While regulatory compliance is a broad topic, the definition is simple: regulatory compliance is about making sure an organization follows the rules that apply to its industry. To be in compliance, an outside authority (often a government) requires you to meet certain obligations, and there are consequences for failing to do so.
Regulatory compliance should not be confused with corporate or internal compliance; what an internal policy demands and what an external regulation demands may differ significantly. Staying in compliance with rules, whether legislated by a government, set by a trade association, or defined by a standards body (e.g. ISO), protects a company from legal entanglements and fines.
In the past, regulatory compliance focused on accounting and disclosure practices, as with Sarbanes-Oxley. Today consumer privacy and IT security are in the spotlight, as with GDPR. This sea change in perspective caught many companies unawares. Seemingly overnight, how you handled customer data and how you ran your internal IT security became of great interest to government regulators. And as the fallout from the Equifax breach showed, when you run afoul of privacy and IT security regulations, the consequences are significant.
If you’re fully compliant, it represents a big step in the right direction for data protection. However, compliance should be viewed as a minimum standard—an organization should strive to reach higher. Meeting the letter of the law might keep you out of hot water most of the time, but just doing the bare minimum won’t build trust with consumers or regulators. Going above and beyond the basics means your organization has committed to working to a higher standard. It’s the difference between doing enough to get a “C” in class and getting an “A”.
Consider SOX (Sarbanes-Oxley), one of the earlier compliance acts: you are required to understand your risks, and you need controls and processes that address those risks so that financial reporting errors are prevented. That means understanding your environment, the risks associated with it, and how to mitigate them. SOX was one of the first regulatory compliance acts in which risk was the main driver, and mitigating risk (especially privacy risk) is prominent in many regulatory compliance acts today.
The General Data Protection Regulation (GDPR) was developed with risk in mind and focuses on the need to understand the risks of processing certain types of information. In this case it is the risk to people’s privacy and data. Making sure companies manage the risk of storing sensitive information is an essential part of GDPR.
Because many regulations, especially privacy-focused ones, have similar requirements, once you have your risk and compliance methodologies in place you can leverage them to comply not just with one regulation but with many. If a new regulatory compliance law comes up in the future, you may already be compliant, or nearly so. For example, Canada's CASL anti-spam law is very similar to CAN-SPAM in the US, so if your organization met the CAN-SPAM requirements, you were well on your way to CASL compliance as well.
On the other hand, if you're not compliant, the costs can be staggering. There may be fines, reputational damage, and impacts on stock price, revenue, or customer retention. Over and above that, there are industry consequences to consider. PCI DSS, for example, is not a law but a standard enforced contractually by the card brands and acquiring banks; if you are not compliant, your ability to process card transactions may be revoked.
It is always better to be compliant with regulations than hope you don’t get caught and have to face the consequences.
There are numerous challenges companies face in order to remain compliant, but the primary obstacles impact finance, HR, and IT.
The biggest compliance challenge is that it can be expensive. Let's face it: many organizations are running lean as it is, and now they're faced with an edict of "You shall manage risk" or "You must have documented processes for handling all customer data". Organizations must decide whether to outsource compliance or dedicate internal resources to it. Some companies may need compliance-centric positions such as Regulatory Compliance Officer or Manager: people whose sole focus is making and keeping the company compliant with a myriad of regulations.
For the IT department, the never-ending stream of new technologies creates considerable compliance challenges. As employees increasingly use their own devices at work (BYOD, bring your own device), IT must manage endpoints it does not own that store sensitive, compliance-relevant company data. Compounding the issue is the massive growth of IoT (the Internet of Things: thermostats, speakers and the like), meaning even more endpoints and interconnected devices, which may or may not be secure, on an organization's network.
Keeping up with updates, patching software quickly, and staying on top of vulnerabilities are essential for maintaining compliance.
If you don’t know all the devices connected to your company network, much less which ones are storing sensitive data—how can you be fully compliant?
One of the most prominent examples of regulatory compliance today is HIPAA. Because its rules continue to evolve, HIPAA compliance is an ongoing program that health care organizations must build into their business in order to protect the privacy, security, and integrity of protected health information. And if you aren't compliant with HIPAA, something as simple as losing a single laptop with patient data on it can cost millions of dollars.
The California law "gives consumers sweeping control over their personal data. It grants them the right to know what information companies like Facebook and Google are collecting, why they are collecting it, and who they are sharing it with." The New York law "protects you from the random collection of personal information by state agencies. The law enables you to access and/or correct information on file which pertains to you. It also regulates disclosure of personal information to persons authorized by law to have access for official use."
Much like GDPR, the New York and California laws have real teeth and are part of a fundamental shift towards protecting personal privacy and information online.
Protecting privacy is more important than ever and is a central element of regulatory compliance.
Privacy laws give organizations parameters to work within and help ensure accountability. However, in the face of resource constraints and rapidly evolving threats, IT is often caught in the crossfire when choosing where to focus its efforts.
If you need a path to compliance, a way to keep track of sensitive data in your company, and help staying abreast of ever-advancing technology, we're here to help with solutions to prove compliance and manage data according to GDPR requirements.
Regulatory compliance is an essential part of your company’s larger cybersecurity ecosystem. Learn more about cybersecurity in our Cybersecurity 101 post.
This article is for informational purposes only. The information in this article is not legal advice, is not to be acted on as such, is not intended to substitute for professional legal advice, may not be current, and is subject to change without notice. You should contact a licensed lawyer in your area to assist you in legal and regulatory matters. Absolute expressly disclaims all liability with respect to actions taken or not taken by a reader based on any or all of the information and commentary in this article.
©2020 Absolute Software Corporation. All rights reserved. ABSOLUTE and the ABSOLUTE logo are trademarks of Absolute Software Corporation. Other names or logos mentioned herein may be the trademarks of their respective owners.