Perceptions on an effective Compliance Management System : An approach to compliance with EU Data Regulations


Bibliographic Details
Main Author: Mulugeta, Bruke Mekuria
Format: Others
Language: English
Published: Internationella Handelshögskolan, Högskolan i Jönköping, IHH, Informatik 2016
Online Access: http://urn.kb.se/resolve?urn=urn:nbn:se:hj:diva-31603
Description
Summary: The purpose of this thesis is, through an exploratory study, to examine how organizations can effectively comply with data regulations. The following are the research questions: What are the elements of an effective compliance management system? In light of the elements of an effective compliance management system, how are organizations complying with EU data regulations? A holistic multiple case study approach was implemented where four companies with services handling personally identifiable information were interviewed and then requested to participate in a Likert scale questionnaire to find points of consensus. Based on literature the elements of an effective compliance management system were shortlisted. These elements are policies and procedures; communicate and train; culture; respond to incidents and prevent future incidents; resources; incentives and rewards; exercise due diligence to prevent and detect criminal conduct; governance; objectivity; risk management; prohibited persons; monitoring and auditing program effectiveness; ethics. Based on the interviews and questionnaire, organizations were not systematically managing compliance with EU data regulations. Also, there was not an awareness of the regulations. There was a lack of understanding on the details of the regulations and a drive to comply with these regulations. It was noted that issues that do come about due to data protection were handled on the go. To summarize the interviewees, there is a reactive mentality instead of a proactive one towards compliance with data regulations. From a regulator’s perspective, a means of including service providers in the process of data regulation may first help in creating awareness. On the note of awareness, it is necessary for organizations handling personally identifiable information to comply with the law.
Again, this is not viewed as a priority for the organizations that have been interviewed or at least for organizations that are relatively small in size or in a startup phase. The value provided by this thesis is in providing an aggregated view of the elements of an effective compliance management system.