Compliance is now a major part of any business, yet it's an area many businesses struggle with. Whether it's uncertainty about which regulatory rules and frameworks will apply to you or difficulty finding the right expertise, it can be a confusing area to navigate.
However, it's not an area any business can afford to take lightly. If you're in any doubt about the importance of an effective compliance program, consider these figures:
- Non-compliance costs more than twice as much as maintaining compliance.
- Non-compliance costs firms an average of $4,005,116 in lost revenue.
- Spending on incident response has almost doubled since 2011, reaching around $1 million.
It's clear that the cost of failing to consider compliance can greatly outweigh the time and expenses needed to ensure rules are being followed. But with so many different frameworks that set out guidelines and requirements to consider, how do you know where to focus your efforts?
Not every regulation will apply to every firm, though there are some universal requirements that cover issues such as the personal data of employees and customers. Therefore, it's vital to know which frameworks you need to be prioritising, what it takes to be compliant, and the potential costs if you don't.
What's more, maintaining compliance isn't just about avoiding financial penalties. In many cases, demonstrating that you're following certain frameworks will be essential in enabling you to do business, because if you can't prove you're compliant with certain standards, you may be blocked from key services or platforms.
With this in mind, here are some of the most important regulatory frameworks you need to be aware of.
1. Sarbanes-Oxley Act (SOX)
The Sarbanes-Oxley Act (SOX) is one of the main regulations in the US for those working with financial details in public firms. Passed in 2002 in the wake of scandals such as Enron, it's designed to tackle fraud by mandating more transparency and accuracy in how companies report their accounting. As well as fines for the company for non-compliance, executives can be held personally accountable for any inaccurate financial disclosures, with heavy fines and even imprisonment as options for enforcement.
2. National Institute of Standards and Technology (NIST)
The National Institute of Standards and Technology (NIST) does not publish a single set of standards, but rather a series of guidelines for keeping sensitive data secure. While following them is not a legal requirement, being able to prove that you're following NIST standards is essential for any enterprise that handles confidential information, as it demonstrates you're taking the necessary steps to guard against the latest cybersecurity threats and have a plan in place for responding in the event of a data breach.
3. Statement on Standards for Attestation Engagements No. 16 (SSAE-16)
Statement on Standards for Attestation Engagements No. 16 (SSAE-16) is a standard for the auditing and reporting of financial details. As well as outlining a range of best practices for business processes and controls, it's also a mandatory part of the SOX compliance process. This means that specific stakeholders will have to review service organization controls (SOC) for any applications and processes within the scope of SOX - such as financial management tools - to identify potential risks.
4. Payment Card Industry Data Security Standards (PCI-DSS)
PCI-DSS is vital for any business that accepts credit or debit card payments. The standard identifies the steps companies must take to ensure the cardholder data they collect is secure, and is split into 12 key requirements covering everything from network security to encryption and testing processes. Although it's an industry standard rather than a law, firms that fail to comply can face large fines from payment providers and may even have their ability to accept or make payments withdrawn.
5. General Data Protection Regulation (GDPR)
One of the most wide-ranging compliance regulations introduced in many years, the EU's General Data Protection Regulation (GDPR) sets out strict standards for how companies handle personal data for both their employees and customers. It covers everything from what companies can do with personal information to the rights of individuals to view their own data, as well as tough reporting requirements for any breaches.
6. California Consumer Protection Act (CCPA)
Like the GDPR, the California Consumer Protection Act (CCPA) sets out rules for the protection and handling of personal data, and is often referred to as California's version of the GDPR. Where the GDPR may not apply to US firms that only operate domestically, the CCPA may be more relevant for many US firms that interact with Californian residents, even if they aren't based in the state. In some respects, the CCPA's rules are even stricter than the GDPR's, such as when it comes to the information of children, so it's vital that firms make this a top priority, regardless of industry.
7. International Organization for Standardization (ISO)
Another set of guidelines rather than a single regulation, the International Organization for Standardization (ISO) publishes a family of internationally recognized standards, with a range of subsections covering various industries and requirements. For example, the ISO 9000 standards set out quality management requirements and will be highly relevant to manufacturers, while the ISO 27000 series focuses on information security. Being able to prove compliance with the relevant standards will be essential for any company; without certification you may be unable to attract business.
8. Health Insurance Portability and Accountability Act of 1996 (HIPAA)
For firms in the healthcare sector, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) is one of the most important regulations, as it governs the handling of highly sensitive personal medical information. It covers hospitals, pharmacies, insurance providers and any other organization that collects, stores or processes this data, and there are tough penalties for organizations that don't meet its requirements.
9. Privacy Shield
The replacement for the previous EU-US Safe Harbor agreement, which was invalidated by a European court in 2015, Privacy Shield governs the security of data being transferred between the US and EU. It's vital for any firm doing business internationally, as showing you comply with its standards makes it a lot easier for US firms to collect personal data from EU citizens while remaining compliant with the relevant local data protection laws.
10. Federal Risk and Authorization Management Program (FedRAMP)
Cloud computing is now a common way of doing business for many firms, but for US government agencies there is a range of privacy and security concerns that may arise if they want to store or process data in the cloud. The Federal Risk and Authorization Management Program (FedRAMP) seeks to give agencies a way to do this safely by setting out key guidelines to help evaluate the risks of such services. If you work with a government agency or help process data for these organizations, FedRAMP requirements must be part of your procurement processes.