With all the rules and regulations surrounding compliance alphabet soup, it will take more than one person to bring your company in line. We’ve laid out the three company divisions needed to up your compliance game, especially when it comes to HIPAA, PCI and GDPR.
IT Team
Your first line of defense against compliance failures is the technology you use and the team that maintains it. Consult with your IT team to discuss:
- Email Encryption: How are emails and files that go in and out of your office protected from hackers? What if they contain revealing identifying information? Is that data safe as it travels through the internet?
- Data Encryption: How do you collect and retain credit card information? Are there gaps where that information is stored or transmitted in an identifiable way?
- Firewalls: Is the equivalent of a flimsy screen door all that protects your company data and communications from hackers? Do you have a multi-level security system in place that prevents intrusions?
- Backups: How often, when and where is your precious company information backed up? Do you test your backups to prove that they’re effective? Is your current backup plan compliant with regards to customer data?
- Data Availability and Storage: Who has access to your data? Only certain individuals in your company should have access to sensitive data such as financial records or payment information. How do you restrict access on your network or within line-of-business applications to keep that data safe?
- Physical Access: Who accesses your computer systems and servers? Do you train your staff to lock their systems every time they leave their desks? Are you using privacy filters on appropriate screens to avoid wandering eyes?
Internal Compliance Officer
While this may not need to be a full-time role, you should have a compliance champion on staff. Your IT company can set you up for success. However, they are not around to police your staff every hour of the workday.
The Compliance Officer’s responsibility is ensuring that your staff follow important compliance policies. They keep documentation up-to-date and work with authorities if necessary. In particular, they are responsible for:
- Managing Employee Bad Habits: Watch for employees leaving computers unlocked or sending credit card data willy-nilly throughout the organization.
- Training: Conduct or coordinate online or in-person training to keep compliance top-of-mind. We recommend quarterly training at the very least. It is also imperative that every new employee receives proper compliance education as part of the onboarding process.
- Documentation: Maintain all records and documents required for compliance, like backup plans and communication standards.
- Following Regulations: Work with federal and state regulators as necessary to prevent or mitigate an issue and coordinate the support of your IT and legal teams.
Employees
Even with the best technology and the most experienced compliance officer, it’s still possible to fail if your employees are not on board. In the end, it comes down to successful employee implementation and clear communication. To get employee buy-in, here is what we recommend:
- Get on the same page. When you first make tweaks to your company’s security protocols, explain why to your team. Consider their perspective: suddenly they all need to remember 16-character passwords, replace those passwords every 90 days, and work with 5-minute time-outs on their systems. Once they hear the reasoning, your employees will appreciate and understand that it’s not because you’re paranoid. You can use your IT team to conduct this meeting.
- Send regular reminders. It’s simple to fall into what’s “easier” rather than compliant. Consider sending a weekly or monthly compliance tip to all staff members to keep it fresh in their minds.
- Conduct ongoing training. This training should be mandatory. Involve your IT team. Vary the content or delivery enough to stay interesting. Quarterly training should be sufficient unless some regulation change calls for extra sessions.
- Multi-departmental planning. Different teams have different uses for data. For example, the way the sales department uses data may not be compliant under the rules the accounting department operates by. Each department must give its input during the development process. This will ensure a smooth operation within the rules and regulations. Compliance is not a one-man game; it takes engagement from the whole company, IT team included, to truly succeed.