Why Compliance Isn’t Just About Law

Compliance is all about knowing the rules, and making sure that you comply and are able to account for it.

Compliance is concerned with our obligations in terms of:

  • Law
  • Contracts
  • Promises
  • Relevant standards
  • Your own policies and guidelines

Whether we live up to our obligations is one thing, but even more important is whether we can account for it. An essential part of compliance refers to being able to document what we do exactly.

But how?

  • Documenting procedures, work instructions, and controls
  • Reporting incidents and control execution
  • Documenting plans for dealing with risks and incidents as well as responses to observations and recommendations

Getting started with compliance is about knowing the actual obligations and making sure to keep up to date with potential changes in these obligations.

Your obligations are defined based on the law, contracts, promises, standards, internal policies, and guidelines coupled with the specific assets you are handling and the kind of work you do.


Initial identification of which requirements you are being met with may be the hard part of compliance. But once you get past this point, it will be just a matter of tracking changes to the identified sources, internal procedures, products, and services.

So how do we start?

Most legislation is closely connected to what we do and what we do it to. In less formal language, we will have to look at our line of business, products, services, and processes.

For example, the following functions will map to a specific law:

  • Finance – Bookkeeping law
  • Sales and Marketing – Marketing law
  • Banking – Financial regulations

It is best to start like this, laying out the rough groundwork before going into details with the specific set of rules affecting us.

We will likewise have to look at the stuff we handle; this will be some kind of assets and these should be identified and classified as to where relevant applicable law should be noted, e.g.:

  • HR data – Personal data act
  • Financial transactions – Bookkeeping law
  • Credit card data and transactions – PCI DSS
  • Employees – Health and safety regulations

So the more specific a field of responsibility you have, and the better you are able to narrow down what assets you are responsible for, the easier it will be to identify regulations affecting your area of work.

Living up to the expectations

When identified, you will of course need to come up with a list of the demands that you are currently not meeting, and for each of these a plan for how to get on track.

From there on, compliance will practically be 90% about documentation and reporting. Hence, it makes sense to manage the three disciplines as a whole:

Compliance, documentation, and reporting should be managed as one!

We are getting back to how to manage your documentation in the last post in this mini series.

At the end of the day, the big question remains:

Can you prove that you are complying?