Regulatory Compliance

How to get to grips with the three pillars of compliance

This is a contributed piece by Dr. Jamie Graves, CEO of ZoneFox

Talking about compliance as an exercise – or even as a distinct process – now seems hopelessly old-fashioned. If they ever existed at all, the days when information managers were able to simply ‘do’ compliance and then forget about it for another six months are long gone.

Just as the law has changed, so too has the nature of compliance. Nowhere is this more clearly illustrated than with the upcoming General Data Protection Regulation, or GDPR. For the first time, there’s an across-the-board notification duty, so if a personal data security breach occurs, the regulator needs to know about it – and quickly.

Among other changes, security now has to be hardwired into your infrastructure and processes (also known as privacy by design), as the regulation ushers in a series of new rights for individuals. As the holder of the data, it’s your job to ensure these rights can be exercised.


To stay on the right side of the law, compliance is now everyone’s business: it’s not about ticking boxes, but about building a culture of compliance throughout your organisation. From day-to-day interactions with customers, through to upgrading your security measures, compliance should shape and determine your decisions across the board.

So how do you approach compliance? How do you then become compliant? And how do you stay compliant – not just in 2017 but looking further ahead? Let’s look at these three pillars in turn:

Approaching data security compliance

A powerful tactic for beginning the journey towards compliance is to integrate it into your risk assessment process, as there has always been a marked overlap between risk management and compliance. The line always taken by legislators and regulators – whether they’re representing the EU or our own Information Commissioner’s Office (ICO) – is that a robust legal framework should be seen as a positive thing. In other words, the law exists not just to safeguard customers, but also to make businesses better able to manage security risks.

Compliance readiness usually involves taking positive steps to strengthen your security posture. So, in this respect, it’s true that there is a ‘carrot’ element to compliance: take it seriously and you can make your business stronger.

But of course, along with any carrot comes the stick: get compliance wrong and there’s the possibility of being hit with a penalty – along with all the financial and reputational repercussions which follow. And with GDPR ushering in maximum fines of up to four per cent of global annual turnover, that ‘stick’ is getting bigger.


This has numerous implications. Firstly, for any legal or regulatory change, your preparation and readiness project should always involve revisiting your risk assessment. Furthermore, regulatory risk should be treated as a distinct risk category, with its own section in that risk assessment, making it easier to identify the new obligations that laws impose as they are introduced. Lastly, you should consider how a new law affects other areas of your risk assessment – which is especially relevant to impact evaluation. For example, data theft by an insider might lead not just to losing customers, but also to an ICO investigation.

You also need to ensure that compliance awareness training filters through your entire organisation – not just those involved with information management. Penalties for non-compliance fall on the organisation in its entirety, but often it is the day-to-day actions of ordinary members of staff that give rise to breaches in the first place.

To avoid these kinds of situations, it is important to revisit your code of conduct and guidelines. People will follow rules more closely if they know the reasoning behind them, so giving this context is important. Make sure people know why they have to follow these rules, and what the repercussions of non-compliance could be. One way to really drive these compliance points home is to contextualise training around real-life examples.

Becoming compliant

The first aspect of becoming compliant is to refer to the guidelines. Ignorance of the law isn’t any kind of defence, which is why tracking legislation and regulation as it develops is an important part of information security.

For the most part, big changes are usually well signposted. The ICO and industry-specific regulators are the natural first port of call for guidelines. That said, the more you are able to ‘read around’ the topic, the easier it becomes to pinpoint the practical steps you need to take to ensure compliance.

Organisations then need to make sure they are making purchasing decisions in a compliance-friendly way. A change in the law can provide the call to action an organisation needs to review its IT framework. But many businesses see this as a limited, reactive process: buying the solution needed to fill the compliance gap.

Specific business needs should be the focus – and finding the solution that best fits them. What risks are you faced with, from a technical, business and regulatory perspective? Does the solution make your organisation better equipped to address these risks? And does the solution actually add any value to your organisation? These are the kinds of questions you need to be asking when making purchases, not simply whether a product ticks the right boxes.

Staying compliant

As we’ve said, compliance can’t be ‘done’; it is an ongoing process, which demands several steps to be carried out.

Monitoring your compliance culture should be an ever-present task. An organisation’s culture manifests itself through the behaviour of its people. Are employees still playing fast and loose with customer data? Are they drifting towards potentially problematic scenarios? User and Entity Behaviour Analytics (UEBA) technology is concerned with behaviour and can be one way to detect the tell-tale signs of cultural issues.

Stress testing is another activity that should be carried out regularly. The risks you face are not static; they adapt and evolve. Therefore, you need to check regularly that your security processes remain appropriate to counter them.

Laws and regulations are built to last; they tend to be worded in deliberately general terms – leaving the onus on you to ensure you are following best practice at any given time. So, a proactive approach is key here: you need to constantly survey the state of the art to ensure your framework is still fit for purpose.

For many, compliance – especially while in the headlights of major step changes such as GDPR – can be seen as a term simply too big to tackle. But by breaking it down into these three pillars, it’s easier to form a step-by-step approach to becoming and staying compliant.
