CEO and Co-Founder of Compliance.ai, a RegTech company transforming the way highly regulated organizations address compliance risk.
As businesses respond to the global pandemic by transitioning to remote workforces, many are leaving their compliance flanks exposed by ignoring new risks posed by remote workers. Compliance is always a labor-intensive challenge, especially in heavily regulated industries, but those challenges grow exponentially with decentralized workforces.
Recent surveys have found that remote workers struggle to properly secure their devices and data. With new consumer privacy laws such as the CCPA and GDPR covering large swaths of the global economy, this oversight could be costly.
According to London-based data privacy research firm PrivacyAffairs, European data protection authorities have issued 347 GDPR-related fines, totaling €175,944,866, since May 2018. Every single EU nation, plus the U.K., has issued at least one GDPR fine.
Meanwhile, remote work is further eroding work-life boundaries, which poses a major threat to sensitive corporate data. According to a survey by security company Trend Micro:
- 80% of remote workers use work laptops for personal browsing.
- 56% run nonwork applications on corporate devices.
- 66% have uploaded corporate data to nonwork applications.
- 39% often or always access corporate data from a personal device.
- 34% do not give much thought to whether the apps they use are sanctioned by IT or not.
- 7% are regularly accessing the dark web.
If those statistics don’t alarm you, remember that the GDPR and CCPA both punish businesses for data breaches if the business has not followed proper security protocols.
While CCPA enforcement is just beginning, in the EU, regulators have handed out fines as high as €50 million (approximately $54 million). To minimize risks, businesses must quickly realign their corporate compliance efforts to meet pandemic-related realities.
Here are four steps to help you mitigate remote work noncompliance risks:
1. Establish safe and compliant remote work policies.
According to a report by Upwork, 57% of businesses have no remote work policy whatsoever. Even if the business does have a policy, a June study by Wakefield Research (commissioned by networking company Riverbed) found that 69% of business leaders still report that they are not completely prepared to support extensive, ongoing remote work.
The first step, then, is to establish proper policies. Remote work policies should, at a minimum, address safe access to sensitive corporate data by requiring the use of virtual private networks (VPNs), enforcing endpoint security and mandating encryption for any sensitive corporate data.
With the rise of consumer privacy laws, remote policies must also improve the controls around how remote workers access, manipulate, share and store consumers’ private data.
2. Train employees on new policies — and enforce them.
It’s important to recognize, however, that establishing policies only goes so far, especially if your employees aren’t aware of them. According to a 2020 survey by Clutch, while 66% of U.S. employees are now working remotely, a full 43% of them have not taken part in any remote training this year.
If policies aren’t enforced, your workers will ignore them. As any seasoned compliance officer can tell you, enforcement is part of the law. And unenforced laws, or corporate policies, erode over time.
3. Create an agile regulatory change management plan.
Business leaders struggle with change management in the best of times, but during major upheavals, old tools and methods often become obsolete overnight.
For regulatory change management (RCM), legacy tools create drag and impede agility. Developed before the last great economic upheaval — the 2007-08 housing crash — legacy RCM solutions were designed as monolithic platforms in order to serve a wide horizontal market. Today’s fracturing regulatory conditions, in contrast, require sector-specific solutions.
Legacy RCM was also intended to be deployed through on-site, consultant-led initiatives, which isn’t an ideal business model during a pandemic. Additionally, most legacy RCM solutions are entirely rules-based and do not leverage advanced tools like artificial intelligence (AI) and machine learning. In other words, agile they are not.
4. Deploy modern, automated tools to accelerate the change cycle.
The pandemic is just the latest in a series of economic upheavals, from 9/11 to the Great Recession and now the pandemic-prompted recession, that have triggered legislative bodies to issue a steady torrent of new regulations.
For instance, according to a Boston Consulting Group (BCG) study, in the financial industry alone, the number of daily regulatory changes tripled from 2011 to 2017, reaching an average of 200 per day. Thus, a critical but often overlooked question those crafting secure remote work policies should ask is: How will we keep up with a fast-changing regulatory landscape?
Unfortunately, this goal is impossible to achieve at scale — which is what remote work requires — using legacy RCM products. “Most firms in the industry will be familiar with the constant feeling of being on a treadmill. A lot of resources are required from a regulatory standpoint just to stay still,” warned Nirvana Farhadi, recognized global influencer in the regtech sector, in a recent editorial for Global Banking and Finance Review.
Legacy RCM solutions require compliance teams (and/or business owners) to manually keep track of, read and interpret each new law, executive order, regulatory revision, enforcement action, etc. Modern SaaS-based regtech solutions, in contrast, hand those tasks off to modern technologies, such as AI, machine learning and cloud-based automation.
Farhadi stated that regtech “provides technologies that facilitate the delivery of regulatory requirements more efficiently and effectively than existing capabilities. In doing this, it provides process automation, reduces the cost of remaining compliant, and streamlines operations to become less reliant on resources that could be better used elsewhere.”
I agree wholeheartedly with Farhadi’s assessment. Once your policies, training, change management practices and technologies are modernized and working in concert, your business will be better positioned to meet the challenges posed by constantly changing regulatory conditions. Then, your business leaders can turn their attention back to where it belongs: your bottom line.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.