Writing a data compliance policy is one thing. Putting it into action? That's a whole different animal. PHOTO: Andrey Larin

UK Information Commissioner Elizabeth Denham addressed one of the most significant impacts of the upcoming European Union General Data Protection Regulation (GDPR) during a recent data protection conference in Europe: A company with a significant data breach can incur a fine of up to four percent of global annual revenue.

For some companies, this means data breach fines could potentially reach billions of dollars. 

Denham went on to share her vision of enforcement considerations under the new law. She acknowledged that expecting anything along the lines of perfect security is unreasonable, because 'perfect security' does not exist. 

Companies will experience breaches. And when necessary, the Information Commissioner's Office (ICO) will investigate not only the security policies and procedures that companies have in place, but also the technical controls they have implemented to mitigate risk. 

In other words, paper-based policies won't be enough if companies cannot also demonstrate they are actually doing what those policies say. If a company can demonstrate it is in compliance with its policy every step of the way, then it’s unlikely it will face severe penalties. 

Compliance Defined

But what do we actually mean when we speak about compliance? 

According to Merriam-Webster, compliance is defined as:

  1. The act or process of complying to a desire, demand, proposal, or regimen or to coercion.
  2. Conformity in fulfilling official requirements.
  3. A disposition to yield to others.
  4. The ability of an object to yield elastically when a force is applied.

While information managers, general counsels and policy officers may find each definition applies in some way, option two is most accurate in this context. Whether an organization is subject to external regulatory compliance or its own specific policies, compliance typically means conforming to requirements, and in most situations, being able to prove that your organization has done so. 

Businesses usually achieve this by developing organizational policies that map out expected behaviors. Many factors go into the determination of an organization’s policies, including statutory and regulatory requirements, company or organizational best practices, and market demands. 

Regulated organizations like government agencies, financial services businesses and healthcare providers must develop internal policies in order to ensure compliance with the law. Retailers and public companies have more flexibility, but may still need to follow the guidelines of government agencies like the Federal Trade Commission (FTC), which regulates privacy under its authority to protect the public from unfair and deceptive trade practices. 

Putting a Compliance Policy into Practice

The real challenge comes from the intersection of policy and practice. Regardless of the source of the mandate, all organizations face one challenge: Once they have created their policies, how do they enforce them and measure their effectiveness?  

On the surface, this may seem like a simple task. But in practice, the dilemma is that creating a policy without any enforcement mechanism (automated, manual or third-party) involves a great deal of trust and assumption. How do we know if people will live up to our expectations? How do we know if those expectations are even reasonable? 

Aside from legal and statutory requirements, we must also understand how policies relate to operational practices, people and technologies within our organizations in order to be truly effective.

How to Bring People, Processes and Technology into Your Compliance Policy

A model that integrates policy with people, processes and technology should include a combination of education, monitoring and enforcement. 

  • Education needs to extend beyond the traditional, once-per-year privacy and security training. It should focus on operational implementation and on training employees in how to use the corporate systems provided to do their jobs effectively and securely. Investments in ongoing education encourage better adoption and build a more responsible workforce.
  • Monitoring should be an ongoing practice rather than an occasional review. While educating and empowering employees to do the right thing with information is important, it’s equally important to verify they are doing so. “Trust and verify” should be the mantra of a responsible compliance program.
  • Enforcement is a critical component of a good compliance program. Technical controls (or enforcement) can be implemented as both transparent and non-transparent measures. Transparent controls are invisible to the end user; non-transparent controls are visible. An example of a transparent control is an employee putting unencrypted protected health information on a public site and the data being automatically redirected and/or encrypted without the employee's involvement. In the same scenario, a non-transparent control would be the employee receiving a pop-up notice stating that they must move the data to another location or encrypt it. Both types of controls serve an important purpose in your workforce's education and in the improvement of your compliance posture.
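To make the transparent versus non-transparent distinction concrete, here is an added example (not code from the article or from any product it mentions) of a minimal policy enforcement point in Python. It inspects an outbound transfer for constructed PHI indicators, checks whether the destination is an approved encrypted store, and then either silently reroutes the data (transparent control) or holds it and tells the user what to fix (non-transparent control). Every decision is also appended to an audit log, which is the "monitoring" half of the programme. The PHI patterns, the `phi-vault.internal.example` store name and the `TransferEvent` shape are all assumptions for illustration; the actual encryption step is assumed to happen at the vault and is not shown.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed, deliberately simplified PHI indicators: a US-style SSN and a
# hypothetical medical record number format "MRN-" followed by 7 digits.
# Real DLP rule sets are far broader; these two exist only for illustration.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN-\d{7}\b"),
}

# Hypothetical destination classification: any host not in this set is
# treated as public and therefore not approved for unencrypted PHI.
APPROVED_ENCRYPTED_STORES = {"phi-vault.internal.example"}
REDIRECT_TARGET = "phi-vault.internal.example"   # assumed encrypted store


@dataclass
class TransferEvent:
    user: str
    destination: str      # host the user is sending the data to
    content: str
    encrypted: bool = False


@dataclass
class Decision:
    action: str           # "allow", "redirect_and_encrypt" or "notify_user"
    findings: List[str]
    message: str = ""
    destination: str = ""


# Shared audit trail: this is what the monitoring function reports on.
AUDIT_LOG: List[dict] = []


def find_phi(text: str) -> List[str]:
    """Return the names of the PHI patterns that match the text."""
    return [name for name, pat in PHI_PATTERNS.items() if pat.search(text)]


def enforce(event: TransferEvent, transparent: bool) -> Decision:
    """Apply the policy to one transfer and record the outcome.

    transparent=True  -> reroute silently (user never sees the control)
    transparent=False -> hold the transfer and notify the user
    """
    findings = find_phi(event.content)
    safe = (not findings
            or event.encrypted
            or event.destination in APPROVED_ENCRYPTED_STORES)
    if safe:
        decision = Decision("allow", findings, destination=event.destination)
    elif transparent:
        # Transparent control: data is silently redirected to the approved
        # encrypted store; the employee's workflow is not interrupted.
        decision = Decision("redirect_and_encrypt", findings,
                            destination=REDIRECT_TARGET)
    else:
        # Non-transparent control: the transfer is held and the employee is
        # told what to change, which doubles as in-context education.
        decision = Decision(
            "notify_user", findings,
            message=(f"Content contains {', '.join(findings)}; encrypt it "
                     f"or move it to {REDIRECT_TARGET} before sharing."),
            destination=event.destination)
    AUDIT_LOG.append({"user": event.user, "to": event.destination,
                      "findings": findings, "action": decision.action})
    return decision


if __name__ == "__main__":
    # Constructed sample transfer: a visit note headed for a public share.
    ev = TransferEvent("alice", "public-share.example",
                       "Patient MRN-0012345 visit note, SSN 123-45-6789")
    print(enforce(ev, transparent=True))
    print(enforce(ev, transparent=False))
    print(AUDIT_LOG)
```

Both branches log the same finding, so the monitoring view does not depend on which control style a given workflow uses; only the user's experience differs. In a real deployment the pattern set would come from a maintained classifier and the approved-store list from an inventory, not from constants in the module.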

As part of this methodology, organizations should explore how technology and policies can make it easier for employees to do the right thing. 

The organization should actively review policies as necessary to ensure they are effectively and accurately measured, while reporting on conformance. This will ensure not only the highest degree of compliance, but also provide data so an organization can react quickly should processes require any change amidst the rapidly evolving business environment.

An Investment in Trust

Enterprises — whether regulated or not — must be vigilant in creating policies, training programs and automated controls to prevent and monitor appropriate access, use and protection of sensitive data. 

Doing so will not only mitigate the risk of regulatory and statutory penalties and consequences, but goes far in preventing unnecessary erosion of employee or consumer confidence in the organization as the result of a breach or loss of sensitive data.