
The Journey to Compliance: Why You Should Start Now (and How to Get Started)

By Jingcong Zhao, Hyperproof | Opinions

If you’re a startup founder or working in the c-suite of a new company, you’re a busy person. Starting and growing a business takes a lot of work and a lot of late nights. Every process, procedure, and system has to be built from the ground up. Unfortunately, in all the chaos, many startups lose sight of something critical: compliance.

You may think compliance will slow you down, is too expensive, or isn’t all that important. The reality is that although it can be time-consuming and costly, you can’t afford to put compliance off. Compliance is one of the keys to growing a thriving, successful business, and it’s something that will come back to bite you if you aren’t thinking about it in the early stages of building your business.

Starting to build your compliance program in the early days of your company’s existence is important for a few reasons, and in this article we’ll talk about why it’s so important that you start immediately as well as a few tips on where and how to get started.

A Culture of Compliance


Photo by Helena Lopes on Unsplash

In the last few years, we’ve heard a lot about how important culture is in the workplace; industry blogs and even mainstream news organizations have talked about workplace culture and how it affects people’s work lives. Many startups invest a lot of time and resources into defining and building their workplace culture into something they’re proud of.

But culture is more than the catered meals and ping pong tables in the break room that many people think of when they imagine startup culture. Company culture defines your organization in a lot of ways. It dictates the environment your employees work in, and, ultimately, it affects the way that your employees make decisions. Whatever the other aspects of your company culture, it’s crucial that one of the pillars your business is built on is a culture of compliance.

Here’s what a culture of compliance means:

  1. Everyone, from the executives all the way down to the summer interns, understands the importance of compliance and is committed to maintaining a compliant workplace.
  2. Software and IT systems that handle data are designed to be compliant with laws and industry standards that govern data privacy and protection.
  3. Everyone understands their role in the company’s compliance program, whether it’s reporting compliance issues or providing compliance evidence to the compliance officer, and they take their responsibilities seriously.

Why Starting Early Matters

By starting now, you can also avoid bigger and more serious disruptions down the road. As your company grows, systems and patterns of behavior will form either out of conscious design or force of habit. If you wait to implement a compliance program until you’ve grown significantly, you’ll have a much harder time changing these systems and patterns. Everything from aligning everyone’s priorities to rolling out controls, processes, and tools will take longer and be more disruptive across the organization. 

It’s also important to be able to show that you are, at the very least, working toward a compliance program, because if there is a compliance violation (e.g. a data breach) and you have nothing to show regulatory agencies, the consequences can potentially be much worse. This is especially true for a small business that isn’t financially established enough to withstand fines and reputational damage.

Finally, starting this work early on is important because B2B customers today are savvy and expect a robust compliance program. Customer-driven audits are on the rise. If you don’t pay attention to data privacy, security, and compliance to regulations, you won’t be able to do business with a significant portion of your addressable market. 

Fortune 500 companies, federal and state governments, healthcare organizations, and any other successful business or organization that handles sensitive information often require their vendors and partners to be compliant with certain frameworks. Depending on what kinds of businesses you’re working with, you might need to be HIPAA, SOC 2, ISO 27001, or FedRAMP compliant.

The time to start thinking about building a compliance program is long before you’re courting a government agency or a large hospital system. You don’t want to miss out on big opportunities and set your business back. 

A culture of compliance sends a positive message to your potential customers, the general public, and your own employees: it says that you take data security seriously, that you value your customers’ trust in you, and that you are a developed and mature company, not a fly-by-night operation.

A culture of compliance ultimately means that your business and your employees are doing the right thing even when nobody else is watching. And isn’t that something every business wants anyway?

What do I need to do to get started?


Photo by Kara Eads on Unsplash

Once you’ve committed to building a compliance program, there are a few high-level ideas that will help you get started. Every compliance program is a little bit different, but some things are universal to building a program that’s successful for your company and your culture.

Avoid compliance-in-name-only programs

First, while you’re building a compliance program, and the culture that surrounds it, don’t make the mistake of creating a compliance-in-name-only program. In an article about building a compliance program published by Datavant, they give a great example of what this kind of culture looks like: imagine hiring a new employee, and on their first day you give them an employee manual that’s hundreds of pages long. You ask them to read it—knowing they probably won’t—and have them sign a paper that says they read it, which is placed into their personnel file and never looked at again.

While you’ve technically checked all the boxes and provided your employee with the information they need, if you’re not making sure they actually read and understand the processes, procedures, and requirements, you’ve created an in-name-only compliance program, and you are putting data and other important information at risk.

Involve your leaders

As with almost anything else in a startup, one of the keys to ensuring your compliance program is successful is showing that it’s one of leadership’s priorities and that they’re taking it seriously. If your executive team sees compliance as a set of hoops to jump through as quickly as possible, the rest of your company will see it that way.

But if your leadership team understands the importance of compliance and makes business decisions with that priority in mind, everyone else will also understand the importance. Datavant also explains how their CEO routinely talked about compliance as a priority, highlighted the progress the company made, and showed it was not something to be brushed aside. Involving leadership and helping them model the compliance culture you’re striving for will help you build that culture.

Start with the processes you already have in place

The easiest way to start is with the procedures that you already have in place. It’s easy to get carried away writing aspirational policies, but before you worry too much about what you don’t have, you should get a handle on what you do have. This will give you a realistic starting point and show you where the gaps are so that you can begin filling them.

Don’t take on too many regulations at once


Photo by Sharon McCutcheon on Unsplash

When you begin your research, you may feel overwhelmed with the number of policies and procedures you have to create under all these compliance regimes. But there’s no need to boil the ocean. Starting out, choose one set of standards, like HIPAA, SOC 2, ISO 27001 or GDPR, instead of trying to do all of them at once. This will give you the chance to develop a strong foundation without overwhelming your team.

The first certification you’ll want to get is the one that your customers are asking for. For example, many large enterprises will require their vendors to show a SOC 2 report. All healthcare customers will require their vendors to establish HIPAA compliance. If your customers are not asking you to produce a specific certification, you can look and see what certifications other companies in your industry are getting.  

Develop new policies and procedures 

Regardless of what industry standards you choose to pursue, there is a baseline set of policies and procedures every organization will need in order to adequately address their customers’ security and data privacy concerns. At a minimum, organizations will need to have a business code of conduct, an information security policy, an incident response policy, a password policy, a privacy policy, and a data management policy. Organizations like Datavant have open sourced some of their compliance policies, so you can use theirs as a starting point. 

Engage with an auditing firm 

The best way to determine what policies, procedures, and controls you need in order to comply with an industry standard or a regulation is to engage with an external auditing firm. Auditing firms specialize in different standards such as SOC 2, ISO 27001, or HIPAA. 

They can perform a pre-assessment to identify any gaps in your compliance program by mapping what you have against the desired criteria (e.g. SOC 2). This involves inviting auditors to your office(s) for a few days to dive into your business processes and your current control environment. The auditors will interview some key employees (e.g. head of engineering, security engineer, etc.) to get a sense of how things work today. From there, the auditors will be able to identify any gaps you should address and provide recommendations on the controls you need to put in place in order to pass an audit.

Remediate compliance gaps 

Once you have a list of compliance gaps you ought to remediate, you can create a project plan to put additional policies and controls into place. Be sure to give yourself plenty of time to complete all the work — at least 4 to 6 months. 

Schedule audit for desired standard 

Once the remediation work is done, you will have the auditors you’ve selected back on site to ensure that controls are designed appropriately to meet the objectives laid out within the standard. When the on-site fieldwork is complete, you’ll discuss any potential issues identified and reach an agreement with your audit firm on which issues are included in the report. After you’ve incorporated any feedback noted in that report, the auditor will issue you the final report.

Make sure to document the entire process

While you’re developing, testing, and deploying your compliance process, centralizing information is crucial. You should document each part of the compliance process, collect evidence of your compliance measures, and track who is managing what. 

This is important because it gives you a record of your compliance activities. It also ensures you’re not creating a process that is immediately forgotten about or letting things bounce from person to person with no accountability. Then, when you’re faced with an audit, you won’t need to scramble to locate all the evidence you need to present to the external auditor. 

All of this evidence collection and documentation can present a lot of challenges if you use several different software and storage platforms to store and track everything. Solutions such as Dropbox and Google Docs are no match for dedicated compliance software when it comes to building and streamlining your compliance process. Utilizing compliance management software will help you keep everything in one place, track your compliance process and activities, and be more prepared in case of an audit.

Use compliance management software

Whether your compliance program is tried and true or completely nonexistent, a compliance management system can make things easier. Hyperproof’s compliance management software is built to make every part of the process simpler and automate as much as possible so you aren’t bogged down with administrative tasks. 

Hyperproof provides you with pre-built frameworks for the most common data security regulations (e.g. ISO 27001, SOC 2, GDPR, HIPAA) and makes it easy to see what you need to do to comply. It also helps you automate your compliance process and stores, tags, and organizes your compliance evidence.

Hyperproof empowers your compliance officer to manage a successful compliance program and gives you the tools you need to protect your company and your clients’ data. If you want to see how Hyperproof can help you get to compliance faster, we’d love to talk.

Banner photo by Micaela Parente on Unsplash