What is Evidence Collection in Compliance?
Published January 15, 2020
Evidence collection is the act of documenting an organization’s compliance processes and outcomes. Evidence collection is one of the best methods an organization can use to demonstrate that it is taking compliance seriously.
An organization will likely encounter a number of challenges when it sets out to collect evidence and build an evidence collection process. Evidence collection is one of the most difficult parts of a successful compliance program.
One reason is that the person in charge of compliance has to collect information and documents from a number of the organization’s departments, including engineering, IT, marketing, HR, legal, and/or sales, while at the same time ensuring the company complies with regulations. Even though the compliance officer is hyper-focused on evidence collection and compliance, those things are probably not a high priority for a member of the sales team.
Evidence collection is also challenging because evidence needs to keep pace with an organization’s controls. That means if a control is updated, then the documentation itself needs to be updated. Since an organization is constantly implementing new technologies, the evidence collection process must keep up with the changes.
Companies can mitigate many of the problems with evidence collection by implementing compliance management software, because managing any aspect of the process manually is prone to errors.
Compliance management software automates the main parts of the process, alerting users when a specific piece of documentation must be finished. Compliance management software also enables users to tag and sort evidence so it’s easy to locate.
Startups and small organizations sometimes piece together different tools to manage their evidence collection and compliance programs. Consequently, it can be difficult for those companies to integrate those tools.
Content management systems and shared drives are great for creating and storing some types of documents. However, since these systems aren’t made specifically for evidence collection and compliance programs, companies that use them run the risk of losing track of critical documents and artifacts. In addition, document storage systems do not provide audit workflows and framework mapping features.
If or when auditors or regulators discover compliance violations, evidence collection can mean the difference between a company paying a huge fine and not paying any fine.
For example, the General Data Protection Regulation (GDPR) allows data regulators in each European Union (EU) country to fine companies that don’t comply with the regulation. One of the requirements of the GDPR is that an organization must have standard evidence collection and event reporting procedures in place in the event of a breach.
Under the GDPR, every company that does business in the EU must adhere to strict rules to safeguard the personal data and privacy of people living in one of the EU member states.
If a company that provides services to EU citizens suffers a data breach and that organization isn’t in compliance with the GDPR, it can be fined up to €20 million ($22.07 million) or 4% of worldwide annual revenue of the prior financial year, whichever is greater. However, the data regulators don’t levy a fine against every organization immediately after a breach.
A company is less likely to be hit with a massive fine if it has been diligent about evidence collection and can prove it has the proper processes and security measures in place to protect people’s data. A company that has implemented evidence collection procedures can also demonstrate to regulators the steps its employees are following to stay compliant with the GDPR.
There are governance, risk, and compliance (GRC) tools that enable organizations to track, manage, and assess information security compliance and remediate risk. These GRC tools simplify evidence collection, make audits easier, and enable risk management.
To fight cybercrime and collect relevant digital evidence, even law enforcement agencies are incorporating compliance evidence collection processes into their infrastructures.