Compliance Series: Part 3
With all the rules and regulations surrounding the compliance alphabet soup in play today, it will take more than one person to bring your company in line. We’ve laid out the multiple roles needed to up your compliance game, especially when it comes to HIPAA, PCI, and GDPR.
Your first line of defense against compliance failures is the technology in use and the team you have to maintain it. Consult with your IT team to discuss:
- Email Encryption: How are emails and files that go in and out of your office protected to avoid nefarious hands and revealing identifying information?
- Data Encryption: How do you collect and retain credit card information? Are there any gaps where that information could be stored or released in an identifiable way?
- Firewall: Are you protecting your company data and communications using a screen door that is easily opened by hackers, or are you using a multi-level security system preventing intrusions?
- Backups: How often, when and where is your precious company information backed up? Can you test your backups to prove that they’re effective? Is your current backup plan compliant with regards to customer data?
- Data Availability and Storage: Who has access to your data? Only certain individuals in your company should be able to access all data, like financial records or payment information. How are you restricting access on your network or within line of business applications to ensure safety?
- Physical Access: Who can actually access computer systems and servers? Do you train your staff to lock their systems every time they leave their desks? Are you using privacy filters on appropriate screens to avoid wandering eyes?
Internal Compliance Officer
While this may not need to be a full-time role within your organization, you should have a compliance champion on staff. Your IT company can absolutely set you up for success, but they are not around to police your staff every hour of the workday.
The Compliance Officer is responsible for ensuring that your staff follows important compliance policies, maintains vigilance surrounding compliance, keeps documentation up to date, and works with authorities if necessary. Specifically, they:
- Watch for employees falling into bad habits, like leaving computers unlocked or sending credit card data willy-nilly throughout the organization.
- Conduct/coordinate online or in-person training to keep compliance top of mind. We recommend quarterly training, at least, in addition to proper education as soon as a new employee comes on board.
- Maintain all the documentation required for compliance, like backup plans and communication standards.
- Liaison with federal and state regulators, as necessary to prevent or mitigate an issue (with the support of your IT Team and legal team).
You can have the best technology, the most intense compliance officer, and still completely fail at successful compliance if your employees are not onboard. At the end of the day, it comes down to successful employee implementation and clear communication. In order to get employee buy-in, here is what we recommend:
- Gather everyone together: When you first make tweaks to your company’s security protocols to ensure compliance, explain why to your team. If they suddenly all need to remember 16-character passwords, replace those passwords every 90 days and have 5-minute time outs on their systems; they’d appreciate learning it’s not because you’re paranoid. You can utilize your IT Team to conduct this meeting.
- Send regular reminders: It’s simple to fall into what’s “easier” rather than compliant. Consider sending a weekly or monthly compliance tip to all of your staff to keep it top of mind.
- Conduct ongoing trainings: These trainings should be mandatory, involve your IT team, and vary enough to stay interesting. Quarterly should be sufficient unless some regulation change calls for additional meetings.
- Multi-departmental planning: Different teams have different uses for data. For example, what makes the salesperson tick may make it impossible for accounting to operate within compliance. When it comes to collecting information that must be compliant, every department must be involved in process development to create smooth operation within rules and regulations.
Compliance is not a one-man game. It involves the whole company and IT team engagement to really be successful. Next blog, we’ll cover the processes necessary to build a compliance-friendly environment.