In most organizations, the decision to make a financial investment typically fall into three categories: 1) It makes us money – New business models; 2) It saves us money – Process improvements; and 3) It keeps us out of court – Fines, penalties and lawsuits.
While spending to ensure compliance with corporate and regulatory policies might continue to be in third place, companies of every size are being forced to pay more attention to their compliance and security posture.
The current administration’s changes to labor laws, the General Data Protection Regulation (GDPR) and data breaches are dominating news headlines, and they are the same issues causing organizations to take a proactive approach to compliance.
Changes to Labor Laws
Politics aside, when laws and regulations change, companies must adjust to comply with those changes. Yet another revision to I-9's went into effect on September 18 and fines for noncompliance are increasing with Equal Employment Opportunity Commission lawsuit filings up 75 percent over last year. Along with the changes to I-9s, there are also changes to how employers must re-verify work authorization documentation for foreign workers. As companies work through these changes, they now must start to consider implications from the end of DACA and potential changes to healthcare.
While a self-audit of processes and documentation might seem like the answer, this can be a drain on human resource departments. Companies must take advantage of technology advancements in onboarding solutions that provide E-Verify and I-9 management as well as automatic updates that adjust to legislative mandates. Organizations should also move to digital employee document management with features that provide proactive notification of important missing or expiring documentation and secure data rooms to give auditors access to the information needed. With increasing penalties and shorter windows to respond, a reactive, manual approach to audits will result in fines and high costs to respond promptly.
Tired of hearing about the GDPR? Well, get used to it because the May 25, 2018, deadline for compliance is rapidly approaching. There continues to be uncertainty in some organizations around compliance. That uncertainty can be costly because GDPR carries heavy penalties of up to $20 million or 4 percent of annual revenues. Statistics show many companies do not understand the impact of GDPR on their business. For those U.S. companies that know they need to comply with GDPR, only 2 percent were fully prepared. U.S. companies who "offer goods or services to, or monitor the behavior of, EU data subjects” must comply with the regulation. Per the GDPR FAQs, “It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.”
There are many consultants, law firms and cloud providers assisting organizations with GDPR compliance, but in most cases ongoing compliance will require either new technology or modifications to existing applications. Better data governance tools for transparency, record keeping and reporting will be needed to meet personal privacy requirements around access, deletion and audit history.
According to the latest report from the Ponemon Institute, 47 percent of data breaches are the result of malicious or criminal attacks with human error (28 percent) and system glitches (25 percent) making up the balance. System glitches include both IT and business process failure and are a clear indicator that organizations are not doing all they can to prevent data breaches and that they are not compliant with internal or external policies. While the 2017 global average cost of a data breach dropped 10 percent to $3.62 million, the average number of records exposed in a breach and the number of breaches increased. The cost of a data breach combined with lawsuits, fines and damage to reputation can harshly affect a company. Over time large enterprises may recover from a breach, but for small businesses, a cyber-attack could put them out of business.
Increased spend on data security technologies and services can no longer be avoided. Over-worked IT departments are turning to vendors with expertise in information security to bolster their data security programs. Proactive, regular vulnerability scans identify weaknesses and give organizations time to mitigate the risk before hackers can exploit it.
Smart organizations are making the necessary changes and investment to move away from a reactive approach to compliance. What many companies are starting to understand is a proactive approach to compliance increases their chances for success, saves them money and will help support new business models. Perhaps compliance is becoming a business enabler and not merely an expense to ensure companies are protected.