Boring? Think Again. Your Compliance Roadmap Could Be Your Biggest Differentiator

What we’re seeing today is only the tip of the iceberg of how pervasive AI technology will become in our lives and world at large. This means more and more products & services will emerge, using AI, to handle sensitive data & information, from our health records to our banking transactions. There are no signs of this development slowing down, with the market for AI in Healthcare alone set to be around $173 billion dollars by 2029. There has never been as a good time as now to familiarise yourself and your organisation into compliance frameworks and best practises needed, to ensure that you really mean when you tell stakeholders, ‘we really care about data privacy and security’.

The process can often be summarised best via a compliance roadmap. At a high-level, a compliance roadmap is an outlay of the various certifications, and their respective timelines by which your company needs to attain to deliver on business goals and operations. It serves as a guide for ensuring that all necessary compliance measures are implemented and maintained, helping companies mitigate risks and ensure ongoing adherence to legal obligations.

At the end of 2023, we at Heidi made a conscious decision to make compliance a priority. Through the development of our comprehensive compliance roadmap, and through internal dedication and strategic focus, we successfully achieved compliance with GDPR, HIPAA, ISO 27001:2022, and SOC 2 within a span of just 10 months. In this blog post, I’ll aim to provide some high-level guidance to organizations to understand how to effectively prioritize their compliance roadmap, offering insights from our own journey at Heidi.

What does this look like for AI-driven tech products?

Want to sell your banking AI tool to financial institutions in the US? You might need PCI-DSS or SOC2 Type 2 certification to be taken seriously by those players. Providing an AI dispensary product to European pharmacists? GDPR compliance will be necessary before even operating in the EU. Are you launching a new product feature in Australia giving diagnostic advice to clinicians? You’ll probably need to register as a medical device under the Therapeutic Goods Administration.

It is important to bear in mind a roadmap can only be effective if its implementation is incorporated from the beginning of your overall strategic business planning. This also means it cannot happen without the support of leadership and/or management, who can instil a culture across all levels of the business about being rigorous with their data privacy & security habits; This is something we’ve done quite well at Heidi with our mantra of “compliance is everyone’s responsibility” being taken seriously and not just a pretty slogan to mentioned at company meetings or plastered on a wall in the office. It is through this culture that a company will understand the gravitas of potential consequences for not taking compliance seriously enough, across all jurisdictions of operation.

Beyond avoiding potentially disastrous mishaps with regulatory bodies, having & following through with a compliance roadmap is what will allow your business to grow, especially if operating in a B2B capacity. Many organisations, especially established brands, will not trust 3rd-party software providers without the necessary certifications to prove your adherence to protecting their data. Gaining clients’ trust is one of the top weapons in your strategic arsenal to beat competitors in your AI product category because it is something that takes time, resources, and a dedicated team to execute. The certificates themselves also need to be maintained regularly, and if you are a business dreaming of scale, there’ll never not be another one to add & use to reassure potential customers of why you’re the best option.

The most daunting part about starting this process is selecting which certificate to attain. The best rule-of-thumb that can be applied to this is, the more sensitive the data you process, the more important that your security posture is backed by your certificate.

Across the scope of data privacy & security certifications, there are many different options that span across a spectrum of prestige level (marked by its standardisation per jurisdiction and cost) and timeframe to attain it. For this guide, there are two main streams to help you select the certificate for your company according to your team’s size, jurisdiction(s), resources at your disposal, and turn-around/commitment.

The first are certifications that can be considered as ‘Quick Wins’. They are achievable in a short-time frame, less complex, and less costly. They give you entry-level certification in data privacy & security.

Here is a non-exhaustive list of different ‘Quick Win’ compliance certifications relevant to various industries:

Cyber Essentials (UK)

• What it is: A UK government-backed certification that focuses on basic cybersecurity measures.
• Ease of Obtaining: Straightforward and cost-effective, often achieved within a few weeks with proper preparation.
• Business Value: Demonstrates a commitment to cybersecurity to clients, particularly in the UK.

NIST Cybersecurity Framework (CSF) Implementation (International)

• What it is: A voluntary framework providing standards, guidelines, and best practices for managing cybersecurity risks.
• Ease of Obtaining: Implementation is flexible and can be tailored to your company’s needs, making it less burdensome.
• Business Value: Highly regarded in the U.S. and by companies interacting with U.S. clients or partners.

FedRAMP Tailored (for Low-Impact Software as a Service - SaaS) (US)

• What it is: A streamlined version of the FedRAMP (Federal Risk and Authorization Management Program) certification, designed for low-impact SaaS applications.
• Ease of Obtaining: Significantly simpler than full FedRAMP authorization, with a faster and less resource-intensive process.
• Business Value: Crucial for SaaS providers targeting U.S. federal agencies or clients who prioritize government-level security standards.

CSA STAR Level 1 (International)

• What it is: A self-assessment-based certification for cloud service providers, focusing on transparency and security practices.
• Ease of Obtaining: The Level 1 certification is based on self-assessment, making it a more accessible and quicker process.
• Business Value: Demonstrates commitment to cloud security and transparency, particularly useful for cloud service providers.

HIPAA

• What it is: A U.S. regulation for protecting the privacy and security of health information, specifically for entities that handle protected health information (PHI).
• Ease of Obtaining: Compliance involves a comprehensive review of policies, procedures, and practices related to the handling of health information. It requires ongoing adherence and regular updates to remain compliant.
• Business Value: Essential for businesses in the healthcare sector or those dealing with health data. Demonstrates a commitment to protecting sensitive health information, which is critical for client trust and legal compliance.

The advantages and disadvantages to these ‘Quick Wins’ as followed:

In the other stream are the ‘Long-Term Wins’. Requiring much more time commitment, resourcing, and support from leadership (almost requiring cooperation company-wide), these certifications would be recommended to businesses looking to enter new markets and/or have a decent amount of revenue & wish to scale their business.

Another non-exhaustive list of certifications falling under this category:

ISO 27001 (International)

• What it is: An international standard for information security management systems (ISMS), focusing on establishing, implementing, maintaining, and continuously improving information security.
• Ease of Obtaining: Requires a thorough audit process and ongoing commitment to security practices. The certification process can take several months to a year depending on the organization’s size and maturity.
• Business Value: Recognized globally, it demonstrates a strong commitment to information security and can enhance trust with clients and partners. It is often a prerequisite for doing business with larger enterprises.

SOC 2 Type 2 (International)

• What it is: A compliance framework developed by the American Institute of CPAs (AICPA) that assesses the controls related to security, availability, processing integrity, confidentiality, and privacy of data.
• Ease of Obtaining: Requires a detailed audit of the organization’s controls and processes over a period of time, typically 6 to 12 months. The Type 2 report evaluates effectiveness over a specified period, usually 3 months.
• Business Value: Highly valued in the U.S., especially for service organizations, as it provides assurance to clients about the robustness of data security practices and operational controls.‍

GDPR (EU)

• What it is: A comprehensive data protection regulation in the European Union that governs how personal data is collected, stored, and processed, emphasizing individuals' rights and data protection.
• Ease of Obtaining: Compliance requires substantial changes to data handling practices and policies. Organizations must implement robust data protection measures and undergo regular audits. Achieving full compliance can be complex and time-consuming.
• Business Value: Mandatory for businesses operating in the EU or dealing with EU residents' data. Demonstrates a commitment to data protection and privacy, significantly impacting international business relations and legal compliance.

For some businesses, deciding between a ‘Quick Win’ or a ‘Long Term Win’ may not be as intuitive. There are some factors by which the choice between the two can become clearer: overall strategic planning, resource allocation, client segmentation, and budget. Within this, here are examples of how these certification efforts panned-out at Heidi, as a gauge for what this can look like in action.

Overall Strategic Planning: Balancing Immediate Certification with Long-term Goals

• In November of 2023, Heidi’s compliance team consisted of two individuals.
• At the time, there were not many resources, a new product was being released and leadership had a strategic vision to enter big markets like the US and EU.
• By doing a compliance framework analysis, the team was able to ascertain that HIPAA would be the ‘Quick Win’ because it was the bare minimum level of compliance, we needed in order to provide Heidi in the US.
• It was also crucial to consider plans to enter other markets such as the European Union; GDPR is the required standard needed in that jurisdiction however it was also the bigger task, both from a time, resource and complexity standpoint – consequently it made prioritising HIPAA more obvious.
• Working with product and strategy teams, rather than working in the silo, was crucial because it allowed full visibility on what goals for the business were going to be more achievable, considering regulatory requirements

Resource Allocation: Ensuring it is effective for achieving different certifications

• At Heidi, flexibility was also key as our team was considering what certifications were needed as we needed to consider if there was a pivot in strategy later down the line
• This especially came into play when entering the US market; Heidi realised their product strategy could not be refined to just private and individual clinicians, it also had to be implemented by big hospitals & clinics
• All these big hospitals & clinics required a SOC2 Type 2 certification to even begin commercial conversations, a very hefty and time-consuming certification to attain, all while GDPR and HIPAA certifications were ongoing
• The bare minimum of resources would be having at least one dedicated personnel towards the documentation side of the certification (i.e. drafting policies, procedures), another towards the technical tests & controls (i.e. one engineer or technical role), and a company culture that buys into upholding the data privacy & security practises (e.g. ensuring all individuals use password protection & hard-drive encryption etc)

Client Segmentation: Understanding the needs of your target market and aligning your compliance strategy accordingly

• The main question to ask yourself for this matrix is to think about ‘who cares about what, where?’.
• This requires the compliance roadmap to be tailored to the size of your company and market you’ll be entering.
• For example, if you are an Australian business with 10 people, working on a SOC2 Type 2 certification whilst aiming to launch into the EU, SOC2 Type 2 might not be what’s required. Instead, your time and effort might be better placed investing into bringing your company up to GDPR standard.

Budget: Executing the Compliance roadmap without undermining the ability to keep the lights on

• For some businesses with the extra reserves, there are options to outsource the admin process of getting certifications done, using verifiable auditors and third-party specialists. These often come with a higher cost but can remove some of the guesswork and complexity involved if you lack the expertise in-house.
• There are ways to get some certifications with lower barriers of entry, which includes a large portion of self-learning to ensure it is executed well.
• These include an attestation, self-assessment, and ‘Quick Win’ certifications we discussed above. Deciding which style of certification depends on where your core market is and what is the bare minimum certification required.
• For attestations, it is recommended to only use it if you are starting slow, and as a lily-pad towards affording a full certification conducted by a third-party
• Self-assessments can be not as competitive as other forms of low-cost certifications and if this is the path being taken, Cyber Essentials would be a great place to start, with Cyber Essentials Plus being even more favourable. These certifications can be completed on their website for just a couple of hundred pounds
• Heidi went through a similar process of starting with small certifications to then build up to bigger ones as we acquired reserves in our budget. We recommend to other businesses to start small and continue building the resources to do more, add as many of the basic certifications you can until your business is ready to need more.
• This continuous process of acquiring certificates whilst building the business is essential to keep client-leads warm; some clients may only wish to engage with your business once certain data privacy and security milestones have been attained
• This puts you on the front-foot to say these certifications are pending, making it easier to re-engage them further down the line. This is as opposed to letting them grow cold because of being unable to affirm if you’ll be compliant within a reasonable timeline.

There are other key factors to consider in a compliance roadmap:

• Regulatory Landscape: Understanding the ever-changing regulatory requirements in your industry.
• Client Requirements: Tailoring your roadmap to meet the specific compliance demands of your key clients.
• Risk Management: Identifying and mitigating risks associated with non-compliance or delayed certification. See Uber’s $295 million dollar fine from the EU over their GDPR non-compliance which most companies would not survive. There is always a huge risk of being non-compliant and continuing operations in any given market; thinking of these risks will give you leverage to push-back against pressure from leadership & sales to drive growth for the sake of it, and instead do so from a more considered vantage-point.
• Technology and Tools: Leveraging compliance management platforms and tools to streamline certification processes. Some great ones to recommend & start with are Vanta or Drata.
• Foster positive relationships with third-party auditors: These are the independent teams who’ll help you get prepared for the external audits by conducting internal audits where they can highlight blind spots, go over interview questions, and guarantee you get that certification. While external auditors often have a need to remain impartial and not disclose if you are falling short of passing their tests; the internal auditors can be candid with you about this and so it’s best to seek a long-term relationship with them.
• Seek strong, ongoing relationships with external auditors: When undertaking an audit for a certification, there’s a lot that can go wrong and grey areas that can make a difference between a pass or fail, benefitting from investing thousands of dollars or watching it all go down the drain. Especially when the challenge of multiple certification audits becomes frustrating, it's important to not take the situation out on people, most especially your external auditors who are just trying to do their job (and who can also make your life awful!). Remember to be kind and engage with all parties in as positive a manner as possible!
• Internal Stakeholders: Engaging key stakeholders (e.g., Legal, IT, Operations) early in the process. It is best to be realistic about the compliance roadmap and not let it be thrusted upon your business’ broader to-do list, causing you to potentially even must re-do your product strategy from scratch. Even the smallest product decision can make you non-compliant
• Continuous Improvement: Ensuring your compliance roadmap is a living document, regularly updated to reflect new challenges and opportunities.

A well-structured compliance roadmap is one well-tailored to your business, with cultural support from the broader team to execute, invest in, and incorporate into overall strategic planning. Selecting the best compliance certifications to attain come down to your needs, target clientele, and resources. It is vital to ensure not only are you preventing potentially damaging consequences from regulatory bodies, but also to give you competitive edge in the race to acquire clients, especially those who have greater onus to be protective over their data privacy & security practices.

The race to be the best AI product in your category is only getting fiercer as the world recognises the urgency to adopt AI technology, at the risk of being left behind. Assess your current compliance status and consider whether your business can benefit more from a ‘Quick Win’ or a ‘Long-Term Win’. Your compliance roadmap can be the weapon in your arsenal that brings you miles ahead of the game, showing you truly are serious when you say, ‘we really care about data privacy and security’.

‍