Choosing Your Compliance Framework

Travis Good
May 12, 2020

With the growing focus on privacy and personal data, it has become table stakes for every B2B company, and many B2C companies, to attest to, or comply with, an established framework or regulation. Whether mandatory (HIPAA, GDPR, CCPA, FERPA, IRAP, PCI, etc.) or by choice (SOC 2, HITRUST, etc.), every company needs to establish and “prove” trust if it is going to sign business customers and collect, process, and store personal data. Compliance certifications and 3rd party audits against different privacy frameworks go a long way toward establishing proof of security and trust in your company.

One of the major challenges with compliance is that the regulations have different requirements, or at least different formats. The policies, procedures, and implementations of a privacy and compliance program remain the same, but they need to be mapped to each framework and regulation to which you attest.

At our last company, we were in healthcare, initially in the US only. We started with HIPAA but quickly expanded to HITRUST, as it expedited our security assessments at larger enterprise customers. We eventually followed market demand into Europe, where GDPR was just rolling out, so we made additions to our compliance and privacy stack to meet the requirements of GDPR. Then, as we sold into larger life sciences companies, we kept getting asked for SOC 2 Type 2 reports. We added SOC 2, so as a 5-year-old company we were audited every year for HITRUST, GDPR, and SOC 2. This was in addition to the many security assessments we completed, including the incredibly extensive Shared Assessments.

At Haekka, we provide apps and workflows to establish and manage a compliance program, all within Slack. Our customers are businesses and operate in multiple verticals. Based on our experience, we believe in privacy and security by design, so we have operated our business from founding with a compliance stack. We needed the relevant controls to inform our privacy policies and procedures, and those controls come from regulations and compliance frameworks.

We chose SOC 2 because it is increasingly accepted across verticals for B2B SaaS companies like Haekka. It will help us win the trust of customers and accelerate our implementations. The choice was not based on a determination that SOC 2 would improve our security posture. We care deeply about security, but SOC 2 is not going to make us more secure than HITRUST Certification or a 3rd party GDPR assessment would. Our decision was based on the market and our customers.

And our decision is a hedge. We fully anticipate doing audits against other frameworks like GDPR and CCPA. Those will come later, and we will amend our compliance and privacy stack to meet the additional controls in those regulations. We have not found regulations with conflicting controls. Most of the additional controls focus on the treatment of personal data, data subject requests, and breach notifications.

The thing to remember when choosing a compliance framework for your business is that it is a form of proof. The choice should be driven by your market and by your customers. It builds trust in your brand, and it empowers your salespeople.

At Haekka, our first product addresses compliance training requirements across multiple regulations (HIPAA, GDPR, CCPA, and SOC 2 initially). In time, Haekka will let you manage your entire compliance program in Slack. You choose the frameworks and regulations that matter to you, and we build all the necessary workflows in Slack to address the relevant controls.