A Programmer’s Guide to Compliance Regulations
An important part of the planning phase of the software development life cycle is understanding which regulations apply to your software. If you are an independent programmer looking to build your own startup, you need to understand these regulations so you can avoid heavy fines, criminal prosecution, or a suspension of your business.
If you work for a company, this knowledge helps you build applications that are compliant by design, which saves you and your supervisors a significant amount of time because you won’t have to go back and rework the first version of the application.
Remember, you are working as part of a business, so understanding the business requirements of the software you write makes you a more valuable programmer. Where in the world you are, where your customers are, and the industry your application will be used in together determine which regulations govern how your application must handle consumer information.
If you are unaware of these laws or fail to comply, you and your company can face fines, potential jail time, and being forced out of business until you are back in compliance.
It is relatively easy to change how you handle information at the beginning of an application’s life cycle. Once you have hundreds or thousands of users and their data in production, going back to fix those decisions is much harder.
In this post, I offer a list of some of the main regulations a programmer needs to be aware of when building an application. This is not an exhaustive list, but each of these regimes reaches a large number of businesses, including ones based outside the country or region that created it, and one of them (PCI-DSS) is a contractual standard rather than a law.
I’ve concentrated on regulations that affect a large number of North American (U.S. and Canada) and European businesses. To find everything that applies to you, search by your location, your industry, and the location of your expected customers.
Payment Card Industry Data Security Standard (PCI-DSS)
Strictly speaking, PCI-DSS is not a law. It is a standard maintained by the PCI Security Standards Council, which the major card brands founded, and it is enforced through the contracts merchants and service providers sign with their acquiring banks. It applies to every organization worldwide that accepts, processes, transmits, or stores cardholder data. In the event of a data breach, those organizations are accountable to the card brands and the banks that handle the money in the transaction.
This means that the specifics of your compliance requirements and any fines or penalties are set by the card brands and passed down through your acquiring bank; one retailer, for example, was assessed $13.2 million in PCI-DSS penalties by Visa. PCI-DSS distinguishes cardholder data (the primary account number or PAN, cardholder name, expiration date, and service code) from sensitive authentication data (full magnetic stripe or chip track data, the card verification code printed on the card, and PINs or PIN blocks). Cardholder data may be stored only in unreadable form and must be masked when displayed; sensitive authentication data must never be stored after authorization, even encrypted.
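To make that distinction concrete, the following is an added example in Python (not code from the original post) of the checks an application should run before an authorization record reaches a database or a log file: it validates the PAN, drops sensitive authentication data, masks the PAN for display, derives a keyed token for lookups, and scrubs PAN-like digit runs out of free text. The record layout, field names and DEMO_KEY are assumptions made for this example; a real key belongs in a separate key-management system, never next to the tokens.

```python
"""Keeping cardholder data out of places it must not be (added example; not
code from the original post).

PCI-DSS separates cardholder data (PAN, name, expiry, service code), which may
be stored only in unreadable form and shown masked, from sensitive
authentication data (full track data, card verification code, PIN), which must
never be stored after authorization even when encrypted. The helpers below
enforce that split at the point where an authorization result is about to be
written somewhere persistent. Record layout, field names and DEMO_KEY are
assumptions made for this example.
"""
import hashlib
import hmac
import re

# Sensitive authentication data: drop on sight once authorization is done.
SAD_FIELDS = frozenset({"track1", "track2", "cvv", "cvv2", "cvc2", "cid", "pin", "pin_block"})

# Constructed demo key; a real key lives in an HSM/KMS, never beside the tokens.
DEMO_KEY = b"demo-only-key-rotate-me-0123456789"


def luhn_valid(pan: str) -> bool:
    """True if `pan` is 12-19 digits and its Luhn check digit verifies."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form: at most the first six and last four digits, the rest masked."""
    if len(pan) < 10:
        raise ValueError("PAN too short to mask")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_token(pan: str, key: bytes) -> str:
    """Keyed one-way token for lookups such as 'have we seen this card before?'.
    An unkeyed hash is not enough: with the mask revealing ten digits, only
    about 10^5 Luhn-valid candidates remain for the hidden six, so a plain
    SHA-256 of the PAN is brute-forced in well under a second."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def sanitize_for_storage(txn: dict, key: bytes) -> dict:
    """Return a copy of an authorization record that is safe to persist:
    SAD fields are dropped and the clear PAN becomes a mask plus a keyed token."""
    pan = txn["pan"]
    if not luhn_valid(pan):
        raise ValueError("not a valid PAN")
    stored = {k: v for k, v in txn.items() if k not in SAD_FIELDS and k != "pan"}
    stored["pan_masked"] = mask_pan(pan)
    stored["pan_token"] = pan_token(pan, key)
    return stored


# 12-19 digits, optionally separated by spaces or hyphens, starting and ending on a digit.
_PAN_LIKE = re.compile(r"\b\d(?:[ -]?\d){11,18}\b")


def redact_pans(text: str) -> str:
    """Mask anything in free text (log lines, support notes) that looks like a
    Luhn-valid PAN; digit runs that fail the Luhn check are left alone."""
    def _sub(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        return mask_pan(digits) if luhn_valid(digits) else m.group(0)
    return _PAN_LIKE.sub(_sub, text)


# Constructed sample authorization response: a well-known test PAN and fake SAD values.
SAMPLE_TXN = {
    "pan": "4111111111111111",
    "cvv2": "123",
    "track2": "4111111111111111=27121011000012345678",
    "name": "J Doe",
    "exp": "12/27",
    "amount": "19.99",
    "auth_code": "A1B2C3",
}

if __name__ == "__main__":
    print(sanitize_for_storage(SAMPLE_TXN, DEMO_KEY))
    print(redact_pans("auth ok for card 4111 1111 1111 1111 amount 19.99"))
```

The `redact_pans` helper is the one practitioners most often forget: PANs leak through debug logging and exception messages far more often than through the payments database, and an ASV scan will not find them there. The keyed token and the masked PAN may be stored side by side only because the token is keyed; with an unkeyed hash the two together reconstruct the full PAN almost immediately.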
Demonstrating compliance requires an Attestation of Compliance (AOC), quarterly external vulnerability scans by an Approved Scanning Vendor (ASV), and either a Self-Assessment Questionnaire (SAQ) or an on-site assessment by a Qualified Security Assessor (QSA), depending on your transaction volume. Even as an independent programmer or a small company, you will in most cases need internal and external vulnerability scans run against your application and the network it is hosted in.
Any serious vulnerability the scans find must be fixed and rescanned before that part of the assessment passes. If you are employed as a programmer, the attestation itself is your company’s responsibility, but the requirements that touch code are yours: building the application so that it handles cardholder data correctly, stays clear of known vulnerabilities, and passes the scans. If you are an independent programmer, you will also have to complete the attestation yourself.
In practice that means an annual on-site assessment by a QSA if you process more than six million card transactions per year (the card brands’ top merchant level), and a self-assessment questionnaire if you process fewer.
Health Insurance Portability and Accountability Act (HIPAA)
HIPAA was passed by Congress in 1996. Its privacy and security rules are enforced by the Office for Civil Rights (OCR) within the U.S. Department of Health and Human Services (HHS). HIPAA does not cover every company that touches health data: it applies to covered entities (health plans, health care clearinghouses, and providers that transmit health information electronically) and to the business associates that handle protected health information (PHI) on their behalf. An application that stores health data but has no relationship with a covered entity is generally outside HIPAA, though other laws may apply to it.
PHI is any individually identifiable health information, held or transmitted by a covered entity or business associate, in any form or by any medium. Civil penalties for noncompliance range from roughly $100 to $50,000 per violation (the amounts are adjusted for inflation), with an annual cap of about $1.5 million for violations of the same provision.
Criminal penalties, including prison time, can apply when PHI is knowingly obtained or disclosed improperly. As an example of the civil side, CHSPSC, a Tennessee-based management company, agreed in 2020 to pay $2.3 million to settle alleged HIPAA violations following a breach that affected more than six million individuals.
Examples of identifiers that make health information PHI are patient names, telephone numbers, geographic data smaller than a state, Social Security numbers, and biometric identifiers. If your application is going to be used within the health care industry, HIPAA will be an important regulation to understand.
HIPAA compliance rests on several rules: the Privacy Rule, which sets patients’ rights and limits on use and disclosure of PHI; the Security Rule, which mandates administrative, physical, and technical safeguards for electronic PHI; the Breach Notification Rule, which requires notifying affected individuals and HHS after a breach of unsecured PHI; and the Enforcement Rule, which sets the penalties for noncompliance. Using or disclosing PHI for anything other than treatment, payment, or health care operations generally requires the patient’s written authorization.
The Security Rule’s technical safeguards include unique user identification, access controls, audit controls, integrity controls, person or entity authentication, and encryption and decryption of PHI at rest and in transit. HHS publishes the full list of standards and implementation specifications.
Personal Information Protection and Electronic Documents Act (PIPEDA)
PIPEDA applies to private-sector organizations that collect, use, or disclose personal information in the course of commercial activity in Canada. Its purpose is to protect personal information while still allowing businesses to use it for legitimate purposes.
For example, it requires that companies explain the purposes for which they collect information in a clear and understandable way, so that people know what they are agreeing to. Its penalties are narrower than GDPR’s: offences such as obstructing an investigation by the Privacy Commissioner, destroying information that is subject to an access request, failing to report or record a breach, or retaliating against employees who report noncompliance carry fines of up to $100,000 per offence, and individuals can take complaints to the Federal Court for damages. PIPEDA itself does not provide for imprisonment.
PIPEDA is overseen by the Office of the Privacy Commissioner of Canada. Compliance means following the ten fair information principles set out in Schedule 1 of the Act, which govern the collection, use, and disclosure of personal information as well as access to it:
- Accountability — You must acknowledge accountability for complying with these principles and appoint someone to be responsible for this.
- Identifying purposes — You must have a clear purpose for every piece of information you collect from a user.
- Consent — You must obtain consent from a user to collect information for a specific purpose. If you collect information and want to use it for something new later on, you must get fresh consent.
- Limiting collection — The collection of information must be limited to the purposes identified by your company.
- Limiting use, disclosure, and retention — Personal information can only be disclosed for the purposes it was collected and should only be retained for as long as needed to fulfill that purpose.
- Accuracy — Personal information must be kept as up-to-date as possible. Allow users the option to update their information as needed.
- Safeguards — Personal information should be protected by security safeguards, relative to how sensitive the information is.
- Openness — You must make the details about your policy and practices for protecting personal information easily available to the public.
- Individual access — Individuals should be able to access their complete data profile (all the information you collected on them) and be able to challenge the accuracy of that information. This should be done at minimal or no cost and normally within 30 days of the request.
- Challenging compliance — An individual should be able to challenge your business’s compliance with any of these principles and have it addressed by the person directly responsible for your company’s compliance (rule 1).
General Data Protection Regulation (GDPR)
GDPR is the European Union’s data protection law, in force since May 2018, governing how organizations handle personal data.
It applies to organizations established in the EU and to organizations anywhere in the world that offer goods or services to, or monitor the behaviour of, people in the EU. It focuses on making organizations accountable for protecting personal data and on giving individuals greater control over it.
GDPR is enforced by the data protection authority of each EU member state (the CNIL in France or the Data Protection Commission in Ireland, for example); the UK’s Information Commissioner’s Office (ICO) enforces the UK’s retained version of the law since Brexit. The upper tier of fines is up to 20 million euros or 4% of worldwide annual turnover, whichever is higher.
The lower tier, for less serious infringements, is up to 10 million euros or 2% of worldwide annual turnover. There are six main points a programmer should keep in mind to be compliant with GDPR.
- Lawful basis and consent: You need a lawful basis for each processing activity. Consent is one of several, and if you rely on it, it must be freely given, specific, informed, and unambiguous, and withdrawing it must be as easy as giving it.
- Right of access and rectification: Individuals can request a copy of the personal data you hold about them, free of charge and normally within one month, and can have inaccurate data corrected.
- Data portability: Individuals can receive the data they provided to you in a structured, commonly used, machine-readable format and take it elsewhere.
- Breach notification: A personal data breach must be reported to the supervisory authority within 72 hours of becoming aware of it, and affected individuals must be told without undue delay when the breach is likely to put them at high risk.
- Right to erasure (the "right to be forgotten"): Individuals can ask you to delete their personal data, and you must comply unless an exception applies, such as a legal obligation to retain it.
- Privacy by design and by default: Data protection must be built into your application and the systems around it from the start, including collecting and retaining only the data each purpose needs (data minimisation) and pseudonymising or encrypting personal data where possible.
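The privacy-by-design point is the one that turns into code first, so here is an added example in Python (not code from the original post) of one concrete shape it takes: an analytics export in which records leaving the system of record are cut down to the fields a stated purpose needs, direct identifiers are replaced by a keyed pseudonym, and exact birthdates become age bands. Because the pseudonym is a keyed HMAC, it can be recomputed later, which is what lets the export copy be searched for an access request and purged for an erasure request. The field names, purposes, PSEUDONYM_KEY, TODAY and the sample records are assumptions made for this example.

```python
"""Pseudonymised export for analytics (added example; not code from the
original post).

Records from the system of record are minimised to the fields a purpose
needs, direct identifiers are replaced by a keyed pseudonym, and birthdates
are generalised to age bands. Field names, purposes, PSEUDONYM_KEY, TODAY and
the sample records are assumptions made for this example.

Caveat: pseudonymised data is still personal data under GDPR while the key
exists (Recital 26). Keep the key in a separate key store, never in the
export or the environment that receives it.
"""
import hashlib
import hmac
from datetime import date

DIRECT_IDENTIFIERS = frozenset({"email", "name", "phone", "ip"})

# Fields each processing purpose is allowed to receive (data minimisation).
PURPOSES = {
    "product_analytics": {"age_band", "country", "plan", "signup_date"},
    "churn_model": {"age_band", "plan", "last_login"},
}

# Demo values only; a real key is generated randomly and stored separately.
PSEUDONYM_KEY = b"demo-only-pseudonym-key-0123456789"
TODAY = date(2024, 6, 1)


def pseudonym(key: bytes, email: str) -> str:
    """Deterministic keyed pseudonym. Normalising the email first gives one
    pseudonym per person across exports and across differently cased input."""
    norm = email.strip().lower().encode()
    return hmac.new(key, norm, hashlib.sha256).hexdigest()[:24]


def age_band(birthdate: date, today: date) -> str:
    """Generalise a birthdate to a ten-year band such as '30-39'."""
    age = today.year - birthdate.year
    if (today.month, today.day) < (birthdate.month, birthdate.day):
        age -= 1
    low = (age // 10) * 10
    return f"{low}-{low + 9}"


def export_record(rec: dict, purpose: str, key: bytes, today: date) -> dict:
    """Build the minimised, pseudonymised row for one data subject."""
    out = {"subject": pseudonym(key, rec["email"])}
    for field in PURPOSES[purpose]:
        if field == "age_band":
            out["age_band"] = age_band(rec["birthdate"], today)
        elif field in rec:
            out[field] = rec[field]
    # Defence in depth: refuse to emit a direct identifier even if PURPOSES is misconfigured.
    leaked = DIRECT_IDENTIFIERS & set(out)
    if leaked:
        raise ValueError(f"direct identifiers in export: {sorted(leaked)}")
    return out


def export_dataset(records, purpose, key=PSEUDONYM_KEY, today=TODAY):
    """Export every record for one purpose."""
    return [export_record(r, purpose, key, today) for r in records]


def erase_subject(dataset, email, key=PSEUDONYM_KEY):
    """Apply an erasure request to the export copy: recompute the subject's
    pseudonym and drop every row carrying it. Returns (kept_rows, removed)."""
    p = pseudonym(key, email)
    kept = [row for row in dataset if row["subject"] != p]
    return kept, len(dataset) - len(kept)


# Constructed sample records, not real people (555-01xx numbers and
# 203.0.113.0/24 addresses are reserved for documentation).
SAMPLE_RECORDS = [
    {"email": "Ana@Example.org", "name": "Ana Silva", "phone": "+1-555-0100",
     "ip": "203.0.113.7", "birthdate": date(1990, 6, 15), "country": "PT",
     "plan": "pro", "signup_date": "2023-01-10", "last_login": "2024-05-30"},
    {"email": "bo@example.org", "name": "Bo Chen", "phone": "+1-555-0101",
     "ip": "203.0.113.9", "birthdate": date(1975, 1, 2), "country": "CA",
     "plan": "free", "signup_date": "2022-11-03", "last_login": "2024-04-12"},
]

if __name__ == "__main__":
    rows = export_dataset(SAMPLE_RECORDS, "product_analytics")
    for row in rows:
        print(row)
    kept, removed = erase_subject(rows, "ana@example.org")
    print(f"erased {removed} row(s), {len(kept)} remain")
```

The design choice worth noticing is the trade-off in the pseudonym: a deterministic keyed pseudonym lets you honour access and erasure requests against copies you no longer control directly, at the price that anyone holding the key can re-identify the dataset. Per-purpose keys limit that blast radius, and destroying a key is a quick way to render an old export unlinkable once its retention period ends.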
Stay Out of Trouble by Knowing These Regulations
Having a good understanding of regulatory requirements will benefit you whether you are an independent programmer looking to create a company or if you are a salaried employee building software for a company.
Regulatory requirements differ in every situation, based on your location, the location of the consumer, and the given industry. Common requirements include building security features into the application, collecting and honouring user consent, and minimising and pseudonymising personal information wherever possible.
Failure to comply with these regulations can result in spending a significant amount of time making changes to your application after launch, paying heavy fines, and in the worst cases a suspension of your business and possible imprisonment.
If you take time to familiarize yourself with the regulatory requirements that affect you as a programmer, you will greatly increase your value to any company you work for, you will save your managers a significant amount of time and headaches, and they will love you for it.