23 Jul Privacy and Data Protection Laws Show Need for Compliance-as-a-Service
When you were growing up, did your parents ever tell you to do something, and when you asked why, they shot back, “because I said so.” Did that answer alone convince you to obey or did it make you want to defy your parents – at least until you got a “real” reason?
If you want to persuade people to take action, they need a good reason. And they need to understand and relate to that reason. They need to be able to comprehend the consequence or benefit of forgoing or committing the action.
Young or old, people are more likely to act when they understand why they should do something. What’s in it for them? What happens if they don’t? This mentality holds true when people purchase products and services as well. MSPs won’t get very far if they simply tell prospects their compliance services are excellent. Decision-makers want to know how these services will benefit their organization and what negative repercussions could occur if they opt out. Validate the good, demonstrate the bad.
And this is where MSPs can leverage privacy and data protection laws to persuade clients about the importance of Compliance-as-a-Service. Privacy laws protect consumer rights related to how a business uses consumer data – anything from information gathered through online forms for communication requests to purchase history to health records. The mandates regulate who has access to the data and how it can be used, and also assert consumer control over the data.
Cybersecurity and data protection laws are meant to safeguard consumer and employee data from unauthorized and unlawful access, such as what could happen in the event of a cyber breach. This data can include billing information, health records, tax information and personally identifiable information such as addresses, phone numbers and driver’s license details. The directives require organizations to establish a minimum level of network and data protection protocols to avoid penalties.
Many of the privacy and cybersecurity regulations overlap. Some fall under the reactive law umbrella while some fall under prescriptive law. Reactive laws dictate a company’s actions after a breach has occurred, such as requiring a business to notify customers and report the incident to the attorney general within a designated time frame. Prescriptive laws set out to institute safeguards that will help prevent breaches and protect data. They often assign penalties if a business is breached and found to be non-compliant with the directives.
Every state in the U.S. and most foreign countries have established privacy and data protection laws. Of course, the regulations vary from state to state and country to country. With our increasingly connected business world, compliance can be a complicated and multifaceted achievement – yet a critical one. Many businesses have clients or employees outside of the company’s resident state or country, so all laws of any involved states or countries must be followed to achieve compliance.
For instance, if a company is based in North Carolina but has just one employee or customer residing in New York, the business must comply with New York’s SHIELD Act (Stop Hacks and Improve Electronic Data Security Act). If an organization holds data of a customer in California, it has to comply with the state’s mandate to notify the customer within 15 days of a breach. Canada has its Personal Information Protection and Electronic Documents Act (PIPEDA) that governs data protection, and three provinces – Alberta, British Columbia and Quebec – have their own data protection laws. Ontario has a unique regulation similar to HIPAA that’s dedicated to health information. With so many different directives, MSPs can make a solid case to help ease an organization’s compliance burden.
MSPs can supply a high-level overview of these laws and reveal the financial and reputational consequences of violating them – granting credence to their pitch for ongoing compliance services. However, MSPs don’t have to become experts on these regulations. All they need is a basic understanding of compliance and each client’s requirements.
MSPs can strengthen their services using technology. For instance, if a business has encryption needs, an MSP can use Network Detective to look across a network and find devices, determine their encryption status and create reports. Compliance Manager can automate the data gathering and documentation requirements associated with many government and agency standards. It also includes a best practices guideline, the NIST Cybersecurity Framework, that aligns with many compliance standards. MSPs can utilize these tools to provide critical proof of compliance down the road should their clients be audited or breached.