of using consumer data for marketing: have you received express consent to do this? Is that consent explicit, conspicuous, documented, and revocable? If not, you will need to make changes to your current procedures to ensure you are compliant.
What will preparing for GDPR compliance cost my company?
Much depends on your current level of efforts in terms of data protection. Do you currently make an effort to adhere to best practices in areas like mapping, processing, transparency, and security? If so, implementing and operationalizing the new requirements of GDPR might not be a costly ordeal.
The complexity, volume, and sensitivity of the personal data you possess, as well as whether your current technology enables you to appropriately safeguard the data and respect data subject rights, will determine how much you will need to invest in new technology and processes.
This should not be seen as a burden necessarily. All these steps are designed to shield you from the possibility of sanctions, levies, or penalties. Investing in compliance can help establish your business as a data privacy “champion” and safeguard you from the threat of punishment. In an age where you and your competitors run on customer data, having GDPR compliance can provide you with a crucial competitive edge by building customer trust and loyalty for the long run.
The GDPR mandates that you keep data protection in mind from the outset, whether it is a new analytics project, an update to your dispatch procedure, or the creation of a new marketing database. This is what we refer to as “privacy by design”. You are effectively hardwiring data protection into your processes, tools, and projects from the earliest possible stage rather than thinking about it afterwards as an add-on. This is how privacy becomes organic and part of the overall design of your project or software.
The rationale behind this strategy is that you can spot privacy problems and address them before they escalate into serious issues, thereby sparing your business time, effort, resources, and money while protecting your customers’ rights.
A robust corporate privacy policy will include the following:
- The types of personal information you are collecting, from whom, and the purpose of that collection
- The steps your business takes to protect personal data
- How your business intends to store and back up personal data
- Geographically-specific privacy notices, tailored to the requirements of those jurisdictions
- Explanations and instructions on how data should be stored and backed up
- Explanation on how the company ensures personal data is kept accurate
- What situations and to whom the company or employees may disclose and release data
- How the business informs people about the personal data it owns
- Procedures to comply with when transferring personal data out of country or overseas
- The contact person at your business who can answer questions relating to customer personal data
The CPRA (California Privacy Rights Act) applies to for-profit companies doing business in California that gather customer data (or have others do so on their behalf), decide why and how the data will be processed, and meet any of the following criteria:
- Have a gross annual revenue of over $25 million;
- Buy, receive, or sell the personal information of 50,000 or more California residents, households, or devices; or
- Derive 50% or more of their annual revenue from selling California residents’ personal information.
Beginning on January 1, 2023, these limits will alter. Businesses must acquire, trade, or distribute the personal information of 100,000 or more customers or households each year starting in 2023 in order to reach the second level. Additionally, the final level will cover companies whose yearly revenue from the sale or exchange of consumer data is at least 50%.
The CPRA also imposes separate obligations on service providers (which process personal information on a business’s behalf) and other recipients of personal information from businesses.
Any healthcare provider who electronically transmits health information in connection with certain transactions, such as claims, inquiries about benefit eligibility, referral authorization requests, or other transactions for which DHHS has established standards under the HIPAA Transactions Rule, including health plans, healthcare clearinghouses, and other healthcare providers, is subject to the Privacy Rule.
Individually identifiable health information is maintained or sent by a covered company (or one of its business partners) in any format or medium, including oral communication. This information is referred to as protected health information (PHI). Common identifiers like name, address, social security number, birthdate, or any other data that can be used to identify the person are examples of individually identifiable health information.
Not necessarily.A fine is for noncompliance with data privacy regulations, not for the actual act of being breached itself. The repercussions of not adhering to data privacy laws can be eye-watering. For instance, firms that violate the GDPR may be subject to fines of up to 20 million euros or 4% of their annual revenue, whichever is higher.
Fines can be up to $250,000 for violations or imprisonment up to 10 years for knowing abuse or misuse of individual health information.
Software and other items used by the healthcare sector that make it simpler to comply with HIPAA requirements are typically referred to as HIPAA-ready. Clinics, hospitals, clearinghouses, and insurance providers that abide with HIPAA rules are referred to as being “HIPAA-compliant.” With that said, a lot of goods are advertised as being “HIPAA-compliant”; nevertheless, compliance is actually achieved not by the product itself but rather by the rules, procedures, settings, and security measures implemented by people. Products marked as “HIPAA-ready” or “HIPAA-compliant” indicate that they have one or more features that make using them in a compliance environment simpler.
It does if the gadget gathers, keeps, or sends PHI to a Covered Entity or Business Associate company. More medical gadgets, wearables, and IoMT (Internet of Medical Things) devices come equipped with WiFi and Bluetooth as well as built-in microprocessors that can store PHI data and transmit it to the cloud so that a healthcare organization may access it.
Learning, training, and reskilling the workforce is a never-ending thing. Consider investing in a modern, online, customizable Learning Management System (LMS) software to meet your particular needs.
In order to take use of knowledge from multiple domains, increase alignment, and enhance NIST advice, NIST coordinates across programme and research areas. This Framework is intended to assist companies of all types better manage privacy risks within their various environments. When creating this Framework, NIST drew from its body of work in security and privacy risk management.
There are a number of factors that can determine how long it takes. The most important aspect is the certification’s scope, which includes the organization’s size, the number and complexity of its processes, the number of its locations, and the number of its personnel. Then there is the organization’s current level of information security capability and expertise. In general, more time and effort are required as size and complexity increase. Well-run projects with experienced personnel can take 2 to 3 months, although over 6 months is not uncommon.
Annex A in ISO 27001:2013 lists 14 ‘control objectives’, each of which comprise a set of security controls. These control objectives are:
A.5 Information security policies
A.6 Organization of information security
A.7 Human resource security
A.8 Asset management
A.9 Access control
A.10 Cryptography
A.11 Physical and environmental security
A.12 Operations security
A.13 Communications security
A.14 System acquisition, development and maintenance
A.15 Supplier relationships
A.16 Information security incident management
A.17 Information security aspects of business continuity management
A.18 Compliance
Not necessarily. GDPR governs how entities process personal data, whereas ISO 27001 is an information security standard. Although it may be presumed an organization that has achieved ISO 27001 certification will have taken some GDPR-related security concerns into account while processing personal data, it is not assumed that complying with ISO 27001 or GDPR alone indicates that an entity or organization is automatically compliant with both standards.
There isn’t a public register of certified companies. But certified companies will have been issued with a certificate by their certification body. It must be noted that a business or entity that has ISO certification is not automatically compliant with applicable privacy laws.
The NIST framework’s five areas serve as the cornerstones for building an all-encompassing, effective cybersecurity strategy. They include recognise, safeguard, detect, react, and recover.
Use of the NIST Framework is voluntary for industry.
The NIST Framework will help an organization to better understand, manage, and reduce its cybersecurity risks. It will make it easier to decide which tasks are most crucial for ensuring crucial operations and service delivery. It is especially beneficial in communicating both inside and outside the company because it offers a common language to discuss cybersecurity risk management. The NIST Framework can also be easily used by organizations to inform suppliers and customers about their present or desired cybersecurity posture.
According to Presidential Policy Directive (PPD) 21, “systems and assets, whether physical or virtual, so vital to the United States that the inability or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters,” are considered to be critical infrastructure (for the purposes of this Framework). Transportation, financial services, communications, healthcare and public health, food and agriculture, chemical and other facilities, dams, significant manufacturers, emergency services, and many other industries are included in the applicable infrastructure. In addition, utilities that provide energy and water are also included.
Yes. The method was created for use by all sizes of organizations, from the smallest to the biggest.
