Ensure Customer Data Privacy Compliance with UCF
As tech companies expand into new industries and geographies looking for new revenue streams, I have started receiving a lot of compliance questions…and I don’t usually have a good answer. Questions include:
- My TSEs need to start taking credit card numbers, what is involved in PCI compliance?
- We are expanding to Europe or Asia next year, what are the guidelines to storing customer data and how is it different from the US?
- We are launching a product line for Healthcare and need to know what changes are required for our support operations to be HIPAA compliant?
- Our Canadian customers don’t want their data stored on US soil and be subject to the Patriot Act. How does this work?
- We just found out states have different privacy regulations for consumer/customer data, how do we know we are compliant in all 50 states?
Between HIPAA, financial services privacy legislation, BASEL II in Europe, Sarbanes-Oxley, and a million other federal, state and international regulations, navigating compliance is increasingly complex. And add to this internal requirements for compliance with ITIL or ISO and most companies end up paying hundreds of thousands of dollars to consultants for internal compliance audits. One ITIL and Sarbox auditing firm, who I had the misfortune of doing a speaking tour with a few years back, opens and closes every presentation with: “If you don’t have us come in and audit your operations your CIO will go to jail!”
When a firm wins business using such ridiculous scare tactics, you know paranoia about compliance is very high.
I’m thrilled to say I finally have a good answer for all the member companies struggling with compliance. I had a briefing this week with Craig Isaacs from UCF: the Unified Compliance Framework. The Unified Compliance Framework is a compliance database that reduces the cost and effort of compliance by identifying the smallest set of common controls necessary to meet your compliance requirements. The UCF organizes real-world processes into Impact Zones. Each deals with one area of policies, standards, and procedures. For customer privacy alone there are 490 applicable UCF common controls that were derived from 45 different state laws, over 50 international authority documents plus Payment Card Industry and HIPAA requirements among others. In addition, the UCF team strives to work directly with as many of the rule makers as possible, to ensure that their original intentions for the authority documents they created are transferred and translated correctly within the UCF.
Compliance requirements are separated by industry, and a simple spreadsheet-type interface lets you identify all the applicable requirements that apply to you and what the ramifications of each are. It is a dizzying amount of complex information, all arranged in an easy point-and-click user interface. The product is available for individual users and via enterprise license, and quarterly updates are provided to keep all of the regulations current and accurate.
I would encourage all of you to check this out, and give UCF a try before resorting to outside consultants to assess your compliance in any area. For companies interested in pursuing new industries–especially health care and financial services–spend some time in UCF to understand these industries and the cost of compliance before making the decision. Let me know if you have any questions or comments, and as always, thanks for reading!