How do you ensure that your business complies with every law, rule, and regulation that governs its operations? Are you doing everything you can to write sound policies, monitor compliance, and respond to issues? Specifically, how are you keeping your enterprise data safe?
Here are five best practices for compliance professionals:
1. Stay current and try to anticipate what’s coming.
The landscape of compliance changes constantly. If you wait until a new regulation is passed to learn about what’s happening in your industry or jurisdiction, you’ll be behind in implementing the practices needed to comply.
Making a daily habit of reading a variety of newsfeeds, trade publications, and industry newsletters is a great first step. It’s also important to stay abreast of topics adjacent to your specific focus: regulatory updates, legal rulings, cybersecurity protections, and data privacy rights, to name a few.
2. Think broadly when defining reasonableness.
As a compliance professional, your goal can’t realistically be perfection; mistakes can and do happen. Instead, the goal is to establish reasonable practices that will prevent misconduct, decrease the likelihood of mistakes, and detect problems promptly when they occur.
But what does it mean to be “reasonable”? Reasonableness must be defined before it can be applied. Where compliance professionals sometimes get into trouble is in interpreting their obligations—and therefore defining what is “reasonable”—too narrowly.
For example, there are two types of data privacy and cybersecurity rules to consider: sectoral rules that affect only some industries and comprehensive rules that affect everyone within a jurisdiction. Businesses must attend to both areas of law in deciding what they must comply with and how they can design their practices to ensure that compliance.
Bottom line: in deciding what’s reasonable, you need to look across every industry or economic sector that your business encompasses as well as every jurisdiction your business reaches.
3. Document, document, document.
A company’s legal compliance is only as good as its proof of that compliance. That means businesses need written policies and audit trails so they can establish what they’ve done and why they did it. Compliance can never be done on an ad hoc basis.
When drafting your policies, establish what is reasonable and spell out exactly what steps you’re taking to attain that standard. If you draw inspiration from existing laws, rules, or regulations, cite that source in your policy so you know where that decision came from.
Finally, all of these efforts need to be documented in an audit trail to show regulators that even if something slipped past the safeguards, best efforts were made to prevent it and continued efforts are in place to remediate it.
Again, it’s not about proving perfection but reasonableness.
4. Understand the technology you’re using and the data you’re generating.
With the nearly overnight shift to remote work that occurred at the beginning of the COVID-19 pandemic, businesses were forced to implement new technologies rapidly, often without as thorough a vetting process as they usually would apply. Today, employees have more ways to communicate online than ever before, from chat applications and ticketing systems to project-management and cloud-based document management platforms. All of those tools generate data in a variety of formats, and that data is stored in a variety of places.
The explosion of available technologies raises the question: do you know what apps your employees are using?
You should. If there is an audit or investigation, regulated organizations need to account for all data sources being used by employees for business purposes, which points to the necessity of a comprehensive, up-to-date data map. While it’s deceptively difficult to create a solid data map, that map will inform everything else you do regarding data compliance.
Another thing to consider when generating and maintaining your data map is your organization’s “shadow IT”—technology that is being used without the IT department’s knowledge. This has become a bigger issue as the workforce has become more mobile. People now use personal devices, third-party apps, and SaaS solutions alongside their company devices, which lets enterprise data move outside the protected systems.
5. Monitor and adapt.
Compliance, like training or security, is never an endpoint. It’s ongoing, and if you’re not constantly alert for changes, your organization can find itself out of sync with regulatory requirements.
That’s why compliance professionals must plan for regular monitoring and assessments of their compliance and data security programs.
How often do you need to reassess your compliance and data security programs? This depends on the rules and regulations your organization is subject to within your industry and your jurisdiction. Assessments, archiving, and other compliance activities may happen monthly, quarterly, biannually, or annually. The only constant is that it’s not something you do once and never think about again.
Compliance is an ever-shifting landscape, shaped by newly emerging rules and regulations, revisions to existing statutes, regulatory agency rulings, court decisions, and more. It’s a challenge to keep up with everything, but by following these best practices, you can set your business up for success.