How To Implement Virtually Any Compliance Standard
Alex Sousa
Attorney | Engineer | MBA ◆ Managed Teams (2 - 200) ◆ Negotiated over $500MM in Global Goods & Services ◆ Implemented GDPR / ISO 9001 / ISO 27001 ◆ Drafted Over 40 Patents and Trademarks
Having implemented compliance programs for everything from ISO 9001 to GDPR/CCPA, I've learned (sometimes painfully) what works and what doesn't. Here are some tips that may make your implementation easier.
1) Unless you can see it or touch it, it doesn't exist.
I once joined an in-process negotiation for IaaS/BaaS services whose agreement draft indisputably stated that the company was compliant with... you name the regulation or standard (e.g., ITAR, HIPAA, the EU Data Protection Directive, ISO 27001, etc.). I thought it was amazing that the company was up to date on so many standards. It sounded too good to be true, and it was. The company was, in actuality, compliant with virtually none of them.
The manager, a senior VP, had added that information to the agreement draft hoping to get the deal. And if we got it, we would later spend the time and money to implement what the agreement promised. Crazy, right? Thank God I checked. Aside from being a HUGE breach of the agreement if it had been executed, it was just stupid.
2) Become an Expert
Compliance standards are generally written so that they can be implemented by ordinary practitioners at virtually any business that needs compliance; you don't need to be a specialist to read the standard yourself. And although you can get very good paid professional training, there's a lot of free training available, particularly on YouTube.
3) Hire an Expert
If you can afford it, it may be useful to hire an expert to provide guidance for the implementation. Law firms tend to be good candidates. However, beware of the "open bar tab" billing that law firms use: uncapped hourly billing with no agreed scope. Ask for a fixed fee or a capped estimate up front. Otherwise, you'll get some serious sticker shock, and have some serious explaining to do, when you finally get the bill.
4) Buy/Get a Template
You can find or buy templates and examples for virtually all standards. Many companies put their compliance documents on their public websites. And law firms may also have templates that they will share (for a fee, of course). Treat a template as a starting point, not a finished program: it still has to be adapted to what your company actually does.
5) Do a Gap Analysis
Once you become familiar with the standard, and have ideally reviewed some templates, you should do some type of audit comparing "where the company is" to "where the company needs to be". Record each gap against the clause of the standard it fails to meet; that list becomes your task list in the next step.
6) Rough Out A Budget & a Schedule / Program Management
The biggest cost, by far, is usually labor. Review the gap analysis and, with the standard and the template at hand, rough out a set of tasks and the number of engineering hours it will take to complete each one. It doesn't have to be perfect; it just needs to provide a rough guide.
7) Get Management Buy In
Make sure that the appropriate manager understands the need for compliance and has a reasonable estimate of the implementation cost, particularly if engineers or programmers will need to be pulled off other work.
8) Conduct & Record Training
Make sure that whoever needs to follow or enforce the standard gets appropriate training.
And if the standard involves data that everyone can potentially touch, like personal data, then everyone at the company, employees and contractors alike, must receive the training.
It is VERY important to maintain training records, because it is a virtual certainty that you will be asked to produce them if you are ever audited. A usable record shows who was trained, on what, when, and by whom.
And here's a little tip. The fastest way to determine whether a company is compliant with a given standard is to ask for the training records. No records means no compliance. Period.
9) Hang In There
Change is hard. Let's face it, everyone wants to BE skinny, but no one wants to GET skinny.
It takes hard work and perseverance to implement any standard. But if you hang in there, change will happen: slowly at first, and then accelerating. Have faith and take it a day at a time.
I hope this was of some value. If you have any questions, suggestions, or comments, feel free to reach out to me.
Disclaimer
The information in this article is for general informational purposes only. The information presented is not legal advice or a legal opinion, and it may not necessarily reflect the most current legal developments. You should seek the advice of legal counsel of your choice before acting upon any of the information in this article.