Customer Misconception: A Compliance Officer is Unnecessary – Selling Information Disposition by the Book (vol. 11)
By Bob Johnson
NAID members rated this issue as tenth in our survey of misconceptions that prevent them from providing service to their customers and prospects. Personally, I think it is in reality much higher. I believe that if every company had a person on staff responsible for the organization’s compliance, there would be a lot more data destruction occurring.
Information Disposition makes it very clear that the assignment of a compliance officer should be a major priority. It not only describes why all data protection regulations require it, it describes what will happen if there is a data breach and it is discovered that there was no compliance officer appointed.
As early as page 14 of Chapter 1, we read:
Designation of Accountability
HIPAA and GLB require organizations to appoint an individual to be responsible and accountable for compliance. Of course, from a practical perspective, it is easy to understand why that is important. Without a person assigned accountability for compliance, it would be very difficult if not impossible to achieve and enforce.
In the event of a data security breach or an audit, regulators will almost certainly first ask to speak to the individual responsible for the organization’s compliance. Of course, admitting that accountability has not been designated, in addition to being non-compliant with the regulation, is also very likely to be considered negligent, and, in the case of HIPAA, could well rise to the level of Willful Neglect.
Not all regulations are as clear as HIPAA and GLB on the issue of assigning internal compliance accountability. However, even where that is the case (FACTA and state laws), practically speaking, it is still incumbent on an organization to assign such accountability. Were there an investigation into a violation of a data protection regulation, an organization should still expect investigators to be interested in speaking to the person who is responsible for compliance. Though having not designated such a person may not technically violate the law, it would certainly reflect poorly on the organization simply because it is unreasonable to expect that compliance could have been achieved without someone responsible to make sure of it.
Assigned accountability, even when not required specifically, is a de facto necessity insofar as the absence of such accountability would likely be deemed unreasonable, even negligent, if there were ever a non-compliance determination.
How could any customer read that and ignore their responsibility to assign such accountability? Certainly some will continue to disregard this obligation (at their own peril), but they will no longer do so with a clear conscience or with plausible deniability.
July 6, 2017