A Brief Definition of Regulatory Compliance
While regulatory compliance is a broad topic, the definition is quite simple – it’s all about making sure an organization is following the rules for its industry. With regulatory compliance, you are required by an outside authority to perform certain obligations or comply with regulations, and there are consequences for not doing so.
Regulatory compliance should not be confused with corporate or internal compliance, as the mandate between an internal and external policy may differ significantly. Essentially, being compliant can save a company from potential legal entanglements.
Why Is Regulatory Compliance Important?
Today, concerns surrounding privacy and IT security are of top importance in regulatory compliance. Especially over the last five years, people have caught on to how often privacy is being abused. While compliance regulations have existed for many years now, they weren’t created with privacy in mind — it’s only recently that we have seen them merge with IT security.
If you’re fully compliant, it represents a big step in the right direction for data protection. However, compliance should be viewed as a minimum standard — an organization should strive to reach higher.
What does this mean? It means doing the right things and having sound controls. If you’re doing those things, the compliance should come naturally.
If you think about SOX (Sarbanes-Oxley), one of the earlier compliance acts, at the end of the day you’re required to understand the risks, and you need to have controls and processes to address those risks to prevent a financial mistake. It means you need to understand your environment, its associated risks and the controls to mitigate risks. SOX was one of the first regulatory compliance acts in which risk was the main driver — and mitigating risk (especially from a privacy perspective) is prominent in many recent regulatory compliance acts.
The recent General Data Protection Regulation (GDPR), for instance, was developed with risk in mind and focuses on the need to understand the risks of processing certain types of information.
Once you have your risk and compliance methodologies in place, you can leverage them to comply not only with one regulation but with many. Compliance can also serve as a stepping stone for improving the organization as a whole. Further, if a new regulatory compliance law comes up in the future, you may find you are already compliant.
On the other hand, if you’re not compliant, the costs can be damaging. There may be fines, reputational risks, impacts to stock price or revenue, or a loss of customers. Over and above that, there are industry risks to consider. If you’re not compliant with PCI regulations for credit card processing, for example, your ability to process transactions may go away.
The risk of continuing to do business may even be at stake.
There are numerous challenges companies face in order to remain compliant, but the primary obstacles impact finance, HR, and IT.
It’s unfortunate, but the biggest challenge for compliance is that it can be expensive. Let’s face it: many organizations are running lean as it is, and now they’re faced with an edict of “You shall manage risk.” Then, organizations must decide whether to outsource or dedicate internal resources to compliance. From a human resources standpoint, it can be time-consuming. In some companies, these developments may require the introduction of compliance-centric positions such as Regulatory Compliance Officer or Manager.
For the IT department, the never-ending stream of new technologies creates considerable compliance complications. As employees continue to incorporate their own devices in today’s BYOD (bring your own device) landscape, we must understand that those endpoints store sensitive, compliance-relevant company data. Compounding the issue is the massive growth of IoT — meaning even more endpoints and interconnected devices (which may or may not be secure) on an organization’s network.
Keeping up with updates, patching software quickly, and staying on top of vulnerabilities are all requirements for maintaining compliance.
Endpoint management is a crucial component of regulatory compliance.
Regulatory Compliance Examples
One of the most prominent examples of regulatory compliance, especially today, is HIPAA. Through ongoing regulations, HIPAA compliance is a living set of requirements that healthcare organizations must build into their business in order to protect the privacy, security, and integrity of protected health information.
If your organization has anything to do with the healthcare industry, you’ll want to check out our HIPAA compliance checklist.
The Sarbanes-Oxley or SOX Act of 2002 mentioned above was created to address corporate fraud from a financial perspective. Along with protecting whistleblowers, SOX bans company loans to executives and holds CEOs personally accountable for financial missteps.
The Dodd-Frank Wall Street Reform and Consumer Protection Act was created to reorganize and improve financial regulation and also created the Consumer Financial Protection Bureau. It may be one of the most complex pieces of legislation written.
Two new regulatory compliance acts to look out for, especially pertaining to privacy, are the California Consumer Privacy Act and the New York State Personal Privacy Protection Law. The California act, which takes effect in 2020, “gives consumers sweeping control over their personal data. It grants them the right to know what information companies like Facebook and Google are collecting, why they are collecting it, and who they are sharing it with.” The New York law “protects you from the random collection of personal information by state agencies. The law enables you to access and/or correct information on file which pertains to you. It also regulates disclosure of personal information to persons authorized by law to have access for official use.”
How Can I Learn More?
As 2020 approaches, protecting privacy is going to be more important than ever and will be a critical element of regulatory compliance.
Privacy laws give organizations parameters to work within and help ensure accountability. However, in the face of resource constraints and rapidly evolving threats, IT is often caught in the crossfire in choosing where efforts should be focused.
If you need a path for harmonious co-existence between working within the law and advancing technology, we’re here to help.
Watch our IT on Trial — Guilty Until Proven Innocent? webinar to learn legal and ethical considerations for data privacy, the value legal frameworks provide to technological advancement, and get predictions about the direction and increasing importance of privacy laws.
This article is for informational purposes only. The information in this article is not legal advice, is not to be acted on as such, is not intended to substitute for professional legal advice, may not be current, and is subject to change without notice. You should contact a licensed lawyer in your area to assist you in legal and regulatory matters. Absolute expressly disclaims all liability with respect to actions taken or not taken by a reader based on any or all of the information and commentary in this article.
©2019 Absolute Software Corporation. All rights reserved. ABSOLUTE and the ABSOLUTE logo are trademarks of Absolute Software Corporation. Other names or logos mentioned herein may be the trademarks of their respective owners.