Approaches to compliance have never remained static, as Jose Costa can attest.

It started with handshake deals and promises to keep data safe, questionnaires to dig deeper into an organization's practices, and third parties coming in to perform independent audits.

The problem Costa sees with these traditional approaches is that they only provide a snapshot into an organization's compliance efforts, one that is locked to a specific date in time. A company may be compliant with a law, such as the EU General Data Protection Regulation or California Consumer Privacy Act, one day, but circumstances may quickly change, and it may no longer be the case.

Costa wants to remedy this issue as the chief information security officer at Tugboat Logic, a tech vendor that hopes to help its clients maintain and prove their compliance status on an ongoing basis.

Users begin the process with Tugboat by taking a survey for the law they need to follow. The survey walks the user through the requirements of each law by asking a series of questions, such as where they are located, what personally identifiable information they collect, and whether they are a data controller or a data processor.

Tugboat takes the answers from the survey and generates a series of pre-populated policies that users can modify. Tugboat also provides controls that inform users of tasks they need to perform to meet their compliance goals.

"Let’s say, for example, people would have to comply with Article 30 of the GDPR and keep an inventory of all the data they have," Costa said. "That’s what the control would say: ‘You need to have an inventory of all the data you collect; what are you using it for and what systems is it running?’ Here, we would also have implementation details. The implementation details would describe how to achieve that control."

Should a company wish to share their compliance efforts with an auditor or another organization they wish to engage with for business purposes, Tugboat provides a portal they can share to allow other entities to see their work.

Tugboat seeks to help organizations demonstrate compliance on an ongoing basis, and the most important element to make that goal a reality is its "Integrations," which facilitate the compliance process by continuously scanning and gathering evidence via automation. This allows users to prove they are actually meeting compliance requirements and ensuring the aforementioned controls are operating effectively. 

"It’s something that is inherently very difficult to automate," Tugboat Logic Head of Content Marketing Tyler Munro said. "We have a dedicated labs team that has a bunch of ex-auditors that put together the policy content. There’s an evidence collection list. There are controls. We’ve been able to streamline something that is needlessly complicated and put it in one place."

Costa believes one group that would benefit from having the ability to demonstrate continuous compliance is small- and medium-sized enterprises. He added Tugboat has worked with SMEs that have knowledgeable people working in their privacy office who are looking for ways to automate all of their internal workflows.

"Say they want to sell into Europe and the GDPR is a big thing for them. There’s urgency to get compliant, to prove that they are compliant, but they consider it a one-off," Costa said. "They don’t recognize compliance is a state that your business needs to be in constantly."

Costa expects similar solutions touting continuous compliance to make their way to the privacy technology marketplace. While he sees the demand coming mostly from business-to-business entities, Costa sees a point where consumers will eventually demand it, as well.

During a time when information can be accessed instantaneously and privacy laws continue to appear all over the world, the days of snapshot compliance may be coming to an end. Costa believes it is no longer feasible to have an auditor come in once a year to tell an organization they are off-base and that proving ongoing compliance has to eventually become standard operating procedure.

"I think being able to demonstrate compliance in real-time is going to be key for the future because even if you get to the maximum type of assurance, which would be having a third party come in and audit you, that’s an audit as of one date that’s looking back through a year," Costa said. "But if I’m engaging in a business relationship, how can I tell them that things are working right? That’s where this automation is going to be key. People want the data. They want it now. They want to know is something wrong right now so you can go and fix it."

Photo by Hunter Harritt on Unsplash