On May 25th, the European Union passed the General Data Protection Regulation compliance deadline. The GDPR was created by the EU in response to advances in cloud computing and data analytics, as large corporations and agencies gathered, processed, and handled the information of individuals all over the world. The European Union has sought to ensure the privacy of its citizens in this measure, but the regulations do not just affect those people or organizations located within the borders of the EU. Only 30% of companies were compliant at the May 25th deadline, according to the Association for Intelligent Information Management’s survey. This is nothing new for regulatory compliance, despite an increasing momentum for regulation in nearly every vertical.
Over the past decade, a number of comprehensive regulations have come into effect due to scandals involving several financial institutions. Both Sarbanes-Oxley and Dodd-Frank addressed record keeping practices that prevent fraud against investors by financial institutions. Affected companies turned to technology to enable and ensure compliance with regulations that pertained to their particular business. These companies wished to comply with applicable regulations while minimizing any disruptions to their daily business operations in a cost effective manner.
This technology includes software for securing data storage, retrieval, data capture, and producing copies of data when requested by a regulating body. Hardware is also involved in data capture and data storage and retrieval. Several software products have emerged to provide compliance in the wake of the recent regulations. Non-compliance can be expensive as well as disruptive to business. HIPAA violations can result in fines up to $250,000 and 10 years in prison. Violations for Sarbanes-Oxley regulations can reach $20 million or 20 years in prison. Companies in the US and the UK reported a significantly higher GDPR budget than their European counterparts, perhaps reflecting a stronger initial privacy starting place for European companies. Those that were not initially prepared for compliance estimate budget increases of over one million euros. Other penalties include being unable to obtain or hold certain certifications or bonds. This could result in everything from lost revenue to complete loss of business. Therefore, compliance is vital to the continuation of business.
Compliance and Technology
Businesses are acutely aware that both government agencies and self-regulating industrial bodies will strictly enforce new regulations. These regulations are subject to revisions at any point that the regulating body sees or perceives a need to reassess them. Typically, these revisions result in more restrictive regulations and increased penalties. Understanding the specific requirements of each regulation is essential to avoid penalties (either monetary or criminal). As an example, SEC Rule 17a-4 states that broker-dealers must preserve all electronic records in a format that is non re-writable and non erasable. The rule also states that broker-dealers are able to produce the electronic records on demand.
This rule does not specify a particular media for storage, only that it meets the aforementioned requirements. Therefore, software such as cloud storage or network storage systems is available for these purposes. Other rules, such as SOX, involve the process of information management along with the monitoring and reporting on the content of retained information. Companies can acquire software products that manage the required information while providing the ability to monitor the content of the records. These products would also include the ability to produce records on demand in the event of litigation or audit.
The Upside of Compliance
Although most organizations regard the ever-increasing list of regulations to be a formidable challenge, the technologies available for compliance may also provide other substantial benefits from the management of information. These software products give users a better understanding of the underlying process of business through increased efficiency. Compliance software can also provide improved support in the area of litigation discovery. Companies typically settle litigation out of court because settling is typically more cost-effective for all parties. Software solutions for compliance can provide for quick, accurate access to data requested in a legal discovery process.
And this easily accessible data would also be advantageous during an audit. Compliance software ensures business continuity during a disaster such as fire or flood. Additionally, compliance software provides improvements in a company’s operational efficiency by reducing the need for paper storage as well as providing quick access to any needed documents for customer service. These efficiency improvements will translate into increased revenue for the company not only through cost savings, but also through improvements in customer satisfaction, customer retention, and through the addition of new customers.
Recommendations to Ensure Compliance
– Know the regulations that pertain to your company or business.
– Develop an enterprise compliance strategy that incorporates both processes and content since both are required for compliance.
– You should fully document all retention policies, procedures, and schedules. This will not only show regulators that you have them in place, but it will also communicate these policies and procedures to your employees so that they can comply with them.
– Determine the specific technological requirements that will enable your company to implement the compliance strategy plan and support your retention policies and procedures.
– Determine if your current technology is sufficient for your requirements. Note any deficiencies and determine how to correct them.
– Research any needed technology and incorporate it into your compliance strategy plan.
|SEC 17a-4||Electronic records must be stored in a format that is non-rewritable and non-erasable. Defines what records are required for compliance.||Financial brokers, dealers and exchange members||Retention periods specified for each type of record. The latest revision allows for storage in a central location as long as records are available to regulators on demand.|
|Sarbanes-Oxley 404||Provides for monitoring of the production and changing of financial records||All publicly traded companies, public accounting firms, auditors, brokers, securities analysts||Provides requirements for audit committees, financial reporting, insider trading, change disclosure and management’s assessment of controls for public companies|
|Sarbanes-Oxley 409||Mandates the disclosure on the material changes in the financial condition or operations of issuers in a timely and current manner||All publicly traded companies, public accounting firms, auditors, brokers, securities analysts||The same as for Sarbanes-Oxley 404.|
|Dodd-Frank||Gives the SEC authority to oversee credit rating agencies, insurance companies and hedge funds||Financial institutions, non-bank financial firms, insurance companies (except auto) and credit rating agencies||Give SEC authority to break up an institution that becomes “too big to fail”|
|Affordable Patient Care Act||Requires companies with over 200 employees to automatically enroll new full time employees in coverage, requires disclosure of the value of the benefit of coverage provided by the employer||All public and private companies||Provides tax penalties for failing to comply with the health care coverage mandate, creates an excise tax on certain medical equipment|
|General Data Protection Regulation||Requires companies storing or handling EU citizen data to disclose information gathering to citizens, secure and then purge data after time without use, and make data freely available to the subject||All companies storing and handling EU citizen data||Requires compliance from international companies and can fine companies up to 10 million euros ot 2% of global revenue|