Boston Data Privacy Compliance Consulting Services

Appolo Compliance helps organizations in the greater Boston area manage privacy programs to meet Massachusetts legal compliance requirements. Under Massachusetts law, organizations must comply with minimum standards to safeguard personal information contained in both paper and electronic records.

Data Protection & Customer information Security

In response to the rapid uptick in breaches involving personal data, more privacy regulations are coming into effect at the local, state, federal, and international levels. As these privacy regulations come into effect, companies are quickly recognizing that effective privacy management is not just a key compliance activity but also a key factor in business enablement in the digital economy.

We design privacy programs that protect customer information as well as the information technology systems that store and process it.

Compliance & Risk Assessment Process

We partner with our clients to help them conduct periodic risk assessments of their Information Systems, sufficient to inform the design of their privacy and cybersecurity programs. Each risk assessment is updated as reasonably necessary to address changes to the client's Information Systems, Nonpublic Information or business operations. These risk assessments allow controls to be revised in response to technological developments and evolving threats to Nonpublic Information and Information Systems.

Our Risk Assessment Process

Massachusetts Governance & Compliance Regulations

Massachusetts law establishes detailed minimum standards to safeguard personal information contained in both paper and electronic records.

General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) became enforceable across the European Union (EU) on May 25, 2018. The GDPR applies to organizations established in the EU, to companies outside the EU that offer goods or services to, or monitor the behavior of, individuals in the EU, and to personal data processed on their behalf. The GDPR gives individuals more control over their personal data by granting them the following rights: the right to be informed about an organization's collection and use of their data; the right to access their personal data and request rectification; the right to restrict processing of their personal data; the right to data portability; the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects; and the right to erasure, that is, to request that an organization delete the personal data it holds about them.

Under the GDPR, sensitive personal data (the "special categories" of data) is afforded more protection than other personal data. Sensitive personal data includes racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data used to uniquely identify a person, health data, and data concerning sex life or sexual orientation. The GDPR defines a personal data breach as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data. If an unauthorized individual gains access to personal data, a data breach has occurred, whether or not the data was exfiltrated.

Health Insurance Portability and Accountability Act (HIPAA)

The Health Insurance Portability and Accountability Act of 1996 (HIPAA), as updated by the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH), protects medical information within the United States healthcare industry. HIPAA does not preempt stricter state privacy laws. The Privacy Rule standards address the use and disclosure of individual health information, also known as protected health information (PHI), by organizations subject to HIPAA. The Security Rule operationalizes the protections contained in the Privacy Rule by specifying the technical and non-technical safeguards that organizations known as covered entities, and their business associates, must put in place to secure individuals' electronic protected health information (e-PHI). Within the U.S. Department of Health and Human Services (HHS), the Office for Civil Rights (OCR) is responsible for enforcing the Privacy and Security Rules through voluntary compliance activities and civil money penalties.

Covered entities must designate a privacy official who is responsible for developing and implementing privacy protections and who serves as the point of contact for privacy-related issues. Under the Privacy Rule, individuals have the right to access and obtain a copy of their own PHI held by a covered entity (or by a business associate acting on its behalf). Individuals also have the right to receive an accounting of certain disclosures of their PHI. Covered entities must implement administrative, physical and technical safeguards to protect the confidentiality, integrity and availability of PHI.

201 CMR 17 (Mass. Privacy)

201 CMR 17 applies to any business that owns or licenses personal information about a Massachusetts resident. Personal information under the regulation means a resident's first name (or initial) and last name combined with a sensitive data element: a Social Security number, a driver's license or state-issued ID number, or a financial account or payment card number. Such businesses must:

  • designate one or more individuals who are responsible for information security,
  • identify and assess reasonably foreseeable risks to personal information and take appropriate steps to mitigate those risks,
  • develop and maintain a comprehensive written information security program (WISP),
  • review the security program at least once a year, and whenever business practices change in a way that may affect the security of personal information,
  • contractually obligate third-party service providers to maintain comparable protective measures, and
  • document responses to security incidents and any follow-up changes to business practices.

Payment Card Industry Data Security Standard (PCI DSS)

The Payment Card Industry Data Security Standard (PCI DSS) was established by the PCI Security Standards Council (PCI SSC) to combat financial fraud, specifically to stop criminals from stealing and using consumer payment card data from card transactions and processing systems. PCI DSS sets standards of practice for businesses that handle payment card data. These standards strengthen cardholder data security and facilitate the broad adoption of consistent data security measures globally. PCI DSS applies to merchants and any other entities that store, process or transmit cardholder data and/or sensitive authentication data. Cardholder data consists, at a minimum, of the full primary account number (PAN), and may also include the cardholder name, expiration date and service code; sensitive authentication data (full track data, card verification codes and PINs) must never be stored after authorization.

PCI DSS is enforced by the payment brands that founded the council (American Express, Discover Financial Services, JCB, MasterCard and Visa Inc.) through their contracts with acquiring banks and merchants. PCI DSS is therefore an enforceable security standard that does not depend on a government agency.

Gramm-Leach-Bliley Act (GLBA)

GLBA applies to financial institutions. It regulates how financial institutions manage nonpublic personal information, defined as personally identifiable financial information that a consumer provides to a financial institution or that the institution obtains in the course of providing a financial product or service. GLBA requires financial institutions to protect consumers' nonpublic personal information. Banks and related financial institutions that fail to comply with GLBA requirements can be subject to substantial penalties. At the state level, state attorneys general can enforce GLBA. Stricter state laws are not preempted under GLBA.

Cybersecurity Maturity Model Certification (CMMC)

CMMC stands for "Cybersecurity Maturity Model Certification" and is a unifying standard for the implementation of cybersecurity across the Defense Industrial Base (DIB). The CMMC framework includes a comprehensive and scalable certification element to verify the implementation of the processes and practices associated with a given cybersecurity maturity level. CMMC is designed to give the Department of Defense (DoD) increased assurance that a DIB company can adequately protect sensitive unclassified information, accounting for the flow of that information down to subcontractors in a multi-tier supply chain.

California Consumer Privacy Act (CCPA)

The CCPA was signed into law in California on June 28, 2018 and took effect on January 1, 2020. The CCPA gives consumers more control over the personal information that businesses collect about them. Businesses that collect personal information from California residents and meet the statute's thresholds must honor a set of consumer privacy rights. Under the CCPA, California residents have the right to know what personal information is collected about them and how it is used and shared; the right to request that their personal information be deleted; the right to opt out of the sale of their personal information; and the right not to be discriminated against for exercising their CCPA rights.

The CCPA provides consumers a private right of action for certain data breaches and is the first U.S. statute to allow consumers to recover statutory damages as a result of a data breach. When a breach of nonencrypted and nonredacted personal information results from a business's failure to implement reasonable security, California residents may recover statutory damages of between $100 and $750 per consumer per incident, or actual damages, whichever is greater. The remainder of the CCPA is enforced by the California Attorney General's office.

Serving Greater Boston Businesses

We are committed to helping organizations in the greater Boston area identify where compliance is difficult in practice, and to designing policies and controls that close the gaps between stated policies and actual operations.

About Boston

Boston is a great sports town. Boston is also one of the most innovative cities in the United States, thanks to the many educational institutions that call it home. As the economic center of the New England region, Boston attracts a great deal of business from neighboring states. Appolo Compliance is committed to helping organizations in the greater Boston area establish privacy programs that comply with privacy laws.