Your Step-by-Step Guide to Updating Policies and Procedures

Today, it’s become increasingly critical for all organizations to comply with the ever-growing number of regulatory laws governing the handling of personal data. By complying with these regulations, your business aligns with established best practice security standards, improves data safety, and avoids the legal fines, penalties, and government settlements potentially awaiting compliance violators. 

Oh, and did we mention the potential cost? Regulatory compliance and the economic effects of federal intervention is estimated at $1.9 trillion annually. For those thinking the cost of preparing your organization for compliance is prohibitively high, don’t even consider non-compliance which can be 2.71 times higher according to a Ponemon and Globalscape report. The numbers can be eye-popping depending on the level of the infraction: Amazon was hit with an 886 million EU data privacy fine in 2021. 

 So, once your team creates comprehensive policies and procedures to develop operational consistency, assist with training, establish compliance and stay off the regulator’s radar, you’re done, right? In a perfect world, compliance requirements would be static, but modern regulatory laws constantly evolve, forcing organizations to update their policies and procedures regularly. 

Diligent organizations typically update compliance policies annually while monitoring key drivers, including business model or leadership changes, the use of new technology like AI, shifts in the risk landscape, the emergence of new compliance regulations and audit feedback. 

Maintaining compliance today requires recognizing when and how to keep your policies and practices current, starting with a step-by-step plan. In this article, you will learn the six steps necessary to effectively update and maintain your organization’s policies and procedures, helping to ensure a secure and compliant future.

Step 1: Assess your current policies

Before you create the plan to get you where you want to go, you must begin by knowing where you are, right? Every compliance update starts with thoroughly assessing your organization’s policies. Your team must determine if they match all applicable regulatory laws and abide by all contract or contract flow-down requirements governing your compliance duties as a subcontractor. When assessing your compliance policies, you should identify and understand the regulations that apply to your industry, region, and operational needs. Next, build a centralized database of relevant regulatory laws listing their intentions, parameters, and areas where your business may be affected. Some suggested action steps for creating and maintaining a database of relevant regulatory laws include:

• Appointing a team member to assume the duties of compliance officer
• Determining the specific industry and jurisdictions under consideration
• Identifying relevant regulatory bodies and highlighting key regulations from official sources like government websites and legal databases like LexisNexis and Westlaw 
• Constructing an SQL database of relevant law, including amendments, jurisdiction background, and dates 
• Installing an automated alert system or consider linking your database to a compliance management software tool to stay abreast of new or changing laws
• Scheduling regular audits to maintain an acceptable legal standing

With a working database of current regulations and knowledge of your existing policies and procedures, you can better understand your organization’s compliance standing. Use your regulatory database as a benchmark while factoring business needs to see how your current policies and procedures stack up. Perform a gap analysis, identifying the trouble spots where your current policies and procedures fall short of your organization’s specific compliance needs.

Don’t hesitate to pull all the stops when assessing your compliance standing. Organizations that lack expertise but maintain a sufficient budget should consider hiring consultants and attorneys to assist. Even though self-assessment can be painful, it’s better to discover the warts now than have regulators do it for you later. Incident response simulations can uncover gaps, and internal audits can provide insightful snapshots of your compliance footprint.

Step 2: Engage stakeholders early

When it comes to updating compliance policies and procedures, having the support of all significant stakeholders is critical to your organization’s success. You want to reach out to all departments across the business, including IT, HR, security, and legal. Be sure to include the leadership from all business units by reaching out early in the update process to ensure the sharing of responsibility and ownership.

Remember early buy-in from stakeholders is essential to facilitate collaboration as the updating process progresses. Collaboration from all departments will help ensure equal input from the grassroots employees to the C-suite. Developing a culture of collaboration helps ensure that your policies will be relevant and actionable.
As we know, gaining support for policy change at the executive level often can come down to politics—and a well-timed and business-centric sales pitch.

Kayne McGladrey, Field CISO at Hyperproof, shares advice for gaining executive support:

If there’s going to be a committee meeting, go talk to everyone on the committee beforehand to sell them on the idea of the policy update before you even go to the meeting. Also, remember that if you can’t make a justifiable business case for policy updates, especially the large ones tending to be strategic in nature, it’s not going anywhere.

Step 3: Align policies with current risks and objectives

How can you ensure data security and regulatory compliance without aligning your policies and procedures to reflect the current risk landscape? Identifying your risks starts with knowing your data, which can prove challenging for many organizations. What type of data is stored? Where is it stored? Who can access your data, and what access controls are in place? 

Data mapping can be helpful as Benson Varghese, seasoned attorney and Founder of Varghese Summersett and Lawft, explains:

I recommend data mapping before updating compliance policies and procedures. Data mapping goes beyond knowing where you store sensitive data to understanding how data flows through your organization, who can access what, and how data is shared internally and externally. Many organizations don’t realize how third-party vendors or cloud services handle their data until they map it.

For those unfamiliar with data mapping, it’s a process of connecting data from divergent sources to a common database, helping to ensure a standard level of consistency and functionality of data. Teams identify data sources, review formats and standardize terminology while cleaning the data to remove errors, replications, or outdated information. Data is then normalized, and the format is converted to a standard structure. Finally, automation is added and data mappings are commonly stored in a centralized archive for convenience. 

Data mapping can provide significant value by creating a centralized storage location and standard of uniformity for all company data so teams can more effectively determine if its use, handling, and storage comply with all applicable industry regulations. Mapping data is one step your team can take to simplify the process of knowing where you stand on compliance when it comes time to update policies. Performing internal system audits and risk assessments can also help build your risk profile and provide critical information to guide policy updates. Risk assessments can help identify individual risk severity and areas within your company where non-compliance could be the most impactful. Smart teams use this insight to design policies and procedures that support areas with the most significant risks and vulnerabilities.

Successful teams know that policies must also align with the organization’s goals and business philosophy. Fortunately, we can all agree on the importance of data security and how it needs to be a core component of every business’s ideology. Modern teams must strike a delicate balance between remaining true to internal objectives and meeting stringent regulatory guidelines while enabling the innovation necessary to remain competitive, and this only comes by tailoring policies to your organization’s specific profile and needs.

Innovation may be the most critical and challenging, as, at times, it can appear like the EU is intent on suppressing innovation by overregulating specific industries. For example, some feel the Digital Operational Resilience Act (EU DORA), an EU regulation designed to help financial institutions better manage cyber attacks and system hiccups, hits this industry especially hard. Another example is NIS2, a recent EU cybersecurity directive, which increases regulations, stiffens requirements and expands incident reporting with heavier fines for more industries, including energy, health, transportation, and public administration. Finally, the EU AI Act targets the rapidly expanding field of AI. This Act, which regulators will implement in 2025, governs AI by identifying risk levels with a goal of safer, transparent, and ethical use of the technology in all industries. 

Also, remember to avoid cookie-cutter options when designing your compliance policies, as they don’t allow the flexibility required by most organizations today. Generic policies often fail to address specific industry or regional issues in sufficient detail. Different size companies and business models often require differing policy construction to avoid unnecessary, and possibly harmful, outcomes. For example, larger banks can easily manage compliance costs that would likely cripple smaller financial institutions.

Consider tailoring your compliance policies to fit your company’s specific profile. Taking the time to tailor compliance policies helps ensure they meet your specific needs and won’t weigh your business down with regulations not intended for your model. Besides, it stands to reason that employees will find it easier to follow compliance policies designed with their company’s specific profile and operations in mind.

No discussion of policy creation is complete without mentioning the importance of aligning with the many compliance frameworks designed to provide direction and guidance. Examples of frameworks include GDPR, CCPA, PCI DSS, and SOX, which should always be front of mind when updating your compliance policies and procedures.

Step 4: Update and test policies

When preparing to draft policy revisions, be sure to review your organization’s unique environment and profile. Always base policy updates on your organization’s unique profile, including applicable industry regulations, location and operational needs, your specific risk landscape and the gaps where your policies don’t meet current regulatory requirements.

Begin by drafting suggested policy revisions with a priority on areas of highest risk to your business while seeking feedback from leading stakeholders across all departments and levels of your organization.

Would a company meeting on the proposed policy revisions be worthwhile? 

If so, schedule a meeting with adequate stakeholder representation. Make sure to include legal and HR representation at your main meeting to approve any policy changes and prepare the final documents. 

Remember to create your policy in plain language and clearly explain the expectations to all your key stakeholders. Transparency in policy creation is essential for future guidance, so document your steps. “Having a documented transparent process is more important than any specific tool or technology because if you write the process down, it will survive any change of leadership or tools,” adds McGladrey.

Lastly, remember to test any new procedures with trial runs before deployment. Running tabletop exercises or pilot programs to test the efficiency of new practices or tools can save time, money, and sometimes embarrassment in the long run. Also, be mindful of organizational change management when considering how to trial new procedures. Use every opportunity to collect feedback during your change management process as it can prove helpful when building your training programs.

Step 5: Train employees

“All the good policy documents in the world — they’re just paper thrown out of an ivory tower without your people reading them,” says McGladrey.

This statement isn’t hyperbole. Without effective communication regarding your new compliance policies, these messages can be lost.

How can you successfully communicate new compliance policy updates to your team? 

We recommend a cohesive rollout strategy to ensure all departments fully understand new policies. Organizations can prefer different methods and tactics, but effectively communicating all compliance policy changes to every employee is critical today.

Multi-channel communication often works best. Effective delivery strategies can include emails, employee portal messaging, team meetings, visual infographics and brief informational videos or podcasts highlighting the essential takeaways. Always use plain jargon-free language summarizing the policy changes and how they may affect the individual’s job or role in the company. 

Be sure all employees understand the “why” behind the need for new policies and how supporting these policies can positively impact them. McGladrey explains, “What I see tends to work best is a cohesive rollout strategy that helps employees understand why a policy update is good for their jobs and not just something that’s protecting the organization.”

This understanding can lead to ownership of new policies, and accountability can follow with the correct training programs. Training classes with employee testing and scoring help document the recognition and acceptance of new policies, building accountability across departments.

Training programs shouldn’t be one-and-done, so as regulations and policies evolve, make sure your refresher training programs stay updated and relevant. Cache Merrill, founder of Zibtek, who has over a decade of experience in cybersecurity strategy and policy optimization, sums up the importance of training today:

The new compliance is everyone’s business, so make sure you have updated and relevant training materials and remember a well-educated team is your first line of defense.

Step 6: Monitor and maintain policies

The only thing more important than correctly drafting new policies may be monitoring and maintaining your updates. Start by establishing a regular cadence of internal audits and policy reviews. This diligence demonstrates proactive responsibility to regulators and external auditors—a point for you if you ever end up in court. We recommend that your team schedules bi-annual compliance checkups. Also, businesses in industries with more complex compliance mandates like finance may find value in periodic consults with regulatory experts.

As compliance laws shift today, how can you stay current with this constantly evolving regulatory landscape? 

Investing in automated compliance management tools could be your answer. These convenient solutions can help monitor your policies by tracking access controls, data usage, and compliance workflows.

Lastly, considering the fluid nature of compliance laws, build flexibility into your policies so they can more easily adapt to changing risks and regulations. Updates, if required, will be much simpler.

Looking to the future

Compliance regulations exist to ensure organizations follow best practice guidelines for data protection — something everyone can agree is valuable. However, maintaining compliance with today’s regulations isn’t easy, as constantly evolving risks and expanding regulations challenge even the most prepared teams. 

Companies across all industries now face the difficult task of maintaining compliance despite tight budgets and a climate of deregulation, which often leads to cost-cutting efforts in compliance areas. Despite these challenges, organizations should invest significant effort and resources toward monitoring, updating, and maintaining their compliance policies and procedures — because the stakes are simply too high. Successfully navigating compliance requires recognizing when and how to update and manage your policies. By following these six key steps, your organization will be well-positioned to ensure a secure, compliant, and prosperous future.