In today’s world, in order to do and sustain business, all large and small companies are required to show and prove constant compliance. The task may be somewhat easier for large companies to achieve by hiring more employees; however, small businesses do not typically have the luxury of hiring more people at rates competitive with large companies.
Having worked for several small businesses over the past decade in addition to helping non-profits, I have seen several compliance challenges, pains and disruptions to business – and even fear! Simplifying work items is a big step in the right direction. Below are five practical methods that can be effective for small businesses in their quest to achieve compliance:
1. Establish a common language. Whether it is GDPR, SOX, HIPAA, or some other regulatory requirement, establishing a common language is critical. In an ideal world, a privacy and security program is unified, though that is usually not the case. Work with your Chief Privacy Officer and Chief Security Officer together to establish standard language when describing goals, action items, and writing policies and procedures. Different terminology increases confusion. Strike an appropriate balance between technical and business speak.
2. Prioritize training and education. Most practitioners will mention training and education as one of the key elements for a successful privacy or security program. Small businesses often conduct an annual training session for all employees to check off their training requirements. However, in today’s environment, that isn’t going to cut it. Training employees, including vendors and contractors, needs to be a continuous program, and it also has to be focused. Establish focus group trainings for management, committees, developers, quality assurance team members, and business managers. Email blasts, posters and news flashes highlighting relevant incidents are helpful.
3. Do due diligence on documentation. Everyone hates documentation, whether they are business teams or developers. All businesses have something valuable to protect, including personal information, proprietary product information, employee data and more. Documenting business processes to show how that valuable information flows, what happens to it, and who has access to that information will assist in identifying compliance action items. Most of the time the information is not even required but is collected nonetheless, adding liability. Several tools can build documentation from product code and the comments in the code.
4. Don’t forget internal reviews and audits. Once a process is established, policing it is important. Audit the documentation, processes, data and information collected to ensure established controls are implemented correctly and are working, and to identify gaps that need to be remedied.
5. Continuous evaluation is needed. Once the above steps are in place, keep the loop open to allow employees to provide feedback and allow the documentation to work instead of being treated as overhead. Then, implement solutions and address gaps noticed in the audits.
All of these steps allow the controls implementation to become efficient and lean. In order to get to that point, these steps need continuous repetition to become part of the organization’s DNA.
I have shared similar thoughts in an article on LinkedIn. Nothing is a sure shot or quick fix; it takes a lot of disciplined work, training and re-evaluation to succeed.