The Complexities of Compliance: What Keeps the C-Suite up at Night?
As businesses’ reliance on technology grows, so do concerns over data privacy and protection. New laws and regulations emerge every year that require organisations to meet complex data control requirements, with steep penalties for non-compliance.
For the C-suite, the complexity of compliance adds up to a considerable burden, not least satisfying stringent and resource-intensive audits. The last two decades have seen some particularly notable legislation take effect. Here are some of the key data protection laws that have had the greatest impact on C-suite stress levels:

2002: Sarbanes-Oxley Act (SOX)
The Sarbanes-Oxley Act, often referred to as SOX or Sarbox, is a US law that protects investors from fraudulent corporate accounting. Congress enacted Sarbanes-Oxley following several high-profile accounting scandals in the early 2000s, including the misconduct at energy firm Enron. That scandal bankrupted Enron and brought down Arthur Andersen, one of the world’s largest accounting firms. Section 404 of SOX, arguably its most onerous requirement, obliges the management of SEC-registered public companies to establish, maintain and annually assess internal controls over financial reporting, with an external auditor attesting to that assessment. Those controls are expensive to implement and a headache to audit. You can read more about Sarbanes-Oxley on our blog.

2010: Massachusetts Data Protection Law
In 2010, Massachusetts brought into force what was widely considered the most comprehensive data protection and privacy law in the United States. The law sets strict requirements for how organisations retain and store the personal information of Massachusetts residents. Among its requirements is the need to encrypt, where technically feasible, all records and files containing personal information that are transmitted across public networks or wirelessly, and all personal information stored on laptops and other portable devices. A particularly burdensome obligation is that companies must ensure any third-party service providers with access to their data maintain the same standards.

2018: The General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) is one of the most stringent privacy and security laws in the world. Although it is a European Union (EU) regulation, the GDPR applies to organisations anywhere in the world if they offer goods or services to, or monitor the behaviour of, people in the EU. Any organisation in breach of the GDPR faces harsh penalties, with fines of up to €20 million or 4% of global annual turnover, whichever is higher. The GDPR also imposes stringent accountability requirements: data controllers must be able to demonstrate their compliance, not merely assert it. These demands put pressure on companies to ensure that the correct auditing and logging systems are in place and that everyone understands their responsibilities. Check out this article for more thoughts on GDPR compliance.

2020: California Consumer Privacy Act (CCPA)
California introduced its own comprehensive privacy law with the California Consumer Privacy Act of 2018 (CCPA), which took effect in January 2020. Following a ballot vote by California residents in November 2020, the state amended the Act to expand residents’ rights and create new compliance obligations for businesses; the amendments are known as the California Privacy Rights Act of 2020 (CPRA). Generally, the CPRA applies only to larger for-profit entities that collect and use the personal information of Californians, but it also imposes obligations on contractors and service providers that work for a covered business. Companies must implement “reasonable security procedures and practices” to protect consumer data, and consumers may sue over breaches caused by a failure to do so.
Coming soon: New York Privacy Act and Washington State Privacy Act
Also in the works are two other US privacy laws that would affect organisations doing business in New York and Washington. While the New York State Senate has yet to vote on it, the New York Privacy Act is likely to require businesses to obtain written consent from New Yorkers before using their personal data or transferring it to a third party. Consumers would also gain the right to bring civil lawsuits themselves.
The Washington Privacy Act passed the state Senate 48-1 in March 2021. If passed by the state House of Representatives, the law would give consumers the right to access, correct and delete personal data that businesses collect about them. Companies would also have to publish privacy notices and adopt reasonable security standards.
Stay Compliant with Automated Auditing
Keeping up with constantly moving legal goalposts creates audit fatigue and sleepless nights for many executives. That’s why we’ve launched Smart Audit for Workday. Like many ERPs, Workday is a hub of organisational data, so organisations that rely on it need to ensure the privacy and security of the data subjects they interact with, from employees to contractors to partners. Smart Audit is a continuous, automated auditing tool for Workday that simplifies internal controls, cuts the risk of non-compliance and reduces auditing costs.
Automation takes the stress out of compliance and transforms the auditing process, so organisations can hit the ground running when the rules inevitably change again.