Compliance as a competitive advantage or a risk factor?

IT security, GDPR and data protection: these are all terms in frequent rotation across both the media and the business landscape. But what do they mean? And how do you, as an organization, ensure that your approach to GDPR, for example, becomes a competitive advantage rather than a risk factor?

Let’s start by describing what these terms are about. Colloquially, the general term “compliance” is used a lot when data or security rules and measures are described: rules that we know are there for a reason, but in some cases we don’t really know why. Compliance is actually a pretty good term in this sense, and it can be phrased as something like “in full accordance with the rules in force”.

Last year, compliance was on everybody’s lips. And just like the polemics around IT security at the turn of the millennium, many doubted whether the General Data Protection Regulation (GDPR) would put a heavy burden on the business landscape and make things break down after May 25th, 2018, when the rules came into effect.

As with the millennium issue, the business community hasn’t broken down, but we obviously need to be aware that the new reality comes with increased risks for businesses, for example related to inadequate data security. On the other hand, the stricter rules within several areas, as well as the increased focus on compliance, have created opportunities for other competitive advantages.

A competitive advantage

But how can compliance be a competitive advantage? It can, for example, in cases where your organization chooses suppliers and partners that live up to new or revised rule sets, or even operate with higher levels of security than what is obligatory. This is especially applicable when you buy cloud-based / SaaS solutions that comply with the legislation for the new IT reality.

As an example, it means that you can quickly, provided the SaaS provider is on top of their game, begin to operate in markets where it might be complex to comply with local interpretations of international rules, as in the case of GDPR. These can vary a lot between countries. It is also a fact that most businesses prefer to cooperate with suppliers and partners that have their security in place. In other words, if you can document a high level of IT security with your suppliers and partners, especially the most important ones, there will be instances where you can take advantage of this fact in sales situations.

Choose the right supplier

When you choose a supplier of cloud software, it is very important to do business with someone who has the necessary resources to secure your data. Obviously, some categories and business areas are more critical than others, given the types of data that are processed. However, it is very important that your business is fully covered in all areas where you use external parties to process data.

Therefore, it is highly recommended that you enter into individual data processor agreements (DPAs) that comply with the rules and interpretations applicable in the countries in which you operate. Several standards and certifications can serve as guidance if you want to make sure that the supplier you choose lives up to current rules, legislation and sound IT practice. The outstanding SaaS suppliers will, however, offer you the opportunity to enter into a fully covering data processor agreement (DPA) upfront. Remember that.

Some suppliers even choose to go further and have themselves ISAE 3402 Type II certified. This can happen as a direct response to demands from customers and business partners, but the reason can also be that the business wants to send a signal of high credibility to the market. This specific certification is an international standard for IT service providers where a high level of security and control is needed. This is especially important within more sensitive industries like banking and finance, telecom or the public sector. The certification will ensure that the supplier lives up to its responsibility for securing the “cloud” infrastructure on several parameters, including data security.

Our concluding recommendation is that you thoroughly investigate potential suppliers’ approach to data security as early as possible in your research phase. This can potentially save you time and resources later in your buying process. It is a banal piece of advice, but nonetheless perhaps the most important one.