Compliance in digitalization
Mastering the challenge of digital compliance
Published in: DiALOG - THE MAGAZINE FOR ENTERPRISE INFORMATION MANAGEMENT | MARCH 2019
Introduction
Our world is constantly changing. From time to time, this change is so profound that it permanently shakes up existing structures and processes; we then speak of a revolution, such as the "Industrial Revolution". Such a process does not happen overnight: it sends out its harbingers and then progresses ever faster and more drastically. With digitalization, we are once again in such a situation. This time the situation is exacerbated by the fact that humanity is now much more closely and directly connected globally in terms of business and communication. In addition to the technical possibilities of digitalization, globalization and worldwide networking must also be taken into account. It is precisely this circumstance that significantly increases the complexity already inherent in digitalization, particularly because of its unpredictability. On top of this comes the requirement to comply with existing legal and regulatory requirements throughout the digitalization process, and to demonstrate that compliance. How exactly this should work has so far been anything but universally clarified.
It is therefore important to find a system that allows these circumstances to be taken into account generically on the one hand and offers certainty for decision-making and action in the here and now on the other.
Initial situation
The challenge for compliance in digitalization is the virtualization of previous processes and the consequences this has for legal and audit security, as well as for demonstrating compliance as a whole. In this context, the following risk factors stand out in particular:
- Lack of physical features that can be used for secure identification or authentication;
- Lack of familiar, natural protective barriers such as borders and premises;
- Global networking and access options;
- New security risks (e.g. espionage, manipulation, vulnerability);
- Ongoing changes in technology, most of which are not synchronized with one another.
Simply mapping existing processes one-to-one into the digital world is therefore not enough. Measures must be taken to control these factors.
What needs to be done?
The answer is to set up a development and control process for the appropriate interaction between technology and organization.
A fundamental key factor in this process is to ensure sufficient transparency and traceability. On the organizational side, this means comprehensive procedural documentation; on the technical side, sufficient control options and system logs. The required structure depends on the case-specific and usually individual situation, which can be determined using the following procedure:
Compliance factors arise, among other things, from the laws and regulations to be complied with, standards and norms, contractual agreements and socio-economic circumstances.
The relevant risk factors of digitalization are more difficult to determine for individual cases. In Germany, for example, the established IT baseline protection methodology (IT-Grundschutz, published by the BSI, the Federal Office for Information Security) is used to determine information security risks.
Attention must also be paid to the design:
- The measures for transparency and traceability should be verifiable and resilient. To this end, it is advisable to obtain assurance from the relevant experts, particularly in matters relating to laws and public regulations.
- The process should be precisely defined, both technically and organizationally, in terms of its mode of operation and its scope of effect.
In addition, reference should be made to two corresponding standards:
- ISO 27001 Information technology - Security techniques - Information security management systems - Requirements
- ISO 19600 Compliance management systems - Guidelines
Managing complexity
The complexity of the compliance process for digitalization can already be significantly reduced using the structured and systematic approach described above. However, this alone is not enough, as it only represents a static snapshot. The next step is the dynamic component: taking ongoing changes into account in a timely manner. To do this, it is advisable to set up a control loop. The PDCA model (Plan-Do-Check-Act) is used for this in a number of ISO standards (such as ISO 27001/27002).
Supplementary measures
Depending on the economic, legal and ethical impact of digitalization, it may make sense to have your measures confirmed by an expert third party. To ensure that such an expert opinion is reliable, it is advisable to pay attention to the following points:
- The expert must be neutral and independent.
- The assessment procedure must be transparent and comprehensible.
- The assessor may not audit and/or certify their own consulting services.
Various models are available for such an approach, and the choice can be made on a case-by-case basis. Some approaches, such as those recommended by ISO standards, are simply too costly for small organizations and would not be economically viable. In principle, however, such standards should always be used as a guide. For this purpose, more flexible models are suitable that focus on economic appropriateness and on actually providing proof of legal and audit security. Ideally, such models also show how far they cover the content of the relevant ISO standards. One such procedure is offered by the industry association VOI Verband Organisations- und Informationssysteme e.V. with the VOI PK-DML compliance method, which covers the design, testing and certification of "digital document processes and IT solutions".
Conflict situation
Conclusion
Compliance does not happen by itself and must be designed individually for each organizational form. Developments in recent years, such as the GoBD (the BMF "Principles for the proper management and storage of books, records and documents in electronic form and for data access") and the EU GDPR (General Data Protection Regulation), clearly show that not only is concrete evidence of proper operation required, but violations are also to be punished effectively, quickly and severely. Compliance in the context of the use of IT (IT compliance) requires new technical, organizational and economic measures and active action on the part of organizations. A significant part of success lies in the involvement and motivation of all employees and the creation of a genuine compliance culture. This leads to the realization that, in the context of digitalization, systematic "compliance management" should in future be understood as an indispensable field of action at top management level.
Dipl. Inform. Ralf Kaspras is the owner of InnoDataTech. Ralf Kaspras is a management consultant for information technology, specializing in IT compliance and information security. He has been involved in the professional association VOI e.V. (Bonn) since 1997, developing best-practice procedures in the field of IT compliance.