Compliance with data privacy regulations has become immensely challenging, and arguably for two reasons: confidential data is today distributed across multiple clouds, as well as on-premises data centers, and companies typically face compliance with multiple regulations – not just with GDPR but with industry-specific or geo-specific regulations. No doubt you’re facing those rigors daily.
And what’s coming to light is that home-grown solutions for compliance, with few exceptions, can no longer keep up. Typically, that’s because they lack scope of coverage, the ability to keep current on compliance requirements, or the ability to compile comprehensive and transparent formal reports for auditors and authorities. The only way a company can keep up with those demands and stay sane is to deploy comprehensive data compliance automation.
Salesforce environments are a bellwether for the complexity of the regulatory environment. Consider that Salesforce customers need to comply with regulations as varied as PCI, HIPAA, GDPR, NIST and SOC. This complexity defies manual compliance efforts. What’s more, if your network operations include the cloud, you can’t rely on cloud providers to build compliance into their offerings.
It’s been said that automation, whenever and wherever it’s applied to an efficient operation, will magnify the efficiency of that operation. So then why, even in 2019, have businesses failed to identify data compliance as one of the top two or three functions to automate in order to stay alive? Data on companies that fail to make compliance a critical priority is widespread. According to the National Archives & Records Administration, a startling 93% of companies that lost data for 10 days or more filed for bankruptcy within 1 year, and 50% filed immediately.
In addition, companies invariably discover that if they don’t automate their data compliance efforts, they will leave gaps in coverage. But in many organizations, while the intent is there, the execution is lacking. According to KPMG, more than 50% of CIOs and CCOs surveyed said they had not yet automated their compliance activities. Only 1 in 5 said they had a well-defined enterprise-wide strategy to automate compliance.
Even for businesses that survive a data disaster, the losses can be monumental: according to a survey by ESG, 51% of respondents identified loss of customer confidence as the top impact of application downtime or lost data, regardless of the cause. But other aspects of compliance, such as data rights and data minimization, are just as critical to a business’s compliance posture as are assurances against downtime or lost data. And failing to maintain compliance can jeopardize customer confidence and trust – which are hard to gain back.
The short story is that businesses can’t automate everything, but they need to automate everything they can. Why? Automation introduces consistency in how audit information is gathered and presented, reducing variability from one audit to the next. Automation introduces transparency, even to the point that auditors can reduce the scope of their efforts – as automation extends to every function within the organization. Think of it this way: you want audits to become routine, replacing suspicion as an impetus for an audit. And businesses need to move beyond point-in-time compliance activities to a continuous compliance process.
Virtually every aspect of data compliance can be automated:
For compliance risk assessments, automation assigns ratings to inherent or mitigating controls in the quantitative analysis process.
For policy management, automation gives you instant understanding of what policies and procedures in your organization are current.
Automation of regulatory change processes gives you comprehensive views of regulations, laws and obligations from global regulatory sources.
Automating due diligence helps you ensure that you meet all compliance requirements when dealing with third parties such as vendors, suppliers, contractors and customers.
For monitoring and testing, automation gives you current, holistic views of risks.
For visibility, automation of data and analytics lets you develop a dashboard of risks across the organization.
Still, automation of data compliance is secondary to doing the legwork of mapping your organization’s prerequisites as the content of a compliance roadmap.
Here are eight prerequisites:
However you go about automating data compliance, know that transparency must be a prime objective. A compliance engine presents the unvarnished truth, points to areas requiring remediation, and takes the guesswork out of compliance. And it never takes a day off.