Regulatory compliance is an organization's adherence to laws, regulations, guidelines and specifications relevant to its business processes. Violations of regulatory compliance often result in legal punishment, including federal fines.
Examples of regulatory compliance laws and regulations include the Payment Card Industry Data Security Standard (PCI DSS), Health Insurance Portability and Accountability Act (HIPAA), Federal Information Security Management Act (FISMA), Sarbanes-Oxley Act (SOX), EU's General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).
Why is regulatory compliance important?
As the number of rules has increased since the turn of the century, regulatory compliance management has become more prominent in a variety of organizations. The development has led to the creation of corporate, chief and regulatory compliance officer and compliance manager positions. A primary job function of these roles is to hire employees whose sole focus is to ensure the organization conforms to stringent, complex legal mandates and applicable laws.
Regulatory compliance processes and strategies provide guidance for organizations as they strive to attain their business goals. Audit reports proving compliance help companies market themselves to customers. For example, Service Organization Control 1 reports enable vendors to prove compliance with regulations such as SOX. Being transparent about compliance processes helps clients build trust in business processes, as well as potentially improve the profitability of the company in the process.
Some regulatory compliance rules are designed specifically to ensure data protection. Poor data breach compliance processes can hurt customer retention and negatively impact a company's bottom line. With the frequency of data breaches continuing to increase, consumers are placing more trust in companies that closely follow regulatory compliance mandates designed to protect personal data.
Data privacy-specific regulatory compliance mandates, such as GDPR and CCPA, have become more common as companies' handling of consumers' personal data has come under scrutiny.
What are challenges that come with regulatory compliance?
Companies that do not follow mandatory regulatory compliance practices face numerous possible repercussions, such as being forced to participate in remediation programs that include on-site compliance audits and inspections by the appropriate regulatory agency. Noncompliant organizations usually face monetary fines and penalties. Brand reputation can also be damaged by companies that experience repeated -- or particularly glaring -- compliance breaches.
Following compliance rules can be costly from an infrastructure and personnel standpoint. As companies are required to spend capital in order to comply with compliance laws and regulations, they must also try to appease stakeholders and maintain business processes by turning a profit. These financial challenges surrounding compliance are particularly acute in highly regulated industries, such as finance and healthcare. Other business strategy-associated challenges that come with maintaining regulatory compliance include the following:
- determining how emerging regulations will influence business direction and existing business models;
- incorporating and developing a compliance culture and promoting this culture throughout the organization;
- deciding on and hiring compliance roles and accountabilities, as well as the compliance functions required by legal, compliance, audit and business departments; and
- anticipating compliance trends and integrating regulatory processes that increase efficiency.
Constantly evolving consumer technologies also pose compliance complications for companies. The use of personal mobile devices by employees in the workplace, for example, creates compliance concerns because these devices store sensitive, compliance-relevant company data. The proliferation of the internet of things has led to huge growth in the number of endpoints and interconnected devices, and lacking security for mobile and IoT devices creates compliance vulnerabilities in organizations' networks. For digitized companies to remain compliant, they must stay on top of required updates and immediately patch existing software when vulnerabilities are detected.
How is compliance different across industries, countries?
Some industries are more heavily regulated than others. For example, the financial services industry is subject to regulatory compliance mandates designed to protect the public and investors from nefarious business practices. Energy suppliers are subject to regulations for safety and environmental protection purposes. Government agencies are required to follow compliance regulations that mandate equality and ethical staff behavior.
Healthcare companies are also subject to strict compliance laws because they store large amounts of sensitive and personal patient data. Hospitals and other healthcare providers must demonstrate they have taken steps to comply with patient privacy rules, such as providing adequate server security and encryption. HIPAA outlines data privacy and security mandates designed to secure patients' medical information. The HIPAA Breach Notification Rule, for example, requires compliant organizations and their business associates to notify patients following a data breach. In addition to healthcare providers, cloud service providers (CSPs) and other business associates of healthcare organizations must also comply with HIPAA privacy, security and breach notification rules.
Regulatory compliance mandates vary by country. SOX is U.S. legislation, but similar regulations include Germany's Deutscher Corporate Governance Kodex (DCGK) and Australia's Corporate Law Economic Reform Program Act 2004 (CLERP 9).
Multinational organizations must be cognizant of the regulatory compliance rules of each country they operate within. For example, GDPR went into effect in 2018 and applies to all data produced by EU citizens, whether or not the company collecting the data is located within the EU. GDPR also applies to all people whose data is stored within the EU, regardless of if they are EU citizens.
GDPR expanded the data privacy rights of consumers by including transparency mandates that force businesses to inform customers how their personal data is used. For example, companies operating under GDPR compliance rules are required to notify all affected parties and supervising authorities of a data breach within 72 hours.
Under CCPA, California residents are provided the right to know what data is being collected about them, whether that information is sold and the ability to refuse that data being sold. The act also mandates consumers can access any of their personal information collected by CCPA-compliant companies.
A 2018 Vermont law requires data brokers to disclose to individuals exactly what data is being collected and enables those individuals to opt out of data collection. Several other states in the U.S. are considering their own data privacy regulations to varying degrees, while countries such as Australia, Argentina and Canada have established comprehensive data privacy laws at the federal level.
How do companies ensure regulatory compliance?
Regulatory compliance requires companies to analyze their unique requirements and any mandates specific to their industry and then develop processes to meet these requirements. Typical steps to achieve regulatory compliance include the following:
- Identify applicable regulations. Determine which laws and compliance regulations apply to the company's industry and operations. These include federal, state and municipal rules.
- Determine requirements. Identify the requirements in each regulation that are relevant to the organization, and consider plans on how to implement these mandates.
- Document compliance processes. Clearly document compliance processes, with specific instructions for each role involved in maintaining compliance. This information will be useful during regulatory audits.
- Monitor changes, and determine whether they apply. Compliance requirements are updated constantly. Changes must be monitored to determine if they are relevant to the company. If they are, implement updated procedures, and train the appropriate staff on these updates.
In-house compliance audits should be conducted regularly to review the organization's adherence to regulatory guidelines. These in-house audit reports should closely evaluate compliance processes and their associated policies, such as user access controls.
In-house audits also help prepare for externally conducted, formal compliance audits carried out by independent third parties. These audits are required under some regulatory compliance mandates and are designed to measure if an organization complies with specific state, federal or corporate regulations.