Let’s say I invite you to the house for a BBQ. You say “sure,” and ask “where’s your house?” As I answer the question in the following ways, we go back-and-forth: “Earth,” “North America,” “the United States,” “Indiana,” “NE Indiana,” “Fort Wayne,” “North of X road and East of X road,” “X neighborhood,” “X street.” Likely, just reading this has your blood pressure on the rise. It’s obvious you’d need more granular information, my street address, to arrive at the destination efficiently, confidently, and on time.
This simple example is applicable to data compliance. As compliance professionals, we invite other functions to the BBQ, but can’t tell them the destination, or help them with directions on how to get there.
Know your destination...
It starts with knowing your destination. From a data compliance perspective, that means knowing what information is required to demonstrate compliance. More specifically, it requires you to know what events need to be recorded, and what information the records must contain, to demonstrate data safeguarding and compliant release.
For export practitioners dealing with Export Controlled Information (ECI), the granular information required to demonstrate compliant release must manifest in the export record. For ECI, the export record is the destination. Start there…at the destination…define the ECI export record-keeping requirements and work your way backwards.
The compliant record is an artifact, often a data-level access log, that captures what was known about the transaction at the time of the transaction, to include such elements as ECI names/IDs, export classifications, export authorizations, entities, individuals, dates, times, etc. The record must contain the information required to demonstrate compliance. At best, incomplete or altogether missing records are fertile ground for auditors and could result in administrative violations. At worst, they result in assumed non-compliance (“potential access” for all the trade folks) and lead to ITAR Consent Agreements.
If you want the key stakeholders to attend the party, start by providing the destination.
Compliance Data Science...
“Compliance Data Science” is the practice of knowing what information is required for accurate and timely compliance decisions. It forms the foundation for integrating compliance requirements into business functions, processes, networks, systems, users, and data. If you’re interested in learning more, feel free to shoot me a private message.