The evolution of IT governance, risk and compliance

The regulatory landscape is constantly changing

Over the last year, authorities have gained a greater understanding of their role in holding businesses accountable for their use of personal data (i.e. information about people) and have demonstrated their commitment to enforcing legislation that protects individual rights. Encouragingly, we’re also seeing more data privacy professionals driving the business agenda.

Authorities in the European Union (EU) and the US, in particular, have issued a number of fines against businesses that have failed to act transparently, fairly, and responsibly in their use of personal data.
2019 was a year of enforcement for IT compliance…but GRC is becoming more complex and challenging to navigate: global health emergencies like the Coronavirus outbreak do, and should, affect the way organizations manage security-related initiatives. Health and safety concerns over employees and the public override many compliance initiatives and should be taken into account when designing and implementing security controls, business continuity and disaster recovery plans.

Compliance and complacency don’t mix

Complacency can lead to serious consequences and put your business, employees, and customers at risk. Moving forward steadfastly and continuing to make the appropriate investments is critical.

New regulations are being implemented or are coming soon; to name a few:

• California Consumer Privacy Act
• Brazilian General Data Protection Law
• India’s Personal Data Protection Bill
• Singapore Personal Data Protection Act
• South Africa’s Protection of Personal Information Act

Steps to success

To ensure thorough IT governance and compliance programs, businesses should take note of the following guidelines:

• Gain an understanding of what data you currently have. Scrutinize what kind of information you have. Determine where you store it, know who has access to it, what you do with it, how you use it, with whom you share it, why you need it, and how you need to protect it.
• Employ the appropriate persons for the job. Appoint appropriately qualified and skilled data protection professionals, and engage trusted partners, as they will work with you to transform data protection legislation into business practices which support compliance.
• Implement strong data governance mechanisms. Ultimately, data protection is about managing the personal data you use in your business, and ensuring you have appropriate controls and oversight, as well as reporting compliance to validate the effectiveness of your controls. Ask yourself: ‘Do we apply rules relating to data classification and quality? Do we have master data records management? Are robust retention and records management policies and procedures in place?’

 Connect on LinkedIn