NAIDnotes

Thursday July 9, 2015

Not designating an accountable decision maker can be fatal

By Bob Johnson, NAID CEO

From the dawn of sales, sales professionals have struggled with the task of getting to the decision maker. It’s frustrating to discuss the benefits of a solution if the person is incapable of (or resistant to) understanding the need or, too often, incapable of making the decision. But as frustrating as that is from the service provider’s perspective, it is actually a serious risk management problem for the customer when it concerns an organization’s data security and regulatory compliance.

Every data protection law in the world requires organizations to establish clear internal accountability for compliance. In virtually every case, they do that by requiring the designation of a compliance officer. The reason this requirement is universal to every such law is that regulators know that unless there is someone directly accountable for compliance, it will not happen.

So, when there is a violation of the law or a data breach, the very first question the organization will have to answer is: Who is the person assigned responsibility for the organization’s compliance? If the answer to that question is “we don’t have anyone assigned that responsibility,” the fate of that organization is pretty much decided. Sure, there will be plenty of other questions, but the fact that no one was assigned responsibility for overall compliance means the outcome will almost certainly include the added burden of negligence. In enforcement and public relations, the determination that “negligence” is at the root of the problem is fatal. Regulators and the public are able to forgive mistakes. However, to label a mistake—especially one that puts others’ personal information at risk—as negligence makes it unforgivable. The fines go through the roof and customers head for the hills.

So, to customers: when your service provider suggests you involve your compliance officer in the discussions related to data protection, they are not trying to be difficult; they are trying to save your skin.
