Updated: March 6, 2023


Making Sense of Compliance


by Barry Briggs

Before joining Directions on Microsoft in 2020, Barry worked at Microsoft for 12 years in a variety of roles, including...

Most organizations face the need to comply with—and demonstrate compliance with—a growing number of relevant laws, statutes, and industry standards; not doing so can lead to severe penalties. For example, infringements of Europe’s General Data Protection Regulation (GDPR) can result in fines of up to 4% of annual revenues; Canada has recently introduced legislation with even higher penalties, and other countries and jurisdictions now have similar laws. Worse than the legal penalties, perhaps, is the reputational damage an enterprise is likely to suffer.

Proof of compliance (or lack thereof) is often found in IT computing resources, such as databases and applications. As the amount of data grows and the number of data sources (ranging from corporate databases to unstructured sources like e-mail to social media) increases, technology is required to monitor and report on these resources.

In most organizations, the compliance function falls under a Chief Compliance Officer or under the legal department. However, in developing a long-term compliance strategy, IT leaders should work with counterparts in other departments or groups including legal, finance, and HR to create a comprehensive view of the laws, regulations, and standards to which their company is subject. Additionally, corporate governance (such as bylaws), shareholder agreements, and the company’s business strategy—mission, vision, and goals—will help shape the IT compliance posture. The compliance strategy can then be expressed as a set of high-level goals or policies, supported by specific initiatives or controls with measurable metrics.
