What is compliance?
Compliance is the state of being in accordance with established guidelines or specifications, or the process of becoming so. Software, for example, may be developed in compliance with specifications created by a standards body, and then deployed by user organizations in compliance with a vendor's licensing agreement. The definition of compliance can also encompass efforts to ensure that organizations are abiding by both industry regulations and government legislation.
Compliance is a prevalent business concern, partly because an ever-increasing number of regulations require companies to maintain a full and current understanding of their regulatory obligations. To adhere to compliance standards, an organization must follow requirements or regulations imposed either by itself or by government legislation.
Regulatory compliance examples
Some prominent regulations, standards and legislation that organizations may need to be compliant with include the following:
- Sarbanes-Oxley Act of 2002. The Sarbanes-Oxley Act was enacted in response to the high-profile Enron and WorldCom financial scandals to protect shareholders and the general public from accounting errors and fraudulent practices. Among other provisions, the law sets rules on storing and retaining business records in IT systems.
- CAN-SPAM Act of 2003. The CAN-SPAM Act requires businesses to label commercial emails as advertising, use legitimate return email addresses, provide recipients with opt-out options and process opt-out requests within 10 business days.
- Health Insurance Portability and Accountability Act (HIPAA) of 1996. HIPAA Title II includes an administrative simplification section that mandates standardization of electronic health records systems and includes security mechanisms designed to protect data privacy and patient confidentiality.
- Dodd-Frank Act. Enacted in 2010, this act aims to reduce federal dependence on banks by subjecting them to regulations that enforce transparency and accountability to protect customers.
- Payment Card Industry Data Security Standard (PCI DSS). PCI DSS is a set of policies and procedures created in 2004 by Visa, MasterCard, Discover and American Express to ensure the security of credit, debit and cash card transactions.
- Federal Information Security Management Act (FISMA). Signed into law in 2002, FISMA requires federal agencies to conduct annual reviews of information security programs. This is done to keep risks to data at or below specified acceptable levels.
- Occupational Safety and Health Administration (OSHA). The OSHA requirements were introduced by the U.S. Congress in 1971 to protect worker health and safety in the U.S.
- General Data Protection Regulation (GDPR). GDPR is legislation that went into effect in the European Union in 2018 that updated and unified data privacy laws. The purpose of GDPR is to protect individuals and the data that describes them and to ensure organizations that collect this data do so in a responsible manner.
IT compliance guidelines vary by country; the Sarbanes-Oxley Act, for example, is U.S. legislation. Similar legislation in other countries includes Germany's Deutscher Corporate Governance Kodex and Australia's Corporate Law Economic Reform Program Act 2004. As a result, multinational organizations must be cognizant of the regulatory compliance requirements of each country they operate within. For example, GDPR applies even to organizations based outside the European Union, as long as they also operate in the EU.
Regulatory compliance vs. corporate compliance
There are two main types of compliance that denote where the framework is coming from: corporate and regulatory. Both corporate and regulatory compliance consist of a framework of rules, regulations and practices to follow.
- Corporate compliance applies to the rules, regulations and practices an organization puts into place for compliance -- according to both external regulations and internal policies.
- Regulatory compliance applies to the rules, regulations and practices an organization puts into place for compliance -- according to external regulations.
Corporate and regulatory compliance are very similar, with their main difference being whether their policies come from internal or external regulations.
Chief compliance officer and other compliance roles
As regulations and other guidelines have increasingly become a concern for corporate management, companies are turning more frequently to specialized compliance software and IT compliance consultancies. Many organizations have even added compliance jobs, such as the role of chief compliance officer (CCO).
The main responsibilities of a CCO include ensuring the organization is able to both manage compliance risk and pass a compliance audit. The exact nature of a compliance audit will vary, depending on factors such as the organization's industry, whether it is a public or private company, and the nature of the data it creates, collects and stores. Other responsibilities of a CCO include identifying the potential risks an organization faces, assessing the effectiveness of any risk-prevention processes and resolving any compliance issues.
Other possible compliance roles include the following:
- Compliance analysts. Compliance analysts help organizations remain compliant with regulations and prepare them for audits.
- Compliance services associates. This role focuses on identifying, prioritizing and resolving issues for clients.
- Compliance coordinator. This role focuses on preparing and completing regulatory and compliance documents, as well as making sure they adhere to federal, state and other government requirements.
- Compliance director. This role focuses on ensuring organizations conform to all rules, regulations and laws placed upon them. They are also responsible for managing and correcting any violations that occur.
Best practices and strategies for corporate compliance
To ensure an organization follows compliance laws and regulations, it should follow these best practices:
- Determine compliance goals. Focus on the areas of compliance the organization needs to improve the most, such as a specific regulation, law or a violation that is costing the organization money.
- Know the regulatory environment. Laws and regulations may change over time, so having staff members -- either as a part of a compliance department or otherwise -- who keep up to date on new regulations relevant to the organization's industry is a good idea.
- Implement compliance tools. Compliance tools can automatically track data, aiding in compliance risk management.
- Hold compliance audits. An in-depth review of regulatory compliance areas ensures an organization is following compliance regulations correctly and can help identify areas an organization needs to improve.
- Review compliance regulations regularly. A regular review helps find weak points and gives an organization a chance to improve and keep its compliance efforts up to date.
- Train employees for compliance policy. If employees cannot follow compliance policies, then the organization cannot fully adhere to the policies. Employees should be trained and made aware of relevant policies and be held accountable when policies are not followed.