A Compliance Guide
Whether you’re just starting a business or are already a business owner, knowing the ins and outs of compliance is a necessity, not just a nice-to-know. It can make or break many companies, especially if you’re expecting government contracts. Not knowing the fundamentals of compliance can sidetrack your plans for growing that Fortune 500 company.
We’re going to break down the different website compliance offerings out there. Whether you’re developing a healthcare software company or desktop application, here are the website compliance topics you should know.
What is compliance?
Just so we’re clear, we won’t be covering ADA (Americans with Disabilities Act) compliance in this article, which requires your website to be accessible to everyone. This article is focused on the specific compliance needs that you’ll run into as a company that works with federal governments, healthcare providers, global operations, or cybersecurity.
Who is accountable for your GDPR compliance? If your answer is no one, that’s not good. People have the right to see the data that you are collecting on them and how you’re using it.
We’ll be covering the data protection requirements and guidelines, and the processes and procedures, required by each of these governing bodies:
GDPR Compliance Guide
What is GDPR Compliance?
In 2016, the European Union adopted new rules to protect the privacy and personal data of its citizens. This originated from a lack of overall trust in the companies handling that data. The new EU requirements stressed the need for consent given by the citizen, and that the consent can be withdrawn at any time and the data deleted. If a data breach does occur, it must be announced to all parties involved.
GDPR (General Data Protection Regulation) exists to protect the personal data and privacy of EU citizens. If you do business with Europe, you’ll have to comply with this one. As a company, you’re responsible for providing a “reasonable” level of protection for personal data such as IP address, Social Security number, physical address, or name. This is to protect consumer rights, so that companies can’t take advantage of the data they collect and leverage it without informing their users. Otherwise, fines are levied on any company that breaches the GDPR guidelines.
If your startup or business processes personal data, make sure that you are doing everything in a lawful, fair, and transparent way. Only collect the data that is necessary. And have a structure in place that allows for the destruction of data once the purpose of the collection is fulfilled, or when deletion is requested, and for providing access to the data when it is requested.
If you are processing a significant amount of personal data at your organization, it is recommended that you have a Data Protection Officer in-house. If not, a third-party data protection officer like IT-SVC can handle those duties as a GDPR consultant. But you had better make sure that they’re compliant as well, because if they aren’t, you aren’t.
HIPAA Compliance Guide
What is HIPAA Compliance?
HIPAA (Health Insurance Portability and Accountability Act) was adopted by the U.S. Department of Health and Human Services (HHS) to “develop regulations protecting the privacy and security of certain health information.” Companies that create, maintain, and process protected health information (PHI) must have strict security safeguards in place to ensure patient confidentiality is treated with the utmost importance.
HIPAA is designed to give organizations a way to adopt new technologies while also protecting the privacy of individuals’ health information. If a breach of PHI does occur, the HIPAA Breach Notification Rule must be followed. If it is not, HIPAA penalties can cost a company up to $50,000 for each “willful neglect” violation.
As with GDPR compliance, if you’re working with a third-party Business Associate (i.e., an IT contractor, billing company, or accountant) or Covered Entity that transmits health information on your behalf, they must also have the technical, physical, and administrative safeguards in place to adhere to the HIPAA Privacy Rule.
NIST Compliance Guide
What is NIST Compliance?
NIST (National Institute of Standards and Technology) publishes a set of rules and recommendations for standardizing the way that information is processed at federal agencies. Most notable is its widely adopted NIST Cybersecurity Framework. While protecting innovation, NIST’s mission is also to make sure that any companies that provide products or services to the federal government meet the security standards set by NIST.
What companies are required to be NIST compliant? Any companies that work in the “federal supply chain, including prime contractors, subcontractors, and subcontractors working for another subcontractor.” For all of these, NIST compliance is mandatory. That means that if you are seeking federal contracts, you must provide the proper documentation to be eligible, including proof of NIST 800-171 compliance. NIST 800-171 covers the protection of “Controlled Unclassified Information” (CUI), defined as information created by the government, or by an entity on behalf of the government, that is unclassified but needs safeguarding.
Going through the process of NIST compliance at your small or medium-sized business has many benefits even if you aren’t working directly with federal agencies. NIST standards are industry standards across IT departments; following them keeps your company compliant and minimizes security risks. You’ll also be well-positioned to handle incoming cyber attacks and other cyber threats.
CMMC Compliance Guide
What is CMMC Compliance?
CMMC stands for “Cybersecurity Maturity Model Certification.” It is a cybersecurity standard that companies are required to adopt in order to operate in government supply chains. Unlike NIST, the CMMC model has five levels, each building on the last. They are cumulative and compounding, with each level adding procedures to the cybersecurity protocols of the one below it. NIST and CMMC do share many similarities, though.
If your company is currently working with, or planning to work with, the Department of Defense (DoD), CMMC compliance should be at the top of your list. If you can’t manage it in-house, at least hire a trusted third-party contractor to manage and maintain your status. The DoD now requires all defense contractors and vendors to be CMMC compliant before working with them. Without a valid CMMC certification, you’ll be barred from bidding on, winning, or participating in a contract.
Complying with the CMMC framework signals to the Department that you are taking the necessary precautions to protect sensitive Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) within your unclassified networks.
For many DoD contractors, or companies seeking CMMC compliance, outsourcing this cybersecurity work to a CMMC consultant is going to be a money-saving endeavor. Why? Because many companies lack the in-house IT resources and expertise to meet the requirements needed to achieve this level of cybersecurity.