We all used to think “regulatory compliance” is something for banks, the financial sector, the pharmaceutical industry, healthcare, and a few others. It’s not for a business outside of those sectors. Those businesses are regulated; I’m just (fill in whatever business you’re in), I don’t need to worry about that.
In the era of GDPR, CAN-SPAM, HIPAA, CASL, PIPEDA, CIPA and the rest of the alphabet soup of privacy regulation acronyms, all businesses need to think about—and manage—regulatory compliance. The question for many is how to get started, what to worry about, and how to both achieve and maintain compliance. This guide covers the foundational elements—from GDPR and HIPAA to finance and healthcare—needed to start building a regulatory-forward mindset.
What does regulatory compliance mean to you?
The most important part of this guide is understanding what regulatory compliance means and more specifically, what it means for your company. Our regulatory compliance overview—What is Regulatory Compliance?—should be the first thing you open in a new tab and start reading. Compliance is more than crossing T’s and dotting I’s, it’s about making sure your company knows what to track, how to track, and how to fix compliance issues.
Today the biggest concern is protecting customer’s personally identifiable information (PII). The heart of GDPR, PIPEDA, CIPA, HIPAA, and CCPA is safeguarding personal privacy. The right to be forgotten, penalties for data breaches, and even how you can communicate with people, hinge on privacy. The first step to compliance, and building a compliance mindset, is learning more about the privacy laws worldwide and understanding which ones apply to you.
For most businesses, it is critical to know the requirements in any of the countries you are doing business in, such as:
- GDPR (EU)
- CAN-SPAM (U.S.)
- CCPA (U.S.)
- PIPEDA (Canada)
- CASL (Canada)
This will provide you with a strong foundation for data privacy. Many requirements found in one regulation are also in others, for example becoming compliant with CAN-SPAM lays a foundation for CASL and complying with PIPEDA gets you part way towards GDPR. This is not to say there aren’t details in each regulation to account for, but in broad strokes they all require many of the same things.
Healthcare and HIPAA Compliance
For the healthcare industry in the U.S., HIPAA is the regulation to you must fully comply with. The stakes for not being in compliance, or breaking one of the HIPAA-mandated protections, are quite severe….as in millions of dollars in fines for losing a single laptop severe. Some of the resources you should review are:
- What is HIPAA Compliance and Why Is It Important to Healthcare Security?
- Avoid Security Breaches in Healthcare with Data Visibility
- HIPAA Privacy Is About More than Just Compliance
- Escalating Risks to Healthcare Data
- HIPAA Security Rule: Protecting Privacy and Improving Patient Care
- HIPAA Compliance Checklist
GDPR Spans Far Beyond the EU
For over a year now we’ve been asked to accept cookies visiting websites. Why all of a sudden? When GPDR came into effect, anyone who had visitors from the EU needed to let EU residents know a website used cookies and give visitors an option to not accept them. So why are we seeing these notices everywhere? Because it’s easier to put up a cookie notice for the whole world than have to segment your visitors according to region.
And, as it turns out, it’s not so bad to let people know about the cookies being used on a website. One of the interesting outcomes of GDPR has been websites outside of the EU following GDPR guidelines. The end result is everyone, EU citizen or not, is a little more protected. As with HIPAA, Absolute has a number of resources for you to learn about GDPR compliance and how get started.
- Weighing Privacy with Security Under GDPR
- GDPR: The Why and How for Financial Services
- Yes, GDPR Applies to You
- Critical Actions for Finalizing Your GDPR Compliance Program
- What You Need to Know about GDPR Breach Disclosure, Response
- Ensure Compliance with GDPR Data Protection Impact Assessments
- How Ready Are You for GDPR Enforcement?
- 5 Tips for Compliance Officers Dealing with GDPR
This case study from Absolute customer KCOM on becoming GPDR compliant and increasing their overall security posture illustrates some best practices you can apply to your business.
Other Privacy Regulations
California has its own privacy legislation—Will CCPA Pave the Way to a Federal Data Privacy Law?—that came into effect January 1, 2020 and covers many of the same aspects of GPDR (controlling and opting into how your personal information is collected). New York has passed similar legislation—Personal Privacy Protection Law | OTDA—with many other U.S. States are likely to follow suit. You need to stay on top of regulations in your jurisdiction. For now, companies must be familiar with new and emerging state laws until such time data protection is addressed at the federal level, as was done in the EU.
Building a Compliance Mentality
Following rules for sending emails, how your website works, or how customer data is handled is only part of regulatory compliance. The bigger picture is developing a mentality in your company for becoming and staying compliant. It’s much more than a check the box exercise. A compliance mentality means everyone in the company thinks about:
- How data is stored
- Who has access to data
- What devices are on the network
- How new devices are added to the network
- How data on devices is managed
- What happens if something goes wrong
For example: You’re working on a big customer analysis project. You have purchase data and detailed personal information for thousands of customers. You do most of your work from the office, but during a crunch time you bring your laptop home to finish things up. You need to make sure:
- Your VPN is set up
- Your home WiFi network is secured with a password
- Your laptop has a password on it, full disk encryption, and a password on your screensaver
- You have laptop tracking and location software set up
- You don’t leave your laptop in plain view in your car
- You don’t leave your laptop unattended at a coffee shop
- If you must connect to free WiFi, you use the company VPN to protect your connection
- You don’t download personal apps on your work machine
- You are suspicious of links you click and documents you open
If you miss any one of these points, your laptop could be compromised, customer data lost, and your company is now out of compliance with any number of regulations—not to mention possibly the next unfortunate headline with “Acme Company Data Breach Linked to Laptop Left in a Cab” or “Acme Network Hacked and Crippled By Ransomware By a Phishing Attack”. Remember, damage to your brand is both costly and lasting.
This is the essential part of how to manage regulatory compliance—understanding it’s not the job of IT or the Compliance Officer or someone who is nagging you about following rules. For a company to be compliant, everyone in the company must be compliant too. A compliance mentality—whether for privacy protection or reporting like Sarbanes-Oxley—is about understanding there are rules in place your company must follow and the consequences for breaking the rules can be severe.
How Absolute Can Help
While this post focused on privacy-related regulations, many regulations outside of privacy hinge on your company having ready access to records, data, and information. If you need to show financial regulators you are following their rules, you need the data to back it up. If you can’t do that—you’re out of compliance. You need to be able to pinpoint where sensitive data sits, who has access to it, and how you monitor data.
Absolute has solutions tailored to becoming and staying compliant with a range of regulations, including solutions especially for GDPR compliance. These solutions help you track data, devices, access, and security policies across your organization—even remote and distributed workforces.
This article is for informational purposes only. The information in this article is not legal advice, is not to be acted on as such, is not intended to substitute for professional legal advice, may not be current, and is subject to change without notice. You should contact a licensed lawyer in your area to assist you in legal and regulatory matters. Absolute expressly disclaims all liability with respect to actions taken or not taken by a reader based on any or all of the information and commentary in this article.
©2020 Absolute Software Corporation. All rights reserved. ABSOLUTE and the ABSOLUTE logo are trademarks of Absolute Software Corporation. Other names or logos mentioned herein may be the trademarks of their respective owners.