What Your Compliance Officer Should Know About Privacy
As the prevalence of digital technologies grows, compliance becomes a more vital part of how organizations do business. Compliance has become a relevant concern regardless of your organization’s industry, as new sweeping regulations such as the European Union’s General Data Protection Regulation (GDPR) are shifting how organizations across all sectors view their risk.
A compliance officer is the central figure in ensuring that business processes and operations follow both internal policies and procedures, and external legislation. Typically serving in an advisory role and interacting with high-level stakeholders such as the company CEO and the board of directors, the compliance officer provides guidance on how to minimize risk related to data privacy and other laws.
What Does a Compliance Officer Do?
The International Compliance Association (ICA) describes the general responsibility of the compliance officer as providing an “in-house compliance service that effectively supports business areas in their duty to comply with relevant laws and regulations and internal procedures.” According to the ICA, the role of the compliance department is to:
- Identify risks
- Design and implement controls to protect from those risks
- Monitor and report the effectiveness of those controls
- Resolve compliance difficulties
- Advise business leaders about rules
Some regulations also require that specific individuals be designated to oversee regulatory compliance. For example, the GDPR requires public authorities, and organizations whose core activities involve large-scale monitoring of individuals or large-scale processing of special categories of data, to designate a data protection officer (DPO); HIPAA requires covered entities to designate a privacy official and a security official. While these duties can be assigned to others within the organization, the role would naturally fall to the chief compliance officer. One caveat: the GDPR requires the DPO to act independently, report to the highest level of management and be free of conflicts of interest, so the role cannot simply be bolted onto a position that decides how personal data is processed.
In addition to a minimum of a bachelor’s degree and five or more years of experience working in the compliance field, a compliance officer should possess skills such as high integrity, excellent communication and leadership. This needs to be a person with a strong moral compass and ethics, and a highly skilled communicator and leader who clearly understands the laws and regulations specific to the organization’s industry.
Many organizations also look for compliance professionals who have a master’s degree or certifications such as Certified Compliance and Ethics Professional (CCEP) or Certified in Healthcare Compliance (CHC) from the Compliance Certification Board. These certifications enhance the person’s credibility and encourage continued professional development, which helps the compliance officer stay up to date on best practices and industry trends.
Security and Privacy Policies and Procedures
In a smaller organization, the information security officer often serves in the roles of compliance and privacy protection. While some of the duties of these jobs intersect, organizations that believe security stops with compliance are putting themselves at risk. Experienced security practitioners know that compliance is only the first step in maintaining data privacy and security: a regulation defines the minimum set of controls an auditor will look for, not the controls an attacker will actually test, and it is the absolute minimum an organization needs to do to protect its digital assets.
If your organization blends the jobs of security and compliance, you need other checks and balances in place so that the person who implements the controls is not the only person attesting that they work. For example, commission independent outside audits or engage a third-party firm to perform a gap analysis against the regulations that apply to you.
Smaller, resource-strapped organizations may also benefit from using security policy templates. If that’s the option you choose, you’ll need to custom-tailor each template to your unique business needs and carefully review your customized templates so they reflect not only regulations but also your actual business practices. A policy that describes controls you do not actually operate is worse than no policy: it is evidence, in an audit or after a breach, that you knew what was required and did not do it.
Types of Regulations
There are many levels of laws that a compliance officer needs to understand. These may include:
- International: The most broadly applicable one is GDPR, which affects any organization established in the EU, or that offers goods or services to, or monitors the behavior of, individuals in the EU, regardless of the company’s geographic location. Note that it is the data subject’s presence in the EU, not citizenship, that brings the regulation into play
- Federal or country-specific: These are laws such as the U.S. Children’s Online Privacy Protection Act (COPPA), which governs how personal information is collected online from children under 13
- State and local government: Every U.S. state now has its own data-breach notification law, and the definitions of personal information, the notification deadlines and the thresholds for notifying regulators differ between them; if you do business across multiple states, you need to comply with each one’s laws. Additionally, some states have laws and regulations specific to industries, such as the New York Department of Financial Services’ cybersecurity regulation (23 NYCRR Part 500) for financial services companies licensed in the state
- Industry-related: These are regulations such as HIPAA for healthcare organizations, although in HIPAA’s case, it also pertains to various entities outside of the healthcare sector. Compliance officers need to understand their organization’s business to determine how HIPAA may be applicable
What Your Compliance Officer Should Know About HIPAA
In addition to covered entities such as healthcare providers, health plans and healthcare clearinghouses, HIPAA pertains to business associates: any person or organization that creates, receives, maintains or transmits protected health information (PHI) on behalf of a covered entity, from consultants such as lawyers to vendors such as billing companies and cloud hosting providers. A vendor that never touches PHI is not a business associate, so compliance officers should classify vendors by the data they actually handle rather than by whether they have a contract with the organization.
HIPAA requires covered entities to have signed business associate agreements (BAAs) with their business associates about safeguarding PHI. In turn, any subcontractor that handles PHI on behalf of a business associate is itself a business associate and must sign its own BAA with the business associate that engaged it, so the obligations flow down the entire chain. Compliance officers need to know what constitutes PHI and how it needs to be protected, as well as what they need to do in case of a data breach: under the Breach Notification Rule, affected individuals must be notified without unreasonable delay and no later than 60 days after discovery, breaches affecting 500 or more individuals must also be reported to HHS and prominent media outlets within that window, and business associates must report breaches to the covered entity.
Noncompliance with HIPAA by either covered entities or business associates can result in stiff penalties. The Department of Health and Human Services’ Office for Civil Rights (OCR), which enforces HIPAA, has levied millions of dollars in fines, in many cases for violations that could have been easily prevented, such as missing risk analyses, unencrypted portable devices and BAAs that were never signed.
Following Best Practices in Compliance
The world of compliance is continuously evolving, as the regulatory environment becomes more complex. Compliance officers need to find efficient ways of keeping up with the changes and maintaining high ethical standards. Following industry best practices will help in managing risk and ensuring you have the proper oversight in place.
Some of the best practices to follow include:
- Ensuring that the compliance officer has authority within the organization and adequate autonomy and independence to implement and audit policies
- Embedding compliance into the company culture, focusing both on accountability and rewards
- Providing mechanisms for reporting concerns, both for employees and third parties
- Using useful and relevant metrics to measure successes and identify gaps
- Monitoring trends within the company and within the industry, and proactively instituting changes to evolve with them
Sources
International Compliance Association
The role of a data protection officer, IT Governance
What does it take to be a compliance manager, Robert Hall (blog)
What do healthcare organizations need to consider when preparing for GDPR, GDPR Report
Health Privacy: HIPAA Basics, Privacy Rights Clearinghouse
Best practices in corporate compliance and governance, Society of Corporate Compliance and Ethics presentation