Every time you sign a HIPAA privacy form at your doctor’s office, get locked out for mistyping your password too many times, or receive a notification about updated privacy policies online, you’re experiencing compliance management at work. IT professionals and corporations alike are required to maintain compliance with regulatory mandates regarding data security, workplace security, and privacy. In recent years, regions, countries, and states have implemented multiple such policies (think GDPR in Europe, HIPAA in the United States, CCPA in California, APPI in Japan, and the APEC CBPR system across the Asia-Pacific region), and companies doing business with anyone in these jurisdictions must comply with them. Alongside the laws sit frameworks and regimes that customers or contracts may require, such as SOC 2 attestations and ITAR export controls in the United States.
While these mandates differ in their details, they all have one thing in common: they protect individuals’ privacy and give people more control over their personal information. These laws require companies to put protocols in place and to provide a framework that keeps sensitive data secure. Putting together formal plans and hiring dedicated professionals to enact these policies is compliance management. Though compliance touches many parts of a company’s operations, many of these duties fall within the jurisdiction of IT.
Workplace security: the real final frontier
In many cases, compliance involves almost every department in a company. Here are some of the different ways companies use personal information, by team:
- Finance: Personal addresses, credit card numbers, bank account numbers
- Marketing: Email addresses, cookies, browsing histories, click-tracking, mailing preferences, social media activity, and in some cases, names and images
- HR: Social security numbers, names and addresses, phone numbers, self-identification and immigration status, and other demographic information
- Operations: Customer names, client contacts, purchasing histories, visitor management logs
As workplace technology advances, every new system that stores or processes personal data is another place for leaks, mistakes, intrusions, and unwanted data mining to occur –– and with that comes the need for better compliance management. It’s up to IT compliance and governance to ensure we can continue to store and use personal and sensitive data responsibly and protect that data effectively. Workplace security teams and compliance teams need to work together to identify, monitor, report, and audit in order to achieve and remain in compliance.
Compliance management: the team all companies need to have
We’ve said before that any advance in technology results in the creation of jobs. With the rise of compliance management, companies are creating new titles and responsibilities. These positions are not optional in some cases: GDPR Article 37, for example, requires public authorities and organizations whose core activities involve large-scale systematic monitoring or large-scale processing of special categories of data to appoint a data protection officer (DPO).
A data protection officer is responsible for creating and managing a company’s data protection strategy and its implementation. GDPR Article 39 sets out the DPO’s formal tasks, and in practice the role covers:
- Training employees on compliance requirements from the various mandates
- Monitoring compliance through assessments and audits of policies and procedures
- Acting as the point of contact between the company and the supervisory authority for each mandate, and for data subjects with questions about their data
- Maintaining, or overseeing, the record of data processing activities within the company (the record itself is a controller duty under GDPR Article 30)
- Ensuring that privacy notices tell the public how their personal information is being used and what the company is doing to protect it
- Seeing that data subjects’ requests about their personal data are honored according to the policies that apply to them–up to and including erasing data on request
A DPO is equal parts technologist, legal eagle, compliance communications champion, and community organizer. The role itself will be in high demand in the coming years, and people who possess these hard and soft skills will become key corporate leaders.
However, the most important reason to have a DPO is to ensure and enforce ethical, safe, and responsible behavior at every level of the company. Ethics is one of the main motivations for these mandates’ existence, providing guidance about what companies can and cannot do with data.
Beyond this, DPOs need specific training. Fortunately, this specialized training is readily accessible, so IT professionals and compliance risk managers can get the education they need.
Who else is on the team?
Compliance management and risk management go hand in hand. Compliance is everybody’s job, so a compliance and risk management team should consist of representatives from all areas of the company, so that the full range of potential violations and risk scenarios is represented.
Together, under the leadership of the DPO and the risk management officer, the compliance team sets up and monitors a compliance plan. The team also reviews internal and external audits, helps discover new vulnerabilities, and makes recommendations to management for policy changes and strategic ways to mitigate emerging threats. Naturally, IT staff are deeply involved, carrying out the tactical operations.
Creating a culture of compliance
Another crucial reason teams are made up of people from every business unit in the company is to create a ripple effect that reaches every employee. The message that compliance is everybody’s responsibility is an important one to socialize, because that is the only way a compliance program can work. So, in addition to their regulatory duties, the compliance management team needs to work together to:
- Create a culture of accountability across the company, including among top management
- Enable a system for anyone to report compliance concerns
- Look at workplace technology that can help with compliance issues, including predictive modeling, active monitoring, and internal auditing
- Address issues as they come up, but also document everything from inquiries and complaints to breaches and vulnerabilities
- Self-monitor the team’s efforts to ensure ongoing effectiveness
- Ensure that all employees receive compliance training, including an understanding of risks, as well as a solid education about corporate ethics and compliant behavior. Many organizations create their learning modules in their learning management system (LMS). Others may bring in specialized teachers, or send employees through online courses.
Speaking of workplace security documentation…
Deloitte Risk Management recommends that companies outline a framework and methodology for assessing current and new risks. The framework depicts the organization’s risk exposures and categorizes them into risk domains. Board directors, executives, and managers can then use objective and subjective methods to assess those risks. When decision-makers pay particular attention to the scenarios outlined in the framework, they get a better understanding of the impact of a compliance breach from several angles, including:
- Legal impacts
- Financial impacts
- Business impacts
- Reputational impacts
TIP: The Alacar Group’s Developing A Compliance Risk Assessment Framework is a valuable resource to help you get started.
Formalizing compliance is essential
It’s equally important to document how a compliance program works, including its governance, organizational structure, and processes. In addition to technical requirements, these policies should include a code of conduct for ethical behavior that applies to everyone in the company.
"Some organizations choose to address governance and structure across multiple documents," the legal firm told The Wall Street Journal. "However, it’s vital that compliance plans or policies be easily available to staff — not simply stuck in the compliance officer’s binder or posted to an internal site that not everyone can access."
TIP: Many companies offer templates to start formalizing your compliance documents.
Corporate compliance is here to stay. Becoming compliant is a feather in your organization’s cap because it shows that your company cares about data privacy and honors the rules and regulations set in place by governing bodies all over the world.