In today's world, all large and small companies are required to show and prove constant compliance to do or sustain business. The task may be somewhat easy for large companies by hiring more employees to achieve; small businesses do not have the luxury to hire more people at competing rates with large companies as well as reduced revenue.
Having worked for several small businesses over a decade and helping non-profits; I have seen several challenges, pains, disruptions to business and even fear! I am sharing some effective ways that have worked for several SMBs I have worked for. Simplifying work items is a big step in right direction.
- Establish Common Language: Whether its GDPR or SOX or HIPPE, common language is critical. In an ideal world, privacy and security program is one. Though it usually not the case. Work with your Chief Privacy Officer & Chief Security Officer together to establish standard language when describing goals, action items, and writing policies and procedures. Different speak increase confusion. Keep balance between technical and business speak.
- Training & Education: If you ask anyone in the industry, they all will mention training and education as one of the key elements for successful privacy or security program. Most small business have an annual training session for all employees to check their training requirement. However today, it isn’t going to cut it. Not only training employees, including vendors and contractors, needs to be continuous program; it also has to be focused. Establish focus group trainings for management, committee, developers, quality assurance, and business managers. Email blasts, posters, news flash of incidents are helpful.
- Documentation: Everyone hates documentation, whether they are business teams or developers. All businesses have something valuable to protect including personal information, proprietary product information, employee data and more. Documenting business process how that valuable information flows, what happens to it, who has access to that information? Such documentation will assist in identifying compliance action items. It so happens, most of the time the information is not even required but is collected; adding liability. For example, several tools can build documentation from product code & comments in the code.
- Internal Reviews & Audits: Once a process is established, policing it is important. Check, audit the documentation, processes, data and information collected to ensure established controls are implemented correctly and are working. Identify gaps to remedy.
- Continuous Evaluation: Evaluate established controls, common language. Keep the loop open to allow employees to provide feedback, allow documentation to work instead treated as overhead, implement issues ad gaps noticed in audits.
All the steps when becomes part of DNA, allows the controls implementation to become efficient and lean. In order to do so, steps shared needs continuous repetition to become part of the process.
In past I have shared similar thoughts in an article on linkedin. Nothing is sure shot or quick, it takes are lot of repeated work, training and re-evaluation to succeed!