Every IT team, no matter the size or industry of their organization, must be aware of compliance mandates and operate to meet their appropriate requirements.
Defining compliance
Keeping data secure, available, recoverable and documented is something every organization must do each day. Whether that work is driven by playbooks or by reporting, companies need to be compliant with regulatory guidelines and corporate standards.
Compliance mandates come from various sources, including the government, industry regulators and internal mandates, but simply put, compliance is following a set of expectations and requirements. In the data protection world, maintaining compliance is about being able to meet data security mandates and provide information on-demand to document if you are, or are not, meeting these compliance expectations.
During the Compliance and Data Protection webinar at the Veeam Enterprise Data Protection Summit, Jeff Reichard, Veeam Vice President of Public Sector and Compliance Strategy, discussed the importance of compliance for organizations.
“Basically, meeting any compliance mandate is a combination of people, process and technology,” Reichard said. “You have to train your people; you have to make sure that you’ve got processes in place to manage whatever your mandates are; and you have to have the correct technology to enforce that.”
Regulatory compliance in action
Regulatory compliance can cover all aspects of business. But one thing common across all industries is the mandate to protect data. Most data-focused regulatory statutes do not spell out how to back up, protect and restore your data and applications if something goes wrong, but they often mandate in general terms that organizations must do so, and they require that an organization demonstrate it is compliant or face penalties.
Below are some common examples of how broad compliance rules and laws include provisions related to data protection, recovery and security:
- Health Insurance Portability and Accountability Act (HIPAA): This law is commonly known for keeping health information confidential between the patient and a provider, but that's not its only requirement. It also mandates how long, and how securely, patient information must be stored, including backups, and that organizations have disaster recovery plans.
- Sarbanes-Oxley Act (SOX): SOX requires public companies to establish internal controls, including controls on data security, and to be more transparent about how they manage their financial records. It also requires those companies to have a specific data disaster recovery plan in place to protect all the sensitive information they collect.
- General Data Protection Regulation (GDPR): GDPR, in force in the European Union since 2018, mandates more transparency into how organizations manage people's personal data. An organization must be able to report on what data it has collected about a specific person if that person requests it. It also established the "right to be forgotten," which means an individual can request that an organization delete personal data connected to that individual. Backup and recovery processes must therefore accommodate these rights and the deadlines for honoring them.
Differentiating between regulatory compliance and corporate compliance
Regulatory compliance is what we've been focused on so far: a government, or governing body, passes a law or regulation that organizations must follow to remain in good standing and retain certification, or else be assessed a penalty. The other form of compliance is corporate compliance. The two forms are often related and intertwined. If regulatory compliance is an external factor for organizations, corporate compliance mandates are often built from those external expectations and wrapped in internal operational procedures to ensure compliance.
Corporate compliance is the internal policies and strategies implemented to remain compliant with the regulatory side, but also uphold a business’s culture and operational processes. In many cases organizations may have requirements that go well beyond what regulators require.
Many organizations now have Chief Compliance Officers (CCOs) as part of the leadership team to help guide the day-to-day work of maintaining compliant operations. Their work can entail developing compliance schedules, keeping an eye on ever-changing regulatory requirements, and creating and refining internal standards to ensure the organization stays on track within its own compliance structure.
In the compliance webinar, Gianluca Mazzotta, vice president of EMEA sales at Veeam, pointed out that while the office of the CCO may ultimately have responsibility for compliance design and oversight, all levels of an organization need to be transparent and involved to meet regulatory obligations.
“The executives have to understand consequences and legal risks if something bad happens, and the organization falls out of compliance,” Mazzotta said. “So, of course, risk management has to be involved, and all the C-levels have to be involved as well. But we have to understand that all the other layers of the company have to be involved in terms of enablement.”
Corporate compliance best practices
There are key components that can ensure your corporate compliance structure is strong. Maintaining compliance protects the organization from imposed penalties and consequences but also protects the organization’s reputation. People do business with companies they trust.
- Set specific goals: Organizations should have goals they want to meet. That could mean hitting requirements set by a law, or even improving internal standards that are already in place.
- Communicate: Companywide communication is an essential ingredient to keeping compliance clean and on schedule. Let employees know why the work they are doing is important. Communicate the values of the company and tie those core values to your corporate compliance standards. Train employees during onboarding and provide continuous education to reinforce those values.
- Empower employees: Front-line workers are the organization's eyes and ears. They are the ones tasked with generating those data reports and enacting disaster recovery plans. If something is wrong, they need to know they can comfortably speak up.
- Have established procedures and schedules: Plan a schedule for reporting and auditing so you’re always aware of compliance status. Some tasks may be yearly and others daily or hourly depending on their criticality or risk value. The bottom line is having to ask, “Are we in compliance?” is a horrible way to start any conversation.
- Stay current on new regulations: Remaining compliant on the regulatory side is not a static situation; new regulations are put in place (or removed) over time. Organizations need to continually review their own policies to make sure they are keeping up with, or even ahead of, new compliance requirements.
To learn more about corporate data protection compliance and how Veeam can help, check out the webinar with Jeff Reichard, and his conversation with Gianluca Mazzotta and other data protection thought leaders. You can also visit Veeam for more information.