Evidence Collection: A Key Pillar of an Effective Compliance Program

Jingcong Zhao Opinions

Whether you’re a compliance officer or a business leader of a growing company, you’ve seen examples of how much companies can suffer when a data breach happens. Data breaches can be disastrous. They could lead to huge remediation costs, a loss of trust from customers, and on top of that, possible scrutiny and fines from enforcement officials.

These days, no one is safe from a data breach; even large organizations are falling victim to them because of a lack of data security knowledge and proactive compliance measures. These breaches have caught the notice of both legislators and the public because, according to comments from Forrester Research on the Marriott Mega-Breach, “As the case has been for nearly every other mega-breach in recent history, the methods that the attackers used to exploit this system weren’t magic or exceedingly advanced. Basic database security protocols, good authentication, minimization of lateral movement, and an understanding of how to apply technology strategically would have made a big difference.”

As breaches become more common and larger, and as regulators and the general public have become more aware of their data protection rights, it’s even more important for organizations of all sizes to both comply with data privacy regulations and document their compliance process and outcomes.

Why Collecting Solid Evidence Matters



Evidence collection, or the act of documenting your compliance processes and outcomes, is one of the best tools for showing auditors and federal regulators that your organization is taking compliance seriously, and it can mean the difference between paying a huge fine and paying no fine at all when a violation has been discovered. 

For example, the General Data Protection Regulation (GDPR) allows the UK’s government to levy fines against companies providing services to their citizens that have a breach and aren’t in compliance with its requirements. It also allows for companies to show they are making a good faith effort to remediate non-compliant processes. 

Fines aren’t automatically levied against every company as soon as a breach happens, but if a company has no evidence that they have, or are at least working towards having, a comprehensive compliance program, they’re more likely to suffer the consequences. When your organization is diligent about maintaining documents that prove you have processes and security measures in place to protect your data (and customers’ data) and comply with regulations, you can easily demonstrate to regulators what employees throughout your organization are doing to stay compliant. 

Other benefits to maintaining an evidence collection process

Along with potentially keeping your company from being fined in the event of a data breach, having evidence of your compliance measures on hand can also demonstrate to the public that you take their trust seriously and aren’t flippant with their sensitive data, which is crucial for building your reputation.

Evidence collection also gives you an opportunity to find your compliance blind spots: if your compliance evidence doesn’t exist, you’re likely not meeting standards. This process will help your compliance officer correct assumptions and clarify who is responsible for each compliance activity. It will also help them connect with the business process “owners” (the people who are responsible for maintaining compliance evidence) and ensure they have the tools and understanding they need to be successful.

This is especially important in startup environments, where it’s common for people to have multiple responsibilities and where there might not be a compliance specialist managing the process. Having these conversations is a great opportunity to get everyone on the same page.

Evidence collection is a business practice that deserves attention and thoughtful planning as much as the rest of the compliance process, and the work you put in will be worth it when your entire organization is bought in to your compliance efforts.

Challenges in Collecting Evidence


When you set out to build an evidence collection process, or if you’re overhauling a process that isn’t currently working, you’ll encounter a variety of challenges. If they’re handled correctly, they can help strengthen your compliance program and create a culture of compliance throughout your organization. However, if you don’t acknowledge and address them, they can spell disaster for your fledgling evidence collection process.

No tools for collecting and organizing evidence

Manual processes lead to missed steps and holes in your compliance process. If you are relying on different tools to track compliance updates, document compliance efforts, store evidence, communicate with people providing evidence, and manage the interplay between all of those tasks, you will be fighting an uphill battle. Operationalizing the collection and updates for compliance evidence is the antidote for wasted time on manual processes.

Evidence collection isn’t everyone’s priority

Evidence collection is one of the hardest parts of a successful compliance program because it doesn’t sit solely with the person in charge of compliance. A compliance officer must collect information and documents from IT, engineering, marketing or sales, all while ensuring it complies with regulations. And while it may be the compliance officer’s highest priority, it isn’t the highest priority for engineers. 

It’s also an ongoing process, and if the employees who implement the controls don’t understand the importance of this process, they may not feel a sense of urgency to engage in proper evidence collection. A culture of compliance means that every employee buys in to the process and invests in doing the right thing, and it’s crucial to a successful evidence collection process.

Controls change often

Evidence collection is also challenging because evidence needs to keep up with your controls. If a control is updated (for example, the way in which a system authenticates users), then the documentation itself needs to reflect the current control. These days, it’s common for an organization to introduce new systems and technology all the time, and the evidence collection process must be updated along with them.

How to Successfully Manage the Evidence Collection Process

Many startups use a patchwork of tools to manage their compliance programs, and integration can be difficult. Tools like Google Drive and Dropbox are great low-cost options for some kinds of document storage and creation, but these systems aren’t designed for compliance programs and using them makes it too easy to lose track of important documents and artifacts.

Many of the problems businesses face when it comes to evidence collection can be mitigated by implementing compliance management software. Manually managing any part of the process creates potential for error. Good compliance software automates key parts of the process, not only alerting the user that a certain piece of documentation needs to be completed, but also allowing those involved in compliance to tag and sort evidence and make it easy to find.

Additionally, compliance software both fosters and demonstrates a culture of compliance. You’ll spend less time manually sorting through documents and trying to develop a filing system for them, and you’ll have a record of all of your completed compliance audits and activities so you know exactly where you stand at all times.

All of these things will empower you to build relationships with the people responsible for providing evidence and show regulators that you are being proactive about doing the right thing—even when nobody is looking.

Whether you’re a dedicated and experienced compliance professional or an executive taking on compliance responsibilities in addition to your other duties, you will be more successful with the help of compliance software. Hyperproof provides software that makes collecting evidence simple and allows you to automate processes that are time-consuming and prone to error. Not only that, the software helps you stay on top of testing and reviews and allows you to set reminders to review your evidence periodically. Hyperproof also provides a repository of all of your controls and proof, as well as an audit trail of all of your compliance activities, so that if you lose a key person or are subject to an audit, you have a record of what’s been done.


Evidence collection is a crucial part of your compliance process, and it can either be a giant headache on top of an already difficult and stressful responsibility, or it can be an opportunity to be proactive and demonstrate your organization’s dedication to security, data protection and sound business practices. Hyperproof can help you manage your compliance programs from start to finish and provide you with tools you need to protect your organization from hefty fines and damage to your reputation. 
