Following the 2018 implementation of the General Data Protection Regulation (GDPR) which established new rights for EU citizens regarding the control and processing of their personal data, other governing bodies are implementing similar regulations.
Fast approaching in the United States is the California Consumer Privacy Act (CCPA), which goes into effect in January 2020. The CCPA goes beyond notification of privacy breaches and requires organizations to address how they process data. Companies doing business in California or with Californians now face the challenge of interpreting, evaluating, and incorporating external regulations and requirements into an existing organizational structure.
External Requirements Challenges
The most daunting requirements are the ones mandated by an external source such as a government or industry standard. Consuming external requirements requires interpretation, understanding, definition, and commitment. Ambiguity or extreme specificity can present challenges for business leaders and systems owners to meet the requirements. By applying a requirements management and analysis methodology to the regulation preparation, organizations can respond with agility as they update their business processes to adapt to these changes.
Regulatory requirements are published and enacted with varying degrees of specificity. The problem with this ambiguity is that it amplifies the risk and challenge of addressing the problem. The risks associated can involve fines, negative press, and added costs. Lack of understanding and no concrete roadmap to address the requirements inhibit the ability to create sustainable change throughout the organization. To avoid compliance becoming a burdensome and confusing exercise, companies need to take a rigorous yet iterative approach to identifying the relevance, impact, and priority of regulations and the actions needed to achieve compliance.
Managing Ambiguous Requirements
Implementing a strategic and repeatable approach allows an organization to absorb and manage requirements, even when they seem ambiguous. A pattern of analysis, definition, design, and integration activities lets an organization address evolving regulations in a consistent and systematic way. This aids in maintaining focus and traceability, which reduces risk and generates positive change as solutions are put in place to satisfy requirements.
The GDPR and CCPA are just the beginning of data privacy regulations that the U.S. will encounter. Organizations need a structure and process to facilitate compliance with the laws that are in effect now and those that are around the corner. An organization’s ability to be responsive to external changes will allow it to mitigate the impact to operations and processes. With this agility, organizations remain able to meet business and customer needs, while ensuring adherence to laws and regulations.
RG has been assisting customers with regulatory compliance, including for GDPR, by applying industry-leading best practices for business analysis which involve business leaders, functional leads, information officers, legal, and regulatory experts to comprehensively assess the need, priority, cost, and impact of compliance activities. Our iterative approach focuses on uncovering the highest priority requirements early and helps ensure that compliance is achieved with the least confusion and impact to ongoing business operations.
LINKProcess™, our proprietary business analysis methodology, provides a framework for organizations to adapt to new compliance regulations and enables them to prepare for future regulations as they are introduced. Learn more about how LINKProcess™ can help your organization.