Treating compliance as an exercise now seems terribly old-fashioned. Gone are the days, if they ever truly existed, when information managers were able to simply ‘do’ compliance and then forget about it again.
Alongside the nature of compliance, the law has also changed. This evolution is clearly illustrated by the upcoming General Data Protection Regulation, or GDPR. For the first time a sweeping notification duty will be implemented, so if a personal data security breach occurs, the regulator needs to be immediately informed.
GDPR means compliance is now everyone’s business: it’s not about ticking boxes, but about actively building a culture of compliance within your organisation. GDPR demands a series of new rights for individuals which means that security now has to be hardwired into your infrastructure and processes. As the data’s gatekeeper, it’s your job to ensure these rights can be exercised.
So how do you approach compliance? How do you become compliant? And how do you remain compliant in the future? Let’s look at these cornerstones in turn:
Approaching data security compliance
To successfully achieve compliance, one useful solution is to integrate it into your risk assessment process, as there is an overlap between risk management and compliance. Legislators and regulators always advocate – whether they’re representing the EU or our own Information Commissioner’s Office (ICO) – that a robust legal framework is a positive thing. In other words, the law exists not only to safeguard customers, but to also make businesses better equipped to manage security risks.
In this respect, there is a ‘carrot’ element to compliance: take it seriously and your business can become stronger. However, along with any carrot comes the stick: get compliance wrong and there is a possible fine of up to four per cent of your global annual turnover, along with the accompanying, and potentially very damaging, reputational repercussions.
This has numerous implications. Firstly, for any legal or regulatory changes, your preparation should always involve revisiting your risk assessment. Furthermore, regulatory risk should be treated as a distinct category in order to make it easier to identify the obligations of new laws. Lastly, you should consider how a new law affects other areas of your risk assessment. For example, an internal data breach might not just lead to losing customers, but also an ICO investigation.
Compliance awareness training is not just for those within information management, but needs to filter throughout your organisation. A penalty for non-compliance affects the entire organisation, but often it is the day-to-day actions of ordinary staff members that first give rise to breaches.
To avoid these kinds of situations, it is important to revisit your code of conduct and guidelines. If people know the context behind rules, they will follow them more closely. Contextualising training around real-life examples will help everyone understand what the repercussions of non-compliance could be.
When becoming compliant, ignorance of the law cannot be used as a defence. Therefore, tracking legislation and regulation as it develops is an important part of information security.
However, big changes are usually well signposted. The ICO and industry-specific regulators are the natural first port of call for guidelines. That said, the more you research the topic, the easier it becomes to pinpoint the practical steps needed to ensure compliance.
Organisations then need to make sure they are making purchasing decisions in a compliance-friendly way. A change in the law can provide the call-to-action an organisation needs to review its security ecosystem. But many businesses see this as a reactive process: buying a solution to fill the compliance gap.
Specific business needs and finding the best solution should instead be the focus. What risks are you faced with? Does the solution make your organisation better equipped to address these risks? And does the solution add any value to your organisation? These are the questions you should be asking when making purchases, rather than simply ticking the right boxes.
As we’ve said, compliance can’t be ‘done’; it is an ongoing process.
Monitoring your compliance culture should be an ever-present task. An organisation’s culture manifests itself through the behaviour of its people. Are employees still drifting towards potentially problematic scenarios? User and Entity Behaviour Analytics (UEBA) technology can be one way to detect the tell-tale signs of cultural issues.
Stress testing is another necessary activity. The risks that you will face are not static and will adapt, so you will need to regularly check that your security processes remain appropriate to combat the evolving threat landscape.
Laws and regulations tend to be worded in deliberately general terms, leaving the onus on you to ensure you are following best practice. So a proactive approach is key: you need to stay constantly updated with cutting-edge technology to ensure your framework is still fit for purpose.
For many, compliance – especially while in the headlights of major step changes such as GDPR – can be seen as a term simply too big to tackle. But by breaking it down into these three cornerstones, it’s easier to form a step-by-step approach to becoming and staying compliant.
Dr. Jamie Graves, CEO, ZoneFox