Compliance, Particularly for Privacy, Requires Data Process Mapping & Disposition

Michael Rasmussen

Compliance used to be simpler. An organization was given a set of requirements and it had to check the boxes that it met the requirements and compliance was achieved. The complex nature of business today and the focus on information in the digital economy has driven compliance requirements to a new level of intricacy and depth.

Today data weaves in and out of business processes, throughout the organization and across third-party relationships. Organizations need to understand how all information, especially personally identifiable information (PII), enters, moves throughout, and is used in the organization, and how it is shared and used in third-party relationships (e.g., outsourcers, service providers, vendors, suppliers, consultants, brokers, dealers, agents).

Privacy is a significant compliance challenge with specific requirements, associated content and processes that organizations should consider.

Privacy compliance is about managing risks across the full lifecycle of data and its web of processes, transactions, relationships, and interactions. Compliance professionals struggle to interact with business units to inventory all uses of personal data and ensure compliance with a set of requirements that is constantly evolving. Continuously changing regulations and business environments encumber organizations as they aim to stay compliant. Trying to keep pace with growing, evolving, and shifting business needs and uses of personal data buries compliance professionals in mountains of tasks and processes.

Privacy regulations, such as the European Union General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), require that an organization has a thorough understanding of how data is collected, used, and flows throughout the organization and across business relationships. This requires that organizations map out data process flow diagrams to document compliance and how information is collected, used, and disposed of. It also requires that policies on information use and disposition be in place to govern information throughout its lifecycle and to define what controls are put in place to protect that information.

The requirement for data process mapping and information flow documentation is not unique to privacy-related regulations. Over the past several years there has been growing pressure for data process mapping in the context of Sarbanes-Oxley (SOX) compliance as well. The Public Company Accounting Oversight Board has been putting pressure on external auditors, who in turn put pressure on publicly traded companies to have data process maps documented in addition to the written control narratives for SOX compliance.

Today's dynamic, distributed and disrupted business environment is forcing organizations to rethink how they approach and document compliance. Foundational to this is leveraging an online business process mapping capability that makes it easier to gather information from process owners, document compliance to regulators, rapidly and easily search for information, and monitor the disposition requirements of information. Technology for documenting compliance and processes makes compliance more efficient, effective and agile in meeting the demands and needs of a dynamic regulatory and business environment.
