"You’ve got to use the cloud to protect the cloud," said Amazon Web Services Security Consultant Hart Rossman back in 2015. Companies were looking for a way to manage the growing workload created by compliance with national and international privacy, data-security and related regimes like HIPAA, SOC 2, ITAR, GDPR and, soon, the CCPA.
Implementing compliance is one thing; staying in compliance with these laws is a different beast. According to a Reuters survey, updates and changes to compliance rules arrive at a rate of more than 200 per day, roughly one every seven minutes. No wonder Rossman was warning, five years ago, that companies would need to automate to keep up.
Some companies will spend 10% of their revenue on compliance within the next few years, the same report continued. The cost of non-compliance is higher still. Under the GDPR, fines run up to €20 million or 4% of worldwide annual turnover, whichever is greater. HIPAA civil penalties can reach $50,000 per violation (and a breach that exposes many records can be counted as many violations), and wilful misuse of health information can also carry criminal penalties, including prison time.
Business compliance technology to the rescue
Regulatory compliance is obviously serious business. It’s also just about impossible if companies try to do it manually. Luckily, various technologies exist to help. In this post, we’ll look at three types of technology and see how they make compliance not only possible but easy.
No one can keep up with reading, understanding, and implementing new rules that appear every few minutes. If ever there were a case for artificial intelligence (AI) and machine learning, this is it. It is already being used to:
- Combat fraud
- Monitor transaction histories
- Identify signs of cyber attacks
- Track hacked ATMs
- Find evidence of money laundering
- Detect terrorism financing
For GDPR and CCPA compliance, AI can also sniff out privacy exposures across multiple sources in disparate locations. Since personal information is usually spread across many corporate systems, it is easy to miss a copy when trying to secure it or delete it.
The GDPR, for example, gives individuals a right to erasure (popularly called the "right to be forgotten"), and the CCPA gives consumers a similar right to deletion. That means a person can ask a company to remove the personal information it holds about them. But erased data can silently reappear when a backup is restored, or a copy in a secondary system can be overlooked, and either of those leaves the company out of compliance. Automated discovery can find those relationships across systems and help ensure companies stay in the clear.
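The backup-restore problem above is a concrete engineering task, so here is an added example (not code from the original post or from Envoy's product) of one way to handle it: an erasure ledger that records each deletion request under a keyed hash of the subject identifier, deletes across every system that holds a copy (including one where the address is stored with different capitalisation), and is replayed after any restore from backup. The HMAC key, the three sample systems, their field names and the sample rows are all constructed for the example.

```python
import copy
import hashlib
import hmac

# Assumption: in production this key lives in a secrets manager. It lets the ledger
# refer to a data subject without itself storing the e-mail address it was asked to erase.
LEDGER_SECRET = b"example-only-rotate-me"

# Constructed inventory: each system stores the subject identifier under its own field
# name, which is exactly how a copy gets overlooked when the "delete" only hits the CRM.
SUBJECT_FIELD = {"crm": "email", "tickets": "requester", "newsletter": "addr"}


def subject_key(identifier: str) -> str:
    """Pseudonymous, normalised key: 'Alice@Example.com' and 'alice@example.com' collide on purpose."""
    norm = identifier.strip().lower().encode()
    return hmac.new(LEDGER_SECRET, norm, hashlib.sha256).hexdigest()


def sample_systems() -> dict:
    """Constructed sample data standing in for three separate corporate systems."""
    return {
        "crm": [
            {"email": "alice@example.com", "plan": "pro"},
            {"email": "bob@example.com", "plan": "free"},
        ],
        "tickets": [
            {"requester": "Alice@Example.com", "id": 1},
            {"requester": "bob@example.com", "id": 2},
            {"requester": "alice@example.com", "id": 3},
        ],
        "newsletter": [{"addr": "carol@example.com"}],
    }


def take_backup(systems: dict) -> dict:
    """Point-in-time snapshot, as a backup job would produce."""
    return copy.deepcopy(systems)


class ErasureLedger:
    """Append-only record of deletion requests; it survives restores because it is kept
    outside the backup set that is being restored."""

    def __init__(self):
        self.entries = []  # (subject_key, requested_at as ISO-8601 text)

    def record(self, identifier: str, requested_at: str) -> None:
        self.entries.append((subject_key(identifier), requested_at))

    def keys(self) -> set:
        return {k for k, _ in self.entries}

    def apply(self, systems: dict) -> dict:
        """Delete every row in every system whose subject matches a ledger entry.
        Mutates `systems`; returns the number of rows removed per system."""
        keys = self.keys()
        removed = {}
        for name, rows in systems.items():
            field = SUBJECT_FIELD[name]
            keep = [row for row in rows if subject_key(row[field]) not in keys]
            removed[name] = len(rows) - len(keep)
            systems[name] = keep
        return removed

    def leftovers(self, systems: dict) -> int:
        """Compliance check: rows still present for subjects who asked to be erased."""
        keys = self.keys()
        return sum(
            1
            for name, rows in systems.items()
            for row in rows
            if subject_key(row[SUBJECT_FIELD[name]]) in keys
        )

    def restore(self, snapshot: dict) -> tuple:
        """Restore from a backup, then replay the whole ledger so that data belonging
        to already-erased subjects does not come back to life."""
        systems = copy.deepcopy(snapshot)
        return systems, self.apply(systems)


if __name__ == "__main__":
    ledger = ErasureLedger()
    live = sample_systems()
    snapshot = take_backup(live)                 # backup taken before the request arrives
    ledger.record("alice@example.com", "2020-01-02T00:00:00Z")
    print("removed:", ledger.apply(live), "leftovers:", ledger.leftovers(live))
    naive = copy.deepcopy(snapshot)              # restore without replaying the ledger
    print("after naive restore, leftovers:", ledger.leftovers(naive))
    restored, removed = ledger.restore(snapshot)
    print("after ledger-aware restore:", removed, "leftovers:", ledger.leftovers(restored))
```

The `leftovers` check is the part worth wiring into a scheduled job: run it against every system after each restore, and treat a non-zero result as an incident rather than a cleanup task.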
The GDPR and other compliance regimes like the USA’s ITAR export-control rules and the SOC 2 audit framework are large, frequently updated bodies of text. The GDPR itself runs to 99 articles and 173 recitals, and the regulatory guidance, court decisions and national implementing acts built on top of it add far more, so some form of AI-driven automation is practically a must.
It’s up to humans to keep an eye on AI. Here’s why.
The potential for AI is enormous, but it’s not a complete solution. Article 22 of the GDPR gives people the right not to be subject to decisions based solely on automated processing when those decisions have legal or similarly significant effects, with hiring and credit decisions as the textbook examples. The point is to keep human eyes on such decisions so that a model does not discriminate on the basis of race, age, health, religious or political beliefs, or income. Much of what AI does for compliance is profiling, and profiling sensitive data without human oversight has legal consequences of its own.
So there’s an interesting plot twist: used carelessly, AI can itself create GDPR and HIPAA violations while doing the very thing it was deployed to prevent. We have a bit more thinking to do. Machines will not replace humans here. They will flag what needs attention, while humans supply the ethical judgement that machine learning does not have.
AI and HIPAA: the only possible solution—and an ethical conundrum
Nowhere is sensitive personal information more closely guarded than in healthcare. In the USA, HIPAA was enacted in 1996 to govern the handling of such information, long before AI was a consideration for compliance, and its rules have been extended several times since. The only practical way for organizations subject to HIPAA (and there are more of them than you’d think, since the business associates of covered entities are bound too) to keep up is with AI-assisted automation.
The creators of HIPAA could not have imagined that a time would come when people would willingly hand over private health information to non-medical companies, or that social media would routinely collect it, using the same AI that healthcare companies use to manage compliance. But that’s precisely what happened:
- Consumer DNA-testing companies hold the most personal health data there is, yet they are not HIPAA covered entities. They may promise privacy, but HIPAA does not require it of them.
- Social media platforms have used AI on user posts to infer whether someone might be at risk of suicide. A noble cause, with an unintended consequence: if a covered entity collected mental-health data about people this way without their knowledge it would be a clear HIPAA violation, yet the companies doing it are not subject to HIPAA at all.
So what do we do?
AI is here to stay. It’s the only practical way to maintain compliance in a wildly changing landscape. We want to be able to use technology to discover essential information. Should we subject more companies to HIPAA, or regulate the use of machine learning in healthcare directly? The jury is still out on that, but using AI to stay in compliance with HIPAA is a must.
A surprising compliance tool: visitor management
Visitor management software keeps companies in compliance without much additional effort by automating the tasks required when non-employees are on the premises. Even the innocuous pen-and-paper sign-in logbook can become a compliance issue: it sits where anyone can read earlier visitors’ names, companies typically keep the books for years, and a book is easily stolen or lost.
Secure, digital visitor management gives companies more options. Since so many regulations require consent before personal information is collected, it lets visitors opt in or out. Visitor management lets companies automate data privacy policies and maintain compliance by:
- Obtaining consent electronically to collect and store personal information
- Using the sign-in process to provide custom instructions for those who do not consent
- Showing data policies to visitors when they sign in (the GDPR requires this information to be provided at the point of collection)
- Automatically deleting visitor data after a set retention period (for example, within 24 hours) to meet the data-minimization expectations of the GDPR, CCPA, and others
- Encrypting personal information captured at sign-in and storing it in a secured database
- Maintaining visitor logs automatically, to speed up and ease audits
- Storing other documents needed for regulatory compliance, like NDAs and consent forms
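As an added example, not code from the original post or from any visitor management product, the following shows how the consent, auto-deletion and audit-log items in the list above can coexist: personal data is stored only with consent and purged after a retention window, while a long-lived audit row keeps only a keyed hash of the visitor’s e-mail, so an auditor can still confirm that a given person signed in after the personal data itself is gone. The 24-hour retention constant, the HMAC key, the non-consent instruction text and the sign-in records are assumptions made for the example; timestamps are plain epoch seconds.

```python
import hashlib
import hmac

AUDIT_SECRET = b"example-only-rotate-me"   # assumption: kept in a secrets manager in practice
RETENTION_SECONDS = 24 * 60 * 60           # assumption: the 24-hour purge the list above mentions


def pseudonym(email: str) -> str:
    """Keyed hash of the visitor's e-mail: stable enough to answer "did this person
    sign in?" during an audit, but not reversible without the key."""
    norm = email.strip().lower().encode()
    return hmac.new(AUDIT_SECRET, norm, hashlib.sha256).hexdigest()[:16]


class VisitorLog:
    def __init__(self):
        self.pii = {}     # visit_id -> personal data; purged on the retention schedule
        self.audit = []   # long-lived audit trail; holds no direct identifiers

    def sign_in(self, visit_id: str, name: str, email: str, host: str,
                consent: bool, now: int) -> str:
        """Record a visit. The audit row is always written; personal data only with consent.
        Returns the instruction shown to the visitor (constructed wording)."""
        self.audit.append({
            "visit_id": visit_id,
            "visitor": pseudonym(email) if consent else None,
            "host": host,
            "consent": consent,
            "signed_in": now,
        })
        if consent:
            self.pii[visit_id] = {"name": name, "email": email, "signed_in": now}
            return "badge printed"
        # The 'custom instructions for those who do not consent' from the list above.
        return "no personal data stored; reception will escort you to your host"

    def purge(self, now: int) -> int:
        """Delete personal data older than the retention window. Returns rows removed."""
        expired = [vid for vid, rec in self.pii.items()
                   if now - rec["signed_in"] >= RETENTION_SECONDS]
        for vid in expired:
            del self.pii[vid]
        return len(expired)

    def visited(self, email: str) -> list:
        """Audit question still answerable after the purge: when did this person sign in?"""
        key = pseudonym(email)
        return [row["signed_in"] for row in self.audit if row["visitor"] == key]


if __name__ == "__main__":
    log = VisitorLog()
    print(log.sign_in("v1", "Alice Example", "alice@example.com", "bob", True, 1_000_000))
    print(log.sign_in("v2", "Dan Example", "dan@example.com", "bob", False, 1_000_100))
    print("purged:", log.purge(1_000_000 + RETENTION_SECONDS), "pii left:", len(log.pii))
    print("alice visits on record:", log.visited("Alice@Example.com"))
```

Keeping the audit trail free of names and e-mail addresses is what makes the short retention window workable: the purge job can run aggressively because nothing an auditor needs depends on the rows it deletes.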
Since a visitor management system is something you might already have for other reasons, like branding and security, taking advantage of its compliance capabilities makes good sense.
Automated data protection: a compliance officer’s new best friend
Regardless of which mandates a company needs to comply with, the goals are the same. The particulars of each regional law differ, but all of them are designed to protect people from cybercrime, privacy invasion, and misuse of personal data. All of them give people more control over their own information. And all of them are largely silent about how to implement and maintain compliance in practice.
That’s left up to individual companies. So compliance personnel have choices about what and where to automate to best suit their companies’ needs. It’s possible to automate almost every aspect of data compliance:
- Compliance risk assessment automation rates the controls in place through quantitative analysis
- Regulatory change automation tracks changes to the various laws as they arrive, finds the affected data, and makes the appropriate adjustments
- Policy management automation provides immediate insight into which policies are current
- Monitoring and testing automation gives you current, big-picture views of risks
- Data and analytics transparency automation creates dashboards that let compliance staff and auditors understand the state of play at a glance
- Due diligence automation helps ensure that third parties like suppliers and contractors also meet all compliance requirements
Corporate compliance is a complex, time-consuming requirement, fraught with changing laws and stiff penalties for breaking them. Still, you’d be hard-pressed to find anyone who doesn’t agree that these global mandates are worth it.
Each mandate will evolve. New ones will come on the scene to tie the regional laws to a global big picture. Debates over ethical considerations will continue. One thing is certain—automation, artificial intelligence, and visitor management will be there to help companies solve the important compliance issues they face.
Ready to learn more? Read Envoy’s Corporate Compliance guide.