CHAPTER 10: LEVERAGING REGULATORY COMPLIANCE
A well-prepared, well-organised, trusted adviser is likely to gain an audience from senior managers to talk through proposals for enabling the organisation to outperform its competitors, while removing non-compliance risk to the bottom line.
Identify a relevant law or regulation that has IT-related compliance requirements: the UK’s Data Protection Act (‘DPA’), HIPAA and GLBA in the United States, PIPEDA in Canada, and so on. Identify the gaps between your current actual practice and what the law requires you to do, focusing on the bigger issues, the areas of non-compliance which are likely to trigger the bigger problems. Under the UK’s DPA, for instance, the absence of a Fair Processing Notice on all websites is likely to be less of a risk than the absence of FIPS 140-2 encryption on all mobile devices that carry personal data. Identify what you would have to do in order to reduce the risk of a breach to an acceptable level (and, remember, an acceptable level is unlikely to be one of zero risk) and work out the cost, in both capital and revenue terms. Identify and approximately cost any disruptions there might be to the organisation while the solution is rolled out. Rework your proposed solution until its costs are below the likely level of a penalty, plus damages, plus brand value diminution.
Now you can create a proposal for positioning your organisation ahead of its competitors, in terms of it being a safer supplier to its customers as a result of meeting the core requirements of a key law, as well as reducing potential damage to the bottom line, at a cost significantly lower than the damage your solution helps avoid.
Such a proposal, in the UK, would benefit from making your board allies aware of the problem some time ahead of providing them with a solution. This means collecting data. Here is some relevant information about UK data breaches:
You might also want to make your board aware of the ICO’s official powers. The ICO can:
Of course, you would want to make clear that the ICO, at the moment, does not have sufficient resources to fully take advantage of its powers and that it is therefore much more selective in how it goes about its job. More importantly, though, you would want to draw your board’s attention to the last item in the list above: the power to levy fines. With effect from 6 April 2010, the ICO has had the power to impose substantial fines, up to a maximum of £500,000, on organisations that ‘deliberately’ or ‘recklessly’ commit serious breaches of the DPA. It would probably also be worth pointing out that something characterised as a ‘deliberate or reckless breach’ of the DPA is likely also to impact on executive careers, as well as the corporate bottom line.
This power will be expanded under the EU General Data Protection Regulation (GDPR), which will enable the ICO, as the supervisory authority, to levy fines of up to €100 million or 5% of turnover, whichever is greater. While it’s hard to say that the ICO is toothless, the GDPR will certainly provide it with the power to impose much more notable penalties.
Under the current law, the ICO has provided explicit guidance on how it uses its power to levy fines. It will impose a monetary penalty if:
The ICO has also said that:
Its power will be used as both a sanction and a deterrent against non-compliance with the statutory requirements.
The words that should worry any senior executive are: ‘or ought to have known’ and ‘failed to take reasonable steps’. From the point at which you draw the Board’s attention to weaknesses in your DPA compliance regime, weaknesses that indicate a serious contravention of the principles and which could cause substantial damage or distress, the Board is ‘on notice’ that it has a problem that must be addressed. Failure to address it could lead to a significant corporate fine, negative bottom-line impact, bonus reductions and, possibly, career damage for individual executives.
You have a proposal to put forward, which (fully costed) will cost the organisation less than it might otherwise lose in fines and other damages, and which would enable the organisation to present itself in a positive light to its customers, employees and suppliers.
6. Data security incident trends, ICO, https://ico.org.uk/action-weve-taken/data-security-incident-trends/.