Regulatory compliance and the distributed workforce: How to minimise your digital risk

Last year, millions of businesses had to shift gears rapidly to facilitate remote working. While this was initially expected to be a temporary measure to stem the spread of coronavirus, both employers and their workers have since realised numerous benefits from the change to their operations.

From cost savings and smaller real estate footprints for companies to improved wellbeing and productivity for employees, the advantages of a primarily remote workforce are considerable.

A recent survey commissioned by The Straits Times found that eight out of 10 employees in Singapore prefer working from home or having flexible working arrangements. The novelty of home working has not worn off; it looks like it is here to stay.

So, what does this mean for compliance professionals? And how can they simultaneously minimise their enterprise’s digital risk whilst avoiding legal repercussions in the future?

Technology and compliance in a remote world

Decentralised workforces have created a multitude of challenges for compliance teams, who are responsible for ensuring that remote employees follow the rules and regulations set out by the business and by the wider governing bodies.

As employees dispersed at the beginning of the pandemic, gaps within digital infrastructure and cybersecurity quickly emerged. So too did the need for a greater culture of compliance.

Technology has undoubtedly been a saving grace in these uncertain times, where digital tools have helped to enable connectivity, efficiency and collaboration that would never have been possible in the analogue world. 

But without the controlled systems and workflows of the office environment, keeping on top of security and regulatory compliance standards has become increasingly complicated for compliance leads.

With a complex cocktail of increased cybercrime, remote working and the growing importance of data security, it has never been more crucial to adjust to the new norm without sacrificing governance standards. 

What are the key areas of digital risk to consider?

According to a study conducted by telecommunications company AT&T, 58% of Singapore businesses cited concern over heightened vulnerability to cyber-attacks in the remote workplace. It’s no wonder then that cybersecurity makes it to the top of the list and that bodies such as the Monetary Authority of Singapore (MAS) are tightening their Technology Risk Management Guidelines. 

Malware and phishing attacks in particular have increased tenfold in the last 12 months, as attackers have targeted home workers and the makeshift changes businesses have made to their technology and processes. At a time when enterprises are arguably least prepared for cyberthreats, they have been left exposed to substantial and often irreversible damage.

GDPR is another area that may have taken a back seat while businesses have navigated the changing landscape. Singaporean companies, which must already adhere to the Personal Data Protection Act (PDPA), will also need to comply with GDPR if they:

  • Process the personal data of individuals in the EU in relation to offering goods or services to those individuals, whether or not payment is required; or
  • Monitor the behaviour of individuals in the EU.

Failure to maintain the privacy and protection of the personal information a business processes may have drastic consequences, including lost contracts, reputational damage and decreased market share or, in extreme cases, fines of up to €20m or 4% of annual global turnover, whichever is higher.

Since emails, texts, phone calls and video conferencing have now become commonplace in lieu of in-person contact, compliance professionals must also assume responsibility for ensuring employees are mindful of the rules surrounding electronic communications.

Existing retention and supervision procedures and resources may not be adequate to handle the elevated volume of electronic communications that need to be scrutinised for compliance purposes. Likewise, employees may use their personal devices for work-related correspondence, which adds another layer of difficulty to data security.

The same goes for storing and sharing confidential business and customer information when working remotely. Saving files locally not only creates barriers to collaboration but also places data on devices and home networks that sit outside the organisation's controls and are typically easier for malicious third parties to penetrate. Similarly, sharing sensitive data through traditional means such as email and consumer file-transfer services could expose an organisation to data breaches and, ultimately, legal intervention.

How can you protect your business from non-compliance?

Many compliance lessons have been learned since the major global transition to remote working in the past year. To ensure your business maintains compliance with its regulatory obligations, consider the following steps:

  1. Devise and communicate clear policies

A critical first step in managing compliance is to have clear policies that are understood and acknowledged by everyone in the business, irrespective of their level. Policies might cover the handling of sensitive data to comply with GDPR, or the use of personal devices for work. Periodic attestations, in which employees confirm that they have read and will follow a policy, serve as a reminder of those commitments and are easy to track in a remote setting.

  2. Maintain governance and controls

Out of sight should not mean out of mind. Aside from producing appropriate policies for employees to adhere to, there are other controls you can put in place to ensure compliance. These may cover device security, where you could enforce measures such as disabling printing and blocking removable storage devices to prevent data leakage. Another control concerns employee privacy: the monitoring and supervision tools the business uses must not themselves breach its obligations of privacy and trust towards employees. You may also consider governance of employee behaviours, to ensure professional conduct and communication at all times.
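As an added illustration of the two device-security controls named above (example code, not from the original article), the following PowerShell enforces them on a single Windows endpoint and returns a status object that can be kept as compliance evidence rather than checked by eye. It assumes an elevated session on a standalone or test machine. The registry path is the local equivalent of the Group Policy setting "All Removable Storage classes: Deny all access", and the printing control works by stopping and disabling the Print Spooler service; the function names are this example's own.

```powershell
# Added example: enforce and audit the device controls the article names
# (block removable storage, disable printing) on one Windows endpoint.
# Assumes an elevated PowerShell 5.1+ session. Function names are illustrative.

# Local registry equivalent of the Group Policy
# "All Removable Storage classes: Deny all access".
$RemovablePolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'

function Set-RemovableStorageDenied {
    # Create the policy key if absent and set Deny_All = 1.
    if (-not (Test-Path $RemovablePolicyKey)) {
        New-Item -Path $RemovablePolicyKey -Force | Out-Null
    }
    New-ItemProperty -Path $RemovablePolicyKey -Name 'Deny_All' `
        -PropertyType DWord -Value 1 -Force | Out-Null
}

function Disable-Printing {
    # Stop the Print Spooler and prevent it from starting again, so no
    # local or network print job (including print-to-file) can be queued.
    Stop-Service -Name Spooler -Force -ErrorAction SilentlyContinue
    Set-Service  -Name Spooler -StartupType Disabled
}

function Get-DeviceControlStatus {
    # Report the configured state of both controls as a single object that
    # can be exported (CSV, JSON) into a compliance evidence store.
    $deny = (Get-ItemProperty -Path $RemovablePolicyKey -Name 'Deny_All' `
                -ErrorAction SilentlyContinue).Deny_All
    $spooler = Get-Service -Name Spooler

    [pscustomobject]@{
        ComputerName           = $env:COMPUTERNAME
        RemovableStorageDenied = ($deny -eq 1)
        SpoolerStatus          = $spooler.Status.ToString()
        SpoolerStartType       = $spooler.StartType.ToString()
        PrintingDisabled       = ($spooler.Status -eq 'Stopped' -and
                                  $spooler.StartType -eq 'Disabled')
        CheckedAtUtc           = (Get-Date).ToUniversalTime().ToString('o')
    }
}

# Apply both controls, then record the resulting state.
Set-RemovableStorageDenied
Disable-Printing
Get-DeviceControlStatus | Format-List
```

On domain-joined machines the same settings belong in a GPO rather than a local script, and the removable-storage policy only takes effect after a policy refresh (gpupdate /force) or a restart; the status function reports the intended configuration, not whether a given device is blocked at this moment. Disabling the spooler also removes Microsoft Print to PDF, so pair the control with an exception process for roles that genuinely need to print.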

  3. Invest in compliance training for employees

Continued engagement with employees is key to maintaining a compliance culture, and in areas such as cybersecurity your workforce is, after all, your first line of defence. Awareness initiatives may include eLearning or refresher courses that reinforce the information set out in your policies and cement understanding of the standards employees need to uphold and their responsibilities for preventing non-compliance.

  4. Put automation at the heart of your compliance practice

Compliance professionals have enough on their plates without having to trawl through multiple spreadsheets and paper-based systems to find the information they need. Automation brings a host of benefits, from removing the administrative burden to providing real-time insight and ensuring accountability of staff across the whole organisation. With clear audit trails and slicker processes, compliance software has become a necessity for today's businesses in the face of increasing regulatory demands.

  5. Regularly review compliance procedures

Whether the new normal for your business shapes up to be a fully office-based workforce, a remote workforce or you take a hybrid approach, more frequent revisions of your compliance practices and policies will help to ensure that nothing slips through the net as the regulatory climate continues to change.

Remote working has affected virtually every industry as businesses combat the ramifications of the COVID-19 pandemic. Amid such turbulence, it is understandable that compliance and governance practices may have been delayed while the world adjusted to new, digital ways of working, but that does not mean they are no longer a priority. With the right technologies in place, educated staff and some clear changes to digital policies, businesses can maintain the highest compliance standards while building greater resilience for the future.