What Is Compliance Management?
Compliance management aligns organizational procedures and policies with specific rules, standards, and laws. It helps organizations apply the requirements relevant to their business, industry, and jurisdiction and ensure their staff follow these rules.
Compliance management involves setting and enforcing various mechanisms, including procedures, policies, internal and external audits, documentation, technological enforcement, and security controls. The goal is to ensure and verify compliance across the organization, demonstrate compliance to external auditors, and protect the organization from compliance risks including fines, penalties, and reputational damage.
Why Is Compliance Important?
Here are key benefits of regulatory compliance:
- Increased customer confidence—organizations that achieve regulatory compliance can demonstrate to stakeholders that they meet specific standards, often backed by certification or attestation from an independent assessor or regulatory body. Following these regulations helps prove the organization’s ethics, integrity, and reliability, thus strengthening the organization’s competitive position.
- Complying with regulations—regulatory compliance is mandatory for certain industries and jurisdictions. Each organization must comply with certain regulations within its business and economic landscape. Healthcare organizations and financial institutions, for example, must comply with data protection, consumer privacy, and cybersecurity requirements.
- Addressing compliance risk—noncompliance with regulations may result in disciplinary action such as license revocations, lost customers, financial penalties and losses, and damaged reputation. An effective compliance program protects the organization against these risks.
- Improving security—all organizations are exposed to the risk of cyber attacks, security breaches, and consequential data loss. Complying with regulations and industry standards acts to tighten an organization’s security controls and improve its security posture. This reduces the risk of successful cyber attacks, which can cause major damage to an organization.
Learn more in the detailed guide to regulatory compliance
What is Governance, Risk Management and Compliance (GRC)?
Governance, risk, and compliance (GRC) helps organizations handle the interdependencies between enterprise risk management programs, corporate governance policies, and regulatory compliance.
It involves creating a synthesized approach to coordinating the people, technologies, and processes required to manage governance, risk and compliance, minimizing the inefficiencies and miscommunications of a siloed approach.
Data governance involves managing data availability, usability, security, and integrity in enterprise systems. Organizations implement data governance to ensure data is used and accessed according to their unique data standards and policies. It helps ensure data remains:
- Consistent and trustworthy
- Protected from unauthorized access and modification
- Compliant with data privacy regulations
A data governance program usually consists of:
- A governance team
- A steering committee acting as the governing body
- A group of data stewards
All parties involved collaborate to create data governance standards and policies. Data stewards are primarily responsible for implementing and enforcing these procedures. Other roles across the organization may be involved in this process, including executives, data management teams, and IT staff.
Learn more in the detailed guide to Governance, Risk and Compliance (GRC)
Compliance Frameworks
A compliance framework includes a set of guidelines describing organizational processes for complying with regulations, legislations, and specifications. It details all regulatory standards relevant to the organization, and the internal controls and procedures the organization sets in place to achieve compliance. A compliance framework may include:
- Communication processes
- Governance practices for maintaining compliance
- Risk controls
- A list of compliance processes that overlap
ITGC and Internal Controls
Internal controls consist of all organizational rules, procedures, and mechanisms implemented to promote accountability, ensure financial and accounting information integrity, and prevent fraud. Here are key functions of internal controls:
- Achieve compliance with rules and regulations
- Prevent employees from committing fraud or stealing assets
- Improve the timeliness and accuracy of financial reporting
Information technology general controls (ITGC) are the internal controls over the IT environment on which financial and operational applications depend. Auditors test ITGC to decide whether the application-level controls, and the data those applications produce, can be relied on. Here are key areas ITGC covers:
- Access control to data, applications, computing infrastructure, and physical facilities.
- Security and compliance.
- Change management controls.
- Operational controls for computing systems.
- Backup and recovery.
Separation of Duties (SoD)
Segregation of Duties (SoD), also called separation of duties, is an internal control that helps organizations prevent errors and fraud in financial transactions. Its core principle is that no single person should be able to complete, on their own, a critical task that can affect financial reporting or has financial consequences: at least two roles must take part.
SoD ensures that no one individual has too much control. Organizations achieve this by splitting a process into steps assigned to different people, or by requiring sign-off from a second party before a step completes. Where a combination of access rights cannot be avoided (small teams, on-call administrators), a compensating control such as mandatory second-person approval and an independently reviewed audit trail should be put in place. SoD should be applied first to the most sensitive, business-critical processes, such as payment approval, vendor master data, production deployment, and administration of privileged access.
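The control only becomes enforceable when the access model is checked for "toxic combinations": permissions that are harmless on their own but violate SoD when one identity holds both, typically because two individually acceptable roles were stacked on the same account. The following is an added example written for this page, not code from the article or from any GRC product; the roles, permissions, users and the conflict ruleset are constructed for illustration.

```python
"""Segregation-of-duties (SoD) check over role assignments.

Added example written for this page; it is not code from the article or
from any GRC product. The roles, permissions, users and the conflict
ruleset below are constructed for illustration.
"""
from itertools import combinations

# Constructed SoD ruleset: pairs of permissions that one identity must
# never hold together, with the fraud or error scenario each pair enables.
SOD_RULES = {
    frozenset({"vendor.create", "payment.approve"}): "create a vendor and approve payments to it",
    frozenset({"payment.create", "payment.approve"}): "initiate and approve the same payment",
    frozenset({"code.merge", "deploy.prod"}): "merge code and push it to production unreviewed",
    frozenset({"iam.grant", "auditlog.delete"}): "grant access and erase the audit trail",
}

# Constructed role -> permission mapping. Each role is acceptable on its
# own; conflicts arise only when roles are combined on one identity.
ROLES = {
    "ap_clerk": {"vendor.create", "payment.create"},
    "ap_approver": {"payment.approve"},
    "developer": {"code.merge"},
    "release_manager": {"deploy.prod"},
    "iam_admin": {"iam.grant"},
    "log_admin": {"auditlog.delete"},
}

# Constructed user -> roles assignments to review.
ASSIGNMENTS = {
    "alice": ["ap_clerk", "ap_approver"],       # can create a vendor and pay it
    "bob": ["ap_clerk"],
    "carol": ["developer", "release_manager"],  # can ship unreviewed code
    "dave": ["developer"],
}


def effective_permissions(role_names, roles=ROLES):
    """Union of the permissions granted by every role the identity holds."""
    perms = set()
    for name in role_names:
        if name not in roles:
            raise ValueError(f"unknown role {name!r}")
        perms |= roles[name]
    return perms


def sod_conflicts(role_names, roles=ROLES, rules=SOD_RULES):
    """Return (permission_a, permission_b, reason) for every rule that the
    identity's combined permissions violate, sorted for stable output."""
    perms = effective_permissions(role_names, roles)
    found = []
    for pair, reason in rules.items():
        if pair <= perms:  # both halves of the toxic pair are held
            a, b = sorted(pair)
            found.append((a, b, reason))
    return sorted(found)


def review_assignments(assignments, roles=ROLES, rules=SOD_RULES):
    """Detective check: map each user with an SoD violation to their conflicts."""
    report = {}
    for user, role_names in assignments.items():
        conflicts = sod_conflicts(role_names, roles, rules)
        if conflicts:
            report[user] = conflicts
    return report


def conflicting_role_pairs(roles=ROLES, rules=SOD_RULES):
    """Preventive check: role pairs that must never be co-assigned, to be
    consulted at provisioning time before an access request is approved."""
    return sorted(
        (r1, r2)
        for r1, r2 in combinations(sorted(roles), 2)
        if sod_conflicts([r1, r2], roles, rules)
    )


if __name__ == "__main__":
    for user, conflicts in review_assignments(ASSIGNMENTS).items():
        for a, b, reason in conflicts:
            print(f"{user}: holds {a} and {b}; could {reason}")
    print("never co-assign:", conflicting_role_pairs())
```

Running the review over a real identity provider export works the same way: export user-to-role and role-to-permission mappings, keep the ruleset under change control like any other policy, and treat each reported conflict as a finding that must be either removed or covered by a documented compensating control.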
Data Privacy Regulations
Here are some of the main regulations governing data privacy around the world.
The European Union: GDPR
The General Data Protection Regulation (GDPR) is a unified, EU-wide data privacy legislation. The European Parliament approved the GDPR in April 2016, and the law came into effect in May 2018, replacing the 1995 EU Data Protection Directive.
The GDPR aims to ensure business transparency and expand individuals’ rights over their data. It requires organizations to notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it, and to notify the affected individuals without undue delay when the breach is likely to result in a high risk to them. The GDPR applies to the personal data of people in the EU, regardless of their citizenship or of where the processing organization is located, whenever it offers them goods or services or monitors their behaviour; it also applies to any processing carried out by an establishment in the EU.
California: CCPA
The California Consumer Privacy Act (CCPA) is a California state law defining the rights of residents over their personal information. It was signed into law in June 2018 and took effect on January 1, 2020. The CCPA guarantees California residents several rights to control their information, including:
- Knowledge of the personal information collected.
- Knowledge of the disclosure or sale of their information.
- Right to refuse the sale of information.
- Access to personal information.
- Rights to equal service and price.
Learn more in the detailed guide to CCPA compliance
Brazil: LGPD
The General Law for the Protection of Personal Data (Lei Geral de Proteção de Dados Pessoais, LGPD) is the Brazilian data protection law, in force since September 2020, with administrative sanctions enforceable from August 2021. It imposes obligations similar to the GDPR on the handling of personal data. The LGPD applies to any organization processing the data of individuals in Brazil, regardless of where the organization is located.
Failure to comply with the law may result in fines of up to 2% of the organization’s revenue in Brazil for the previous fiscal year, capped at R$50 million (approx. $12 million) per infraction.
Japan: APPI
The Act on the Protection of Personal Information (APPI) is Japan’s general data protection law, often compared to the GDPR, and imposes privacy and security obligations on any individual or organization handling the personal information of people in Japan. The APPI applies broadly to the collection, storage, use, and transfer of data. The Act dates from 2003; a 2015 amendment introduced a review every three years, and the amendment passed in June 2020 took effect in April 2022.
The main APPI stipulations include:
- Reporting obligation—companies must report breaches to the Japanese Personal Information Protection Commission (PPC).
- Subject consent—companies must obtain the consent of data subjects before collecting their information. Users must also agree to data sharing.
- Universality—the law applies to foreign individuals and businesses handling Japanese personal data. The PPC can collaborate with foreign authorities to find and penalize offenders.
Canada: DCIA
The Digital Charter Implementation Act (DCIA) is proposed Canadian federal privacy legislation. It includes the Consumer Privacy Protection Act (CPPA), which would regulate how organizations collect, use, or disclose personal information and would replace the privacy provisions of the Personal Information Protection and Electronic Documents Act (PIPEDA). The bill was introduced in Parliament in November 2020 (Bill C-11) and reintroduced in June 2022 (Bill C-27); neither version has been enacted, so PIPEDA remains Canada’s federal private-sector privacy law.
The CPPA’s proposed provisions include:
- Third-party responsibility—third-party service providers must also comply with the DCIA. The company is responsible for all data breaches, including issues with third parties.
- Cross-company awareness—all company executives and employees must be familiar with the DCIA.
- Ethical use of AI systems—the DCIA emphasizes decision-making AI systems, allowing individuals to see how prediction algorithms use their information.
India: PDP Bill
India’s Personal Data Protection (PDP) Bill was introduced in Parliament in December 2019 but withdrawn in August 2022 after extensive committee revisions; its successor, the Digital Personal Data Protection Act (DPDP), was enacted in August 2023. Until the DPDP Act is fully in force, the Information Technology Act 2000 and the rules issued under it remain the basis for data protection in India. Given India’s large population, the law affects many organizations outside India.
The PDP Bill’s provisions included:
- Government exemption—the main difference between the Indian PDP Bill and laws like the GDPR was the power it gave the central government to exempt its own agencies from the regulations, allowing them to collect any data deemed necessary.
- Broad coverage—another point of difference was that the revised bill extended to some non-personal data as well as personal data.
- Hindrance to AI—critics argued that the bill’s limits on data processing would hinder AI innovation in India.
UAE: DIFC Data Protection Law
The Dubai International Financial Centre (DIFC) Data Protection Law (DIFC Law No. 5 of 2020) came into force in July 2020 and applies to entities registered in the DIFC financial free zone. It was modelled on the GDPR, partly to ease data transfers with the EU and the UK, with differences in the rules on appointing a data protection officer and in penalties.
The DIFC emphasizes international business and ease of operations. As the region’s second-largest economy, the UAE expects the legislation to influence data protection practice across the wider Arab world.
Other Compliance Standards
Sarbanes-Oxley Act (SOX)
In 2002 the US Congress passed the Sarbanes-Oxley Act (SOX). It established rules for protecting the public from fraudulent practices of corporations. The legislation’s goal is to increase financial reporting transparency and obligate companies to a formalized system of checks and balances.
SOX compliance is both a legal obligation and good business practice. Companies should behave ethically, and access to internal financial systems should be carefully controlled. Implementing SOX financial security controls has the benefit of protecting the company from insider threats, data theft, and cyberattacks.
Payment Card Industry Data Security Standard (PCI DSS)
In 2004 Visa, MasterCard, Discover Financial Services, JCB International, and American Express jointly published the Payment Card Industry Data Security Standard (PCI DSS). The standard, maintained since 2006 by the Payment Card Industry Security Standards Council (PCI SSC), is intended to secure credit and debit card transactions against data theft and fraud.
PCI SSC has no legal authority; the standard is enforced contractually by the card brands and acquiring banks, and compliance is a must for any business that stores, processes, or transmits cardholder data. Compliance is validated either through a self-assessment questionnaire (SAQ) or, for larger merchants and service providers, through an on-site assessment by a Qualified Security Assessor (QSA) that produces a Report on Compliance confirming that the organization has sufficient security controls to safeguard cardholder data.
Learn more in the detailed guide to PCI compliance
Health Insurance Portability and Accountability Act (HIPAA)
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) sets requirements for US covered entities (health plans, healthcare providers, and clearinghouses) and their business associates that handle protected health information (PHI). Its Privacy and Security Rules aim to ensure the confidentiality, integrity, and availability of individuals’ health records.
The HIPAA Security Rule requires electronic PHI to be protected by administrative, physical, and technical safeguards, including unique user identification, access controls, audit logging, and transmission security; encryption is an “addressable” specification, meaning it must be implemented or its omission justified and documented. The rules apply both to records stored within an organization and to those shared with others, so activities such as emails and file transfers containing PHI must be monitored, protected, and controlled.
Learn more in the detailed guide to health data management
Compliance in Regulated Industries
Some sectors have industry-specific regulations and standards, in addition to the broader data privacy and security standards.
Financial Sector Compliance
Financial service companies are subject to many national and international regulations, which evolve frequently. Each law might define regulated data differently, emphasizing data types like nonpublic personal information (NPI), personally identifiable information (PII), and sensitive personal information (SPI).
Some of the major regulations applying to financial institutions include:
- Know Your Customer (KYC)—required procedures allowing organizations to verify the identity of customers and assess their risk level.
- Anti-Money Laundering (AML)—various procedures, including KYC, to identify and block suspicious transactions.
- Comprehensive Capital Analysis and Review (CCAR)—the Federal Reserve’s annual capital planning and stress-testing exercise for large bank holding companies.
- Basel Committee on Banking Supervision (BCBS 239)—enhances bank risk data collection and risk reporting.
- Sarbanes-Oxley Act (SOX)—applies to all US public companies, including financial institutions, and governs internal controls over financial reporting and the records behind it.
- Gramm-Leach-Bliley Act (GLBA)—requires financial institutions to maintain the security and confidentiality of nonpublic data.
- New York Department of Financial Services Cybersecurity Regulation (23 NYCRR 500)—governs how New York-licensed financial service providers protect nonpublic information from cyber threats.
- National Institute of Standards and Technology Cybersecurity Framework (NIST CSF)—a voluntary framework for managing cybersecurity risk; its companion, the NIST Privacy Framework, covers privacy risk.
- Payment Card Industry Data Security Standard (PCI DSS)—requires organizations to handle payment card data with a set of secure processing, storage, and transfer practices.
Healthcare Sector Compliance
Healthcare providers must comply with various legal, ethical, and professional standards. Maintaining healthcare compliance is complicated due to the constantly changing regulations.
In the US, several state and federal agencies oversee health compliance. These include:
- The Food and Drug Administration (FDA)—the production and sale of medication.
- The Drug Enforcement Administration (DEA)—enforces the Controlled Substances Act, including the registration of prescribers and the handling of controlled drugs.
- The Health and Human Services (HHS) Department—its Office for Civil Rights enforces HIPAA, and its Office of Inspector General audits healthcare providers to detect and prevent fraud.
Some important healthcare regulations include:
- Health Insurance Portability and Accountability Act (HIPAA)—enacted in 1996, protects patients’ confidential data, stipulating how organizations can use, store, and distribute data. It also outlines the penalties for offenses.
- Health Information Technology for Economic and Clinical Health Act (HITECH)—enacted in 2009, strengthened HIPAA enforcement, extended its obligations to business associates, introduced breach notification requirements, and mandated periodic HHS compliance audits. It increased the penalties for noncompliance.
- Emergency Medical Treatment and Labor Act (EMTALA)—enacted in 1986, obliges hospitals to treat and stabilize all emergency room patients regardless of insurance or payment ability.
- Patient Safety and Quality Improvement Act (PSQIA)—enacted in 2005, gives confidentiality and privilege protections to patient safety information reported to Patient Safety Organizations, so that providers can report errors and unsafe conditions without fear of liability.
- Anti-Kickback Statute (AKS)—prevents exploitation of the healthcare system for financial benefit, prohibiting bribes in exchange for referrals for services covered by federal healthcare programs. Violating the AKS is a criminal offense.
- The Stark Law—protects against healthcare abuse and fraud, prohibiting medical practitioners from referring patients to service providers with which they have a financial agreement.
Digital Commerce Compliance
eCommerce is becoming a major part of the economy and has become the focus of several regulations. In the United States, the Federal Trade Commission (FTC) is the government agency that regulates eCommerce activity. It monitors online advertising, eCommerce marketing activities, and guides businesses on how to protect customer privacy.
In the European Union, the General Data Protection Regulation (GDPR) requires any organization that offers goods or services to, or monitors the behaviour of, people in the EU, even if it has no office in the EU, to carefully protect the personal data it collects from them.
The Payment Card Industry (PCI) Security Standards Council has developed the PCI Data Security Standard (PCI DSS), which applies to any organization that processes, stores, or transmits cardholder data. The standard has detailed requirements for proper handling and storage of sensitive data, and organizations must either complete a self-assessment questionnaire or undergo an external assessment, depending on their transaction volumes.
Learn more in the detailed guide to digital commerce
Workforce Compliance
Here are some of the workforce regulations in effect around the world and additional aspects of workforce compliance.
US Workforce Regulations
The following regulations protect workers in the US:
Fair Labor Standards Act (FLSA)
Enacted in 1938, the FLSA establishes a federal minimum wage ($7.25 per hour since July 2009) and standards for recordkeeping, overtime pay, and youth employment. It covers most private-sector and public-sector employees in the US. For non-exempt employees, the FLSA requires overtime pay at not less than 1.5 times the regular rate for all hours worked beyond 40 in a workweek.
Hours worked include all time an employee is required to be on duty or at the workplace. The FLSA requires employers to display the official FLSA poster and to keep records of hours worked and wages paid.
Occupational Safety and Health (OSH) Act
The Occupational Safety and Health Administration (OSHA) enforces the OSH Act, which covers most private-sector employers and federal agencies; state and local government employees are covered only in states operating OSHA-approved state plans. Employers must comply with OSHA standards and keep the workplace free of recognized hazards. OSHA enforces the law through inspections and also offers cooperative programs and compliance assistance.
AB5 and 1099 Contractors
The AB5 employment law came into effect in California in January 2020. It redefines workers’ employment status, with many previously considered independent contractors now regarded as W-2 employees, with the associated benefits and responsibilities.
Employers are responsible for managing workers’ payroll taxes and providing certain benefits unless they can prove they are independent 1099 contractors using a three-part ABC test. Employers who fail to categorize their workers appropriately may face fines.
UK Workforce Regulations
The following regulations protect workers in the UK:
Employment Rights Act 1996
This law consolidates employment rights enactments, covering unfair dismissal, wage protection, redundancy payments, termination, flexible work, Sunday work, and zero-hour contracts.
National Minimum Wage Act 1998
This law sets a UK-wide minimum wage and has been in effect since April 1999. The National Living Wage, introduced in April 2016 as a significantly higher rate for older workers, initially applied from age 25, then from age 23 (April 2021), and from April 2024 applies from age 21.
Employment Relations Act 1999
This labor law extended protections for trade union members and employees against discrimination and dismissal for union activity, and introduced a statutory procedure obliging employers to recognize a trade union where a majority of the relevant workforce supports it. The Labour government enacted the law while preserving parts of its Conservative predecessor’s legislation. Its union recognition regime is considered less stringent than international labor standards.
Off-Payroll Working Rules (IR35)
In effect since April 2000, IR35, or the “Intermediaries Legislation,” targets disguised employment: individuals who supply their services through an intermediary such as a personal service company, but who would be employees if engaged directly, and who thereby pay less tax and National Insurance than an employee would.
Engagements “inside IR35” are taxed as employment, with income tax and National Insurance deducted at source; IR35 is tax legislation and does not in itself confer employment rights such as maternity leave or anti-discrimination protection, which depend on the worker’s employment status. Workers operating “outside IR35” are genuinely self-employed contractors, with the associated rights and obligations.
Reforms in April 2017 (public sector) and April 2021 (medium and large private-sector end clients) moved responsibility for determining a worker’s IR35 status from the contractor to the end client. Many contractors were reclassified as “inside IR35” as a result.
EU Workforce Regulations
While each EU country has its specific legislation governing workers’ rights and employee responsibilities, there is also EU-wide legislation.
The European Working Time Directive (EWTD)
The EWTD regulates working hours and employee rights, including minimum weekly and daily rest time and breaks, night shifts, leave, and overall working hours per week. EU member states are expected to use the EWTD as the basis for their national laws, although each state might enact stricter or more lenient laws. However, across the EU, employers must track workers’ attendance and working hours.
Employee Classification Requirements
In the US there are no state or federal laws defining employee classification into full-time, part-time, and temporary employment. Nevertheless, employers must classify employees consistently across the organization. Employment status determines a worker’s responsibilities and eligibility for employee benefits.
Full-time employment typically refers to anyone working a normal workweek (indefinitely or as per a yearly contract). A regular work week is 40 hours in the US, although organizations can set shorter or longer workweeks (for FLSA-exempt employees). Some organizations classify anyone working more than the part-time employment limit (usually 30 hours, the threshold the Affordable Care Act’s employer mandate uses for full-time status) as a full-time employee. Part-time employees are usually eligible for fewer benefits than full-time employees.
Independent contractors are not considered direct employees and are not on company payrolls. They are usually ineligible for employee and company benefits. However, contractors typically enjoy greater flexibility in terms of working hours, with contracts varying widely in scope, remuneration, and duration.
Payroll Compliance
The payroll process involves calculating employee earnings, deducting taxes, adding bonuses and benefits, paying each employee, and providing payslips. Employers must maintain records on behalf of their employees to keep track of working hours and paid leave.
Each country has different labor and tax laws, making payroll more complicated for international businesses. Some organizations implement global payroll to manage the payroll process across different countries—this simplifies the process and unifies payroll for separate countries.
Global payroll models include:
- Fully owned—the company sets up offices in each country and manages the payroll in-house. This type of global payroll usually involves local experts who handle the requirements in each country.
- Aggregate payroll—the company chooses an aggregator (a middleman) who collaborates with local service providers in each country.
Software Compliance
Software compliance involves ensuring that an organization uses software licenses under the terms set by the provider. For example, organizations must ensure they don’t use more licenses than they purchased.
Software compliance is important for software asset management and typically involves comprehensive software licensing checks to verify that all software installed on a company’s network has the appropriate licenses. Organizations usually maintain a unified record of all purchases with the relevant documentation.
Software products fall into one of two broad license models: commercial licenses and open source licenses.
Commercial Software Licenses
Commercial software licenses apply to software components that an organization pays to use. Organizations purchase licenses to obtain the right to use, and sometimes to modify or redistribute, the software, but these rights are often subject to significant restrictions. It is important to understand what a commercial license allows and prohibits.
There are several types of licensing models available:
- Enterprise (site) license—covers the entire organization, regardless of the number of workstations or users.
- Workstation license—covers a specific workstation with the software installed.
- Concurrent use license—covers a set number of users accessing a system simultaneously (e.g., up to five users allowed, with the sixth denied access).
- Single-user licenses—covers a specific individual using the software (the user usually has a unique login to access the software). This model prohibits different users from sharing a license.
Organizations often hire legal specialists to help them understand their obligations and risks under commercial license agreements. Compliance is especially important for commercial software because the provider is more likely to respond to noncompliance. A software vendor can request a license audit to check if an organization uses its software correctly.
Managers should review contracts closely and ensure employees know the relevant restrictions. Organizations should have an internal process to monitor employee behavior and ensure compliance. For example, there should be periodic internal audits.
Open Source Licenses
There are several types of open source licenses:
- Public domain—the most permissive option. Public domain software has no restriction on use or modification. However, verify that the code really has been dedicated to the public domain (some jurisdictions do not recognize such dedications, which is why tools like CC0 or the Unlicense exist) and review it for security like any other dependency.
- Permissive (Apache/BSD/MIT) licenses—the most popular option. These licenses impose minimal requirements on modifying and redistributing software, typically attribution and retention of the license notice.
- Lesser General Public License (LGPL)—a weak copyleft license. Proprietary software may link to an LGPL library without itself becoming copyleft, but modifications to the library must be released under the LGPL, and recipients must be able to relink the program against a modified version of the library.
- Copyleft—a reciprocal/restrictive license type (e.g., GPL). Copyleft licenses require that modified or combined works, when distributed, be released under the same terms. Typically, this means that proprietary software that incorporates the open source code will itself need to be made open source; the AGPL extends this obligation to software offered as a service over a network. This makes copyleft licenses problematic for businesses that distribute proprietary products, although purely internal use without distribution generally triggers no obligation.
Learn more in the detailed guide to technical due diligence, which can help your organization identify and resolve open source license risk
Open Source License Compliance
Permissive licenses allow for general use and redistribution of code, including under proprietary licenses. Copyleft licenses are at the other end of the open source spectrum, making compliance challenging. It is important to consider the consequences of copyleft code interacting with proprietary code, for example, in dependencies. Dependencies can be direct (the code directly calls the library) or transitive (a dependency of a dependency).
Open source licensing is often open to interpretation, further complicating compliance. Software users must comply with all applicable licenses, including those of dependencies; a permissive top-level license does not neutralize the obligations of components bundled beneath it. Transitive dependencies are usually treated as lower priority in triage, especially further down the chain, but a copyleft component is equally binding wherever it sits in the tree if it ends up in the shipped product.
Ideally, developers should maintain a full software bill of materials (SBOM) listing every component and its license, so that obligations can be tracked, but this is not always practical. Alternatively, they can take a triage approach: analyze risks and prioritize direct dependencies, which tend to be fewer in number but carry the higher-impact obligations. Focusing on these dependencies and embedded products makes compliance more manageable and enables a deeper analysis of compliance issues.
Open source compliance usually emphasizes direct dependencies, with organizations leveraging automated tools to scan for dependencies and software licenses. Tools such as software composition analysis (SCA) can help manage obligations and classify components based on risk. It is important to maintain visibility over open source licenses used in the organization, establish and enforce policies for appropriate use of open source licenses.
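As an added example written for this page (not code from the article or from any SCA product), the following script performs the triage described above over a constructed CycloneDX-style SBOM: it classifies each component’s SPDX license identifier, computes the component’s depth below the application root (depth 1 = direct dependency), ranks findings so that the most restrictive licenses on direct dependencies surface first, and flags copyleft components at any depth because their obligations do not depend on where the component sits in the tree. The SBOM, its fictitious package names, and the small license table are assumptions made for the example.

```python
"""License triage over a software bill of materials (SBOM).

Added example written for this page; it is not code from the article or
from any SCA tool. The CycloneDX-style SBOM below is constructed: the
package names are fictitious, and the license table is a deliberately
small subset of SPDX identifiers.
"""
import json
from collections import deque

# Constructed SBOM: one application root, six components, and the
# dependency graph between them (padlib is reachable by two paths).
SBOM_JSON = """
{
  "metadata": {"component": {"bom-ref": "pkg:pypi/app@1.0.0", "name": "app"}},
  "components": [
    {"bom-ref": "pkg:pypi/httpclient@1.4.0", "name": "httpclient", "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"bom-ref": "pkg:pypi/netcore@3.2.1", "name": "netcore", "licenses": [{"license": {"id": "MIT"}}]},
    {"bom-ref": "pkg:pypi/pdfgen@0.9.0", "name": "pdfgen", "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
    {"bom-ref": "pkg:pypi/ormlite@2.0.0", "name": "ormlite", "licenses": [{"license": {"id": "LGPL-2.1-or-later"}}]},
    {"bom-ref": "pkg:pypi/graphclient@4.2.0", "name": "graphclient", "licenses": [{"license": {"id": "AGPL-3.0-only"}}]},
    {"bom-ref": "pkg:pypi/padlib@0.0.1", "name": "padlib", "licenses": []}
  ],
  "dependencies": [
    {"ref": "pkg:pypi/app@1.0.0", "dependsOn": ["pkg:pypi/httpclient@1.4.0", "pkg:pypi/pdfgen@0.9.0", "pkg:pypi/ormlite@2.0.0"]},
    {"ref": "pkg:pypi/httpclient@1.4.0", "dependsOn": ["pkg:pypi/netcore@3.2.1"]},
    {"ref": "pkg:pypi/netcore@3.2.1", "dependsOn": ["pkg:pypi/padlib@0.0.1"]},
    {"ref": "pkg:pypi/ormlite@2.0.0", "dependsOn": ["pkg:pypi/graphclient@4.2.0", "pkg:pypi/padlib@0.0.1"]}
  ]
}
"""

# Subset of SPDX identifiers grouped by obligation class (an assumption;
# a real policy table is far larger and is itself reviewed by legal).
LICENSE_CLASSES = {
    "permissive": {"MIT", "BSD-2-Clause", "BSD-3-Clause", "Apache-2.0", "ISC"},
    "weak-copyleft": {"LGPL-2.1-only", "LGPL-2.1-or-later", "LGPL-3.0-only", "LGPL-3.0-or-later", "MPL-2.0"},
    "strong-copyleft": {"GPL-2.0-only", "GPL-2.0-or-later", "GPL-3.0-only", "GPL-3.0-or-later"},
    "network-copyleft": {"AGPL-3.0-only", "AGPL-3.0-or-later"},
}
SEVERITY = {"network-copyleft": 4, "strong-copyleft": 3, "unknown": 2, "weak-copyleft": 1, "permissive": 0}


def classify(license_ids):
    """Most restrictive class among a component's license ids. No ids, or an
    id outside the table, means the license is unknown and needs a human."""
    if not license_ids:
        return "unknown"
    worst = "permissive"
    for lic in license_ids:
        cls = next((c for c, ids in LICENSE_CLASSES.items() if lic in ids), "unknown")
        if SEVERITY[cls] > SEVERITY[worst]:
            worst = cls
    return worst


def dependency_depths(sbom):
    """Breadth-first walk from the root: depth 1 = direct dependency; a
    component reachable by several paths gets its shortest depth."""
    root = sbom["metadata"]["component"]["bom-ref"]
    edges = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    depths, queue = {root: 0}, deque([root])
    while queue:
        ref = queue.popleft()
        for child in edges.get(ref, []):
            if child not in depths:
                depths[child] = depths[ref] + 1
                queue.append(child)
    return depths


def triage(sbom_json):
    """Findings ranked by severity, then by depth (direct first), then name."""
    sbom = json.loads(sbom_json)
    depths = dependency_depths(sbom)
    findings = []
    for comp in sbom["components"]:
        ids = [e["license"]["id"] for e in comp.get("licenses", []) if "id" in e.get("license", {})]
        cls = classify(ids)
        findings.append({"name": comp["name"], "ref": comp["bom-ref"], "licenses": ids,
                         "class": cls, "severity": SEVERITY[cls], "depth": depths.get(comp["bom-ref"])})
    findings.sort(key=lambda f: (-f["severity"], f["depth"] if f["depth"] is not None else 99, f["name"]))
    return findings


def policy_violations(findings):
    """Copyleft is flagged at any depth (the obligation follows the code into
    the product); missing license metadata is flagged on direct dependencies."""
    out = []
    for f in findings:
        if f["class"] in ("strong-copyleft", "network-copyleft"):
            out.append(f"{f['name']}: {f['class']} ({', '.join(f['licenses'])}) at depth {f['depth']}; obligations apply regardless of depth")
        elif f["class"] == "unknown" and f["depth"] == 1:
            out.append(f"{f['name']}: no license metadata on a direct dependency; resolve before release")
    return out


if __name__ == "__main__":
    findings = triage(SBOM_JSON)
    for f in findings:
        print(f"sev={f['severity']} depth={f['depth']} {f['name']:<12} {f['class']:<17} {','.join(f['licenses']) or '-'}")
    for v in policy_violations(findings):
        print("VIOLATION:", v)
```

The ranking puts the AGPL client library first even though it is only a transitive dependency, because a network copyleft obligation is not reduced by distance from the root; the GPL component on a direct dependency follows, then the unlicensed package that needs a human decision. In practice the SBOM would be generated by the build and the violation list gated in CI, with exceptions recorded alongside the legal review that approved them.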
Learn more in the detailed guide to open source compliance