Looming GDPR puts renewed focus on Sarbanes-Oxley compliance
There are countless data security regulations specific to their given industries, but in the world of finance – particularly US-based international finance – Sarbanes-Oxley rules. Though SOX has been in place since 2002, increased reliance on cloud computing, as well as the upcoming introduction of the EU’s General Data Protection Regulation, has made it more relevant than ever.
SOX is a perfect bridge protocol for companies undergoing a GDPR compliance audit in preparation for the May 2018 deadline – and that means anyone who does business with the EU. While SOX was once a primarily finance-oriented regulation, with more data in play today than ever before, the need for internal controls and regulatory compliance is greater as well.
SOX compliance audits cover a number of different areas, including proper financial disclosures, internal controls, and management certifications, but the IT aspects are the most relevant component for the post-GDPR world. Auditors review infrastructure, IT systems, and policies, and they also verify that policy administrators are properly certified.
Part of what makes SOX so relevant 15 years after its institution is that it’s a relatively non-specific piece of legislation – in other words, it doesn’t say exactly how data has to be stored or what security practices a given business needs to use. This open-ended format means that despite significant changes in standards since its passage, it hasn’t been structurally nullified. If anything, it’s gained applications with the growing data industry.
GDPR: The European Angle
So what does a 15-year-old American law have to do with new EU compliance regulations? The GDPR is meant to standardize data privacy laws across the EU, but due to security concerns, any country or individual business that intends to do business with a member of the EU needs to maintain comparable standards. There are several equivalent frameworks accepted under the EU-US Privacy Shield.
Among the acceptable frameworks are the existing Swiss-US shield, self-certification through the Department of Commerce, or by meeting the terms of other relevant industry regulations, such as HIPAA or PCI DSS. Essentially, if your business or charity already conforms to industry protocols, those terms will generally be acceptable to EU businesses. It is, however, valuable to undergo a complete audit to prove your readiness to partner companies. Still, for most companies, it’s likely you’re already doing what you need to do.
With so many ways for a business to certify itself secure vis-à-vis the GDPR, why choose SOX? Compared to many of the other options, SOX is a proven framework that works to the advantage of businesses, rather than in an oppositional fashion. In fact, studies show that voluntary compliance with SOX actually saves businesses money, even for small businesses that often find compliance burdensome, particularly regarding data.
Because SOX allows for significant flexibility in terms of protocols and infrastructure, small businesses can choose systems appropriate to their scale and employ corresponding levels of support. For example, in the EU, most companies need a data protection officer (DPO) on staff, but US businesses are not mandated to employ DPOs. And while many other regulatory frameworks outline the specific security practices a business must use, the flexibility accorded by SOX means companies are likely using a higher standard of security than their competitors.
The GDPR won’t go into effect until late May 2018, so we’re yet to see how it will play out in US-EU business interactions, but presently businesses need to act more aggressively to complete certification. Audits aren’t quick, and most companies have at least a few infractions to deal with. Ultimately, the GDPR may help standardize US data protections for businesses outside of healthcare where regulations have been looser in recent years, benefitting customers on both sides of the Atlantic.