The EU approves 80 directives, 1,200 regulations, and 700 directions each year, on average, while in the UK, an average of 3,000 statutory instruments - the country’s primary method of making laws - are introduced in the same timeframe.
Industries, as well as individuals, must abide by a wealth of various laws, rules and regulations designed for a multitude of different reasons. Whether imposed by governments, regulators or by businesses themselves, they affect every area of those industries’ operations.
Banks, for example, must abide by minimum capital requirements set by financial regulators. These describe the amount they need to hold in order to protect their customers and are based on formulae describing the ratio of a bank’s common equity to its risk-weighted assets. Elsewhere, automobile manufacturers must meet regulations around the monitoring and control of vehicle emissions in line with laws governing wider environmental concerns.
Most regulations are designed with the customer in mind. To help ensure patient safety, for example, recent regulations concerning medical devices mean that any anomalies in the functioning of a device must be reported so that, in conjunction with regulations around traceability, the device might be traced from point of manufacture to patient.
And new regulations are being introduced all the time. Following the recent collapse of BHS and its pension scheme in the UK, for example, a cross-party group of politicians is currently considering how corporate pensions can be better regulated to help prevent similar mismanagement occurring again in the future.
Undergoing constant revision
At the same time as new regulations are being introduced, others are regularly being revised.
Perhaps the best known example right now and one that will have an organisational - and potentially legal - impact on any business which holds personal information on residents of the European Union is the General Data Protection Regulation (GDPR), the replacement for the existing data protection directive, due to be enforced in May 2018.
Elsewhere, current European legislation on the labelling of foodstuffs includes the management of allergenic information, with the display of nutritional information to be made mandatory from this December. What’s more, the growing use of radio frequency identification (RFID), quick response (QR) codes, and bio-reactive labels means that future legislation might have to accommodate even more complex labelling technologies.
More recently, many businesses, particularly in the financial services industry, have seen amendments to regulations enabling greater traceability of reported information as a means of improving ongoing performance measures and risk management. The risk data aggregation and reporting principles defined by the Basel Committee on Banking Supervision (BCBS 239), for example, which are being implemented for some banking institutions, incorporate notions of reporting the origins of information and how that information was processed.
Establishing data governance procedures
As they become increasingly pervasive, the adoption of regulations can have a significant impact on an organisation’s business processes. In many cases, compliance implementation teams are challenged with constructing cross-practice project steering groups to develop new corporate policies.
For their part in supporting regulations, IT departments may be required to join together various sources of data for reporting purposes. This data might be held in silos, residing in different lines of business, each of which may be supported by disparate information systems.
It’s important, therefore, that data governance procedures are established across these different sources to support compliance processes. According to Gartner, data governance is the specification of decision rights and an accountability framework to encourage desirable behaviour in the valuation, creation, storage, use, archival and deletion of information. It includes the processes, roles, standards and metrics that ensure the effective and efficient use of information in enabling an organisation to achieve its goals.
This would involve locating relevant information and establishing its authority by documenting its intended usage, any security requirements, and the levels of quality acceptable for supporting compliance. A company-wide information policy would need to be implemented and its performance measured, and the information itself should be distributed for the purposes of internal audit, stress testing and compliance reporting.
Those data governance organisations or councils undertaking such a project may, however, find themselves facing a moving target as they attempt to anticipate the organisational and technical changes required to address further regulatory amendments. It is important, therefore, that they plan for future change from the start.
Delivering additional benefits
Compliance projects may be seen as a necessary cost of doing business, but consideration should be given to the technologies required to support them and the additional value that these technologies might deliver. After all, while compliance solutions based around addressing a single piece of compliance might provide short-term wins, they will often lack the flexibility to deliver additional business benefits and may be unable to provide the functionality needed to anticipate future amendments and changes in regulatory directives.
Regulations around traceability in the pharmaceutical industry, for example, offer benefits from both a commercial and brand protection perspective. Not only are they clearly useful to consumers, but deeper levels of information regarding composition, manufacture and labelling might also help in identifying counterfeit products. And in the financial services industry, the application of Customer Due Diligence procedures for risk management and compliance offers a chance to develop richer information which can be used to support the development of commercial opportunities.
Taking advantage of compliance initiatives
Businesses today are awash with laws, rules and regulations of various types, designed for various purposes, the majority of which require certain standards of compliance to be met. With regulations being regularly amended, it’s important to plan for the future and to support best practice data governance with tools that allow additional flexibility in the way that information might be collected, enriched and exploited.
By adopting a principle of good data governance, an organisation should be able to comply with anything asked for by a regulator, and compliance will essentially become a by-product of an ongoing process. With the right approach, it’s possible for businesses to take advantage of compliance initiatives to help promote data governance internally as a benefit to the business, enabling stakeholders to manage their data to support business processes as well as simply keeping the regulators happy.