Digital compliance: Modern risk management
In the United States, absent centralized legislation on data protection, organizations face an uphill battle not only in identifying and mapping their existing legal obligations but also in complying with those obligations. The situation becomes even more complex when you consider the implications of an increasingly interconnected world where organizations may be subject to the laws and frameworks of external nations via their online business and marketing practices. That is why, perhaps now more than ever, digital compliance is a critical concept for organizations operating in a modern market.
What is digital compliance?
But what exactly is digital compliance? Digital compliance refers to the processes and means an organization employs to ensure compliance with the overlapping web of regulatory and procedural requirements to which it may be subject, based on its business model, location, sector, applicable laws, and industry standards, among other factors. Digital compliance, in this regard, is a sort of catch-all term for the efforts of an organization to comply with its existing obligations in relation to the organization’s management of data, and it most certainly is not one-size-fits-all.
Given the ambiguity of the term, businesses often find that approaching digital compliance, and determining where to begin assessing their obligations, is an overwhelming and daunting task. Despite the challenges of recognizing an organization’s compliance needs, however, digital compliance is essential to success, and failure to properly assess and ensure it is not without consequence.
- Financial and regulatory fines and penalties – Missteps in properly identifying and assessing potential legal obligations related to an organization’s digital posture and data handling practices can result in hefty fines from regulatory and enforcement bodies including, but not limited to, data protection authorities, the Federal Trade Commission, the Securities and Exchange Commission (SEC), the Department of Health and Human Services Office of Civil Rights (OCR), and attorneys general.
- Lawsuit liability – Failure to comply with existing data protection, privacy and handling requirements and regulations can open businesses up to liability and increase the likelihood of class action lawsuits or even shareholder-derivative suits.
- Public trust and overall reputational harm – Another risk that arises when digital compliance efforts fall short is a degradation of public trust and the organization’s reputation in the public sphere, which can have a drastic impact on a business’s long-term well-being and standing with customers, partners, and stakeholders.
- Data breaches – Absent digital compliance efforts (which typically include the implementation of various data security means, including encryption in transit or at rest, access restrictions, employee training, regular auditing and penetration testing, and contracting with trusted third parties), organizations are left vulnerable to increasingly sophisticated cyber-attacks and inadvertent disclosures. Data breaches, though more common now, can be devastating to a business, resulting in reputation damage, financial loss, operational downtime, potential lawsuit liability, and regulatory investigations and financial penalties.
In essence, effective digital compliance helps organizations identify and manage prominent and avoidable risks, including those listed above.
Categories of digital compliance
Digital compliance can be generalized into two overarching categories, regulatory and enterprise (sometimes referred to as external and internal compliance), which are then broken down further into subcategories and specific areas of digital compliance.
Regulatory digital compliance requires an organization to assess existing regulatory frameworks to determine their applicability to the organization. The applicability of these laws can depend on various factors, including the sector in which the organization operates, the types of data the organization processes, how the data is processed and for what purpose, the organization’s use of targeted advertising or artificial intelligence technologies, and where the organization is located or conducts business.
Enterprise digital compliance, on the other hand, refers to compliance with internal policies and industry standards that supplement or assist in the adherence to regulatory requirements. This could include compliance with an internal privacy policy or data retention policy. Though compliance with internal policies isn’t a legal requirement, compliance can help an organization at all levels ensure that employees are holding fast to legal requirements, which are often interwoven into these policies. Additionally, noncompliance with a public-facing policy can result in an FTC enforcement action if the noncompliance is deemed to be an unfair and deceptive practice resulting in harm to consumers.
Breaking the larger categories down further into key areas or subcategories of digital compliance, the concept can be organized into data privacy protection, ecommerce, and cybersecurity. Almost all organizations today are governed by some level of data privacy and protection framework, whether that framework is imposed at the state level, federal or sectoral level, or internationally. State privacy laws, for example, often require organizations to comply with specifically delineated consumer rights and data handling and retention limitations and requirements. From a federal or sectoral perspective, regulations governing certain industries, like the financial, educational, or healthcare sectors, typically include some form of data transparency.
What can businesses do to better align themselves with their regulatory and enterprise digital compliance obligations?
Ensuring both regulatory and enterprise digital compliance can be challenging; however, there are some steps organizations can take to better align themselves with their obligations.
- Know the applicable laws – Organizations should take measures to understand what laws apply to them, specifically. Where does the organization do business—Europe, California, or elsewhere? Is the organization in a regulated sector, like the financial or healthcare sectors?
- Know your data – Organizations should take care to know the data they collect, store, destroy, and utilize. This includes knowing who has access to the data and for what purpose, as well as how that data is protected. Is the data encrypted? Is it password protected? Can any employee access the data?
- Know your internal policies and procedures – Organizations should maintain and be familiar with policies that align with applicable laws and regulations. Where those policies are lacking, organizations should implement new policies to fill in the gaps, and take care to ensure that all employees are knowledgeable on the policies. These policies should be audited and updated as needed to comply with legal requirements.
- Know the security measures in place and what is needed – Organizations should be familiar with the protections in place to prevent unauthorized access to data and should be able to recognize where those measures are falling short. This effort could include audits and penetration testing and should be carried out regularly.
- Create and maintain an incident response plan – Organizations that do not already have one should develop an incident response plan for use in the event of a cyber-attack or outage. This plan should include preparations for detection, data recovery, and any needed notifications to shareholders, customers, and regulators. Organizations should ensure that all employees are informed of this plan and are familiar with their responsibilities in the event of an incident. Organizations could also benefit from regular cybersecurity table-top exercises, in which employees participate in a simulated incident to gauge the organization’s preparedness.
- Audit existing and potential third-party vendors – Organizations should consider their ongoing and prospective relationships with third-party vendors engaged to carry out business in connection with the organization. Organizations should review the contracts they maintain with these vendors and whether those contracts ensure a compliant level of data protection that reflects the organization’s obligations. Where no such contract exists, organizations should work to put a contract in place with their vendors as soon as possible.
When in doubt, businesses can consult with trusted external legal counsel for guidance on fulfilling their legal obligations and ensuring digital compliance. If you have any questions regarding your company's data compliance, reach out to McDonald Hopkins' national Data Privacy and Cybersecurity practice group.