Depending on where your organization does business, you might have to deal with laws and regulations within your home state, in other states and regions across the country, or even internationally.
Further complicating matters is the fact that regulations are living things that are constantly evolving. If you don’t know the latest changes to GDPR, for example, you may very well be exposing your business to serious risk. And it’s not just the big headline regulations that you need to worry about. Smaller changes are happening at the state level, in places like New York, Maine, and Nevada, and these could pose their own compliance challenges to your organization. If you don’t know how the California Consumer Protection Act might affect you, for instance, you could be in for a world of trouble.
The reality is that ensuring your business is compliant is no small feat. And yet it’s incredibly important because the stakes are high.
Fail to be compliant and you risk fines, reputational damage, and, in some jurisdictions, even the possibility of jail time.
Even if you think your company is on top of all of the laws and regulations that could potentially impact your business, that may not actually be the case.
So, are you compliant?
Want a quick, informal test to see whether you’re compliant with all of the regulations that apply to you? Read on and you’ll find four clear signs that you may have underestimated your compliance needs and could be putting your organization at risk.
- You can’t answer other people’s questions. Imagine receiving an RFP as part of your presales negotiations that contains a question about a law you don’t know. It could happen, right? But if you were truly compliant, or working with a third-party compliance expert, you’d have a comprehensive understanding of all of the laws and regulations, and which ones do and don’t apply to your organization. If you can’t answer a question about a particular law or regulation, you very well may not be compliant with it.
- You get a request you don’t know how to respond to. If you’ve ever found yourself in the position where you’ve just received a request for information from a patient or an authority and you don’t know how to respond, you might not be compliant. Say, for example, that the ICO (UK Privacy Commission) contacts you about an Article 15 DSAR. Would you know what to do? Would you know where all of your sensitive personal data is stored and processed so that you could provide what the ICO wanted? Do you even know who the ICO is? If requests like these leave you scratching your head, there’s a good chance that you’re not compliant with everything that you need to be.
- You receive a finding from a third-party organization. If your company is pursuing a certain designation, such as HITRUST certification, and you receive a finding, you’re non-compliant. A finding is a notice indicating that you’re not compliant with a specific standard because you were unable to provide a critical piece of information about your compliance infrastructure. Examples could include the level of encryption you’re using or whether you’re managing data disposal in a way that’s compliant with NIST SP 800-88. By the way, if you don’t know what NIST SP 800-88 is, you’re probably not compliant with it.
- You randomly hear about a change to a law you’ve never heard of. Let’s say you’re watching the news and happen to hear about a change to a law that you haven’t come across before. Maybe it’s the California Consumer Protection Act, or maybe it’s a new state law in New York or Nevada. If you’re just learning about the law from TV or from a newspaper, there’s a very good chance that you’re not compliant.
Don’t get caught unprepared
If any of the scenarios above sound like they might be possible at your company, you need to take action to safeguard your business.
Fundamentally, there are two ways to approach compliance. The first is to have compliance experts in house whom you can call up at any time, day or night, and who can immediately answer any questions you have about the regulatory environment. Better yet, they should be able to tell you how your company is performing against all of the regulations that are relevant in the locations where you do business, and where the risks and opportunities for your business lie. While this is certainly an effective approach, the reality is that it’s also costly and not particularly efficient.
The second option is to partner with organizations that provide holistic compliance services and keep their eye on the regulatory ball for you. In doing so, they can provide the deep expertise you need to ensure compliance in a way that’s fast, efficient, and cost-effective. At ClearDATA, we do just that. We’re uniquely focused on security, privacy, compliance, and risk. Plus, we bring decades of knowledge and experience from the healthcare industry to bear on everything we do. That means you don’t have to wonder if your environment meets regulatory compliance frameworks. We’ll help you interpret and map regulations, as well as provide 24/7 visualizations in our Compliance Dashboard.