The recent implementation of GDPR has made IT compliance a board level topic. Whilst GDPR itself is concerned with data privacy, It has forced organisations to think more widely about the implications of their business processes and to understand that they need to have controls in place to ensure that not only are they acting correctly, in line with regulations, industry standards and best practice, but they can prove that they are doing so.
Compliance spans every aspect of business. Used correctly it can help to ensure that an organisation moves forward in their desired direction, and can provide commercial advantage by opening up new markets and providing reassurance to staff and customers alike. The aim should be to develop governance policies that support the organisation’s objectives and strategic plans, which could be in operational functions and/or in company values and behaviour, and then to implement them effectively. Doing this requires sustained board level commitment, resources and time. Compliance is part of business as usual (BAU), not a one-off activity each time new legislation comes around.
After working with a wide range of organisations across the public and private sectors, we have identified the five biggest corporate challenges in compliance. Here we look at how they can be addressed.
- Maintaining compliance in a changing landscape
The most important lesson that organisations should learn from GDPR is that regulations do not stand still, but are continually changing. Just because GDPR policies are now in place, organisations cannot sit back and put a tick in the compliance box for handling Personally Identifiable Information (PII). Data management will change as organisations change, along with their ever-expanding range of customers and suppliers. Similarly, technology and cyber threats do not stand still, nor does company strategy, so governance, risk and compliance need to at least keep pace.
To address this, organisations need to have processes in place for understanding existing regulations, translating them into policy and practice, and for ensuring constant adherence to those regulations. They require a process for capturing new regulations well in advance in order to incorporate them into their existing governance. Additionally, they need to ensure that they fully understand their specific operating landscape in respect of assets, threats and vulnerabilities, from changes in government policy to cyber security risks, and ensure that these are addressed in their compliance polices and processes.
- Skills shortage
Compliance requires support and buy-in throughout an organisation. Implementing it effectively requires a team comprising different levels of capabilities to plan, design, build, operate, monitor, react and improve.
This requires specific skills and experience, some of which may not be available in-house, particularly in SMEs, so it may mean engaging in external organisations to supplement internal knowledge. This could include an initial audit to assess the current situation; support for implementing specific systems where the organisation does not have existing in-house expertise; and working with experts on specific standards and regulations which the organisation would like to achieve.
- Time and resourcing
Compliance is not a one-off activity, but has to be part of business as usual, as it requires continual service improvement to steer the organisation in the right direction. This means ensuring it is included in employee job roles as a core activity, not a series of tasks that are carried out when needed to show compliance, without any focus on their real value to the organisation. All staff should be trained so that they are fully aware of their responsibilities, the threats that exist and threat vectors. This means putting place cyber security training and awareness, with acceptable use policies that are linked to HR policies.
Achieving and maintaining industry standards, which may be included in compliance activities, is a costly undertaking. Once an organisation has met a standard and obtained the badge, its customers will expect this standard to be maintained, which will require regular audits and updates and hence time and resources. However, achieving specific standards may open up new business opportunities and hence revenue streams. This value add needs to be understood and embraced by organisations, with new compliance supported by a fully justified business case.
One approach we have successfully implemented in our organisation to streamline governance is to consolidate our security, quality, environmental and service management systems (ISO27000, ISO9001, ISO14001, and ISO20000). This means that we now, in certain areas, have single policies to manage instead of multiple policies across different systems.
- Response and remediation
Although compliance is part of business as usual, handling any non-compliance or security breach that may occur is reactionary, and resources may need to be diverted from other activities to ensure that the issue is resolved promptly.
In order to ensure a rapid response, organisations need to understand the priorities if a breach occurs and what the appropriate actions are. This requires a major incident process that needs to be implemented for both security breaches and data protection breaches, with inbuilt levels of communication to ensure that users, customers and governing authorities are informed and managed within the required legislative timescales and with the required scope of information. Then the corrective and preventive actions need to be identified and adopted, with continual service improvement embedded to make sure that lessons are learnt and actioned.
- Risk management
Risk management is an important aspect of compliance and needs to be incorporated into policy and practice. Every organisation has its own appetite for risk, which depends on three factors: its ethical stance and culture; the legal and potentially moral frameworks it operates in; and its security requirements, which will depend to some extent on the sector in which it operates.
The organisation needs to invest in the right level of resistive strength to balance against the increasing threats and threat vectors, taking into account the cost to the business if a threat succeeds. Its chosen stance should be reflected in tailored management systems such as an Information Security Management System (ISMS) or a Quality Management System (QMS), where IT security is key to business development and sustainability; a Service Management System (SMS) for those who wish to focus on customer satisfaction; and an Environmental Management System, for those who want to assure their community and ethical values and align these systems with the appropriate ISO best practises.
A business investment
Compliance is vital to every organisation, and should be considered as an investment that adds value to a business, not a burden. By tackling these five challenges, organisations can ensure that they build it into the way they work. Addressing changes in legislation such as GDPR then become much less onerous and can be seen as an opportunity.
By Neville Armstrong, Security and Compliance Manager, Fordway
European Data Protection Summit will take place on June 3rd in Central London and will play host to 800 DPO’s, Security Professionals and senior business decision makers looking for; information, updates, clarity, advice and solutions. For more information, visit the website.
We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.