A Regulatory Tsunami Is Coming: Are You Prepared?
In December, a coalition of more than 200 banks, retailers and tech companies called on Congress to draft stricter privacy legislation. Coalition members said they believed that all companies should be subject to the same rules, regardless of their size or industry, and that there should be a national standard for data-breach notifications.
The fact that private industry was itself calling for legislation is significant. Companies are now acutely aware of the financial and public relations fallout from data breaches, so much so that they are actually asking lawmakers to hold them to higher standards. The public is equally anxious about data privacy.
And it's that combination that makes it extremely likely that tougher data regulations are headed down the pipeline.
All this comes on the heels of the General Data Protection Regulation's (GDPR) implementation in the European Union last spring, plus the passage of the California Consumer Privacy Act last summer. Congressional Democrats and Republicans are currently butting heads on the issue, with the GOP interested only in a federal law that would supersede any state regulations.
What does small business think of all this? Considering that California's law goes into effect in January 2020 and that nearly every other state has proposed various data privacy legislation, small businesses are obviously eager to avoid a potential patchwork of state laws. The regulatory waters are already choppy enough.
Some industries, like finance, are accustomed to data regulations. Considering the scope of potential new regulations, however, that finance-sector experience won’t count for much. The simple fact is that every company in America needs to prepare for new compliance challenges throughout 2019.
Have you thought about what compliance means to you?
Most companies expect pending regulations to be modeled on the GDPR that now applies to every business serving customers in the European Union. GDPR levies fines for every single record that is exposed in a breach, meaning fines can run into the millions (or even billions) of euros (do the math in U.S. dollars).
If the size of those numbers is troubling, consider the likelihood of a fine. Forthcoming regulations will obligate companies to take a whole new approach to data and customer engagement. Adjusting to complex, wide-ranging new regulations won’t be easy. Companies may be eager to comply but find themselves in trouble because they’re unable.
The ever-increasing threat of cybercrime is another worry. Today’s hackers are both tenacious and sophisticated, making cybersecurity incredibly difficult to ensure. Following whatever regulations are released won’t make companies immune to attack or exempt from fines -- though it will make them better protected than they are today.
Making compliance simple and certain
We don’t yet know what form any new regulations might take or how they would affect individual companies. Luckily, the details are not necessary for businesses to begin building a better approach to compliance. The goal is to make managing compliance simultaneously easier and more consistent. Start with these steps:
1. Collect data from across channels.
Don’t think of data as "regulated" versus "unregulated." All data is potentially sensitive, so instead of protecting some data, companies should begin protecting all data equally. That starts with businesses being able to collect data from as many sources as possible for storage on one platform that’s been standardized for compliance.
Xerox recognized the value of standardization when, in 2017, it established an Office of Compliance, which strives to create a positive corporate compliance culture by helping employees do diligent work, and ensuring that senior leaders and all members of management send consistent messages. This office also constantly reviews and updates corporate policies to align with evolving regulatory and legal requirements.
Such top-down coordination will be essential once fast-moving data in multiple formats becomes subject to privacy laws. Think of it as a dedicated compliance team that's entrusted to stay abreast of each new development and respond accordingly.
Companies of all sizes should copy Xerox and make an effort to codify their compliance protocols -- the sooner, the better. Just make sure to stay open to the possibility of procedural changes, as forthcoming regulations will surely require flexibility as they are introduced and enacted.
2. Facilitate internal and external audits.
Audits are crucial for compliance. Complying with auditors often means turning over massive amounts of information. Alternately, conducting internal audits allows companies to find and correct issues before the regulators even arrive. In either case, companies need to have on-demand access to all their data; otherwise, any kind of audit is a burden.
Having all data on a platform accessible with unified search makes retrieval basically effortless. Nikon understands that a fast response is important -- so much so that it has developed independent systems. These systems enable the company's internal audit department to review compliance with laws and regulations, as well as with internal rules, without interference from operational divisions.
An overview of each department’s annual activities -- to determine primarily whether divisions' operations are being conducted in accordance with laws and regulations, as well as to create proposals for improvement -- is provided to the company’s executive committee and board of directors.
Picture how much easier external investigations will be to manage after your company performs numerous dry runs. Practice makes perfect. As regulations evolve over the course of 2019 and beyond, reacting and adapting fast will be key. Get a head start by instituting a system of internal audits as soon as you can.
3. Practice good governance.
Regulations dictate how a company must act both before and after a breach. Because of that increased scrutiny, companies must become hyperaware of data security. If, for instance, a breach went undetected, and therefore unreported, the resulting fine could be multiplied. Considering how unpredictable cybersecurity can be, companies need to have plans and policies detailing exactly how to act after a breach.
General Electric helps its global workforce keep compliance top of mind by employing about 800 compliance leaders and more than 600 part-time ombudsmen to serve as sounding boards.
Instead of trying to sweep compliance issues under the rug, GE confronts them head-on, ensuring that concerns are heard and addressed, and utilizing a hotline where employees can report any compliance concerns. Workers can also go to their managers with those concerns. The idea is that honest, open dialogue among all parties will stop many problems before they have a chance to start.
Every company should follow GE's lead. Sure, you likely don't have hundreds of employees to commit to the task, but having a layered network of oversight will help eliminate blind spots and stay on top of new legislation.
Avoiding hefty fines and negative publicity is important, but penalties are not the core reason to care about compliance in 2019. What is: Customers care about their private data and are tired of seeing companies misuse it.
In that way, regulators are paving a path for companies to thrive in a future economy driven entirely by data.