Question: How can my organization establish a compliance program to meet the requirements of the Massachusetts Privacy Law 01 CMR 17.00?
In a previous blog post on the pending Massachusetts Privacy Laws we outlined what was required to comply with the regulations, which probably left you a bit worried and uncertain about your next steps. To help clear any previous confusion, we will delve into more details about managing a compliance program, to help avoid the risk of random acts of non-compliance that might get you and your company into serious legal trouble.
Basically a compliance program is a management directed, budgeted, operational business function — think program management 101. The program should cover include at a high level all the standard operational or business functions:
Communication: As with anything in business, communications can never be over emphasized, even if their importance is often overlooked. The point is to keep the program on everyone’s mind. Use standard communications tools such as: announcements, posters, emails, newsletters, surveys and quarterly compliance reporting. To really drive home the importance, link compliance communications to employee performance so that the desire to stay current is personally beneficial.
People: Staff attitudes will determine the success of your compliance program; technology alone will not keep you data safe and secure. Do not assume that everyone has a common understanding of compliance as you launch your program. Staff training will help with common understanding and expectations, but you still need written job descriptions. Written roles and responsibilities are critical for setting expectations for meeting compliance objectives. Identify a group coordinator role whose job it is to disseminate information and coordinate communications with the compliance program manager.
Processes: The processes needed for developing and deploying a compliance program include: writing policies, conducting risk assessments, establishing regular compliance activities, being ready for any compliance incidents and maintaining a planned events calendar. Focus your business processes support compliance on the way your company uses and stores personal information (PI). The policies should indicate that PI can only be stored in approved locations and that PI can only be used within approved guidelines. Establish a hot line or question box so you can quickly respond to any compliance concerns related to a particular business practice. Err on the side of caution. It is far more prudent to delay a response to verify the need, then to respond rapidly with possibly inappropriate information and expose your company to a potential fine or lawsuit.
Technology: You have probably spent a great deal of resources maximizing information sharing to grow your company’s products and services. So does that mean that you need to restrain this activity in the future? Not exactly; compliance does not imply curtailing information sharing per se, but you do want to look at PI with a new pair of eyes to decide when, with whom and where you will share PI. Being accountable does not mean you are restricted in your use of the information, it just means that you must protect and use it in a more aware manner. To achieve this objective, you need controls. We will visit this notion of controls in a future blog, for now controls=protections.
Compliance Metrics: Your compliance program is alive and changing on a minute by minute basis. It is important to develop compliance metrics to monitor the success of your program. The indicators are based on what you consider the most important factors to measure. A few examples might include, the percentage of people trained in compliance, days since last review of access logs or incidents that have been noted.
Don’t just sweep compliance under the rug and hope it goes away – it won’t. You will not reach compliance after a breach. Be proactive to be safe.