Compliance in IT is mandatory for every company; data protection is just one example. Before each IT project, it is necessary to check which legal and contractual requirements exist and must be met.
IT compliance refers to adherence to the set of rules and regulations that apply to IT in companies and government agencies. Exactly which rules must be adhered to depends on the particular organization and the particular IT process. In addition to the internal guidelines of the company or authority, IT must meet the legal and contractual obligations that apply to it.
What does compliance mean for companies?
Compliance in IT means that IT is not used to implement everything that is technically and organizationally possible, but only what is permitted within the applicable set of rules. Companies and public authorities are therefore constantly required to check whether a particular IT project is compliant with those rules and regulations before it is implemented.
IT management and organization, i.e., IT governance, must therefore make decisions and take measures within the framework of IT compliance requirements.
Compliance means adherence to data protection
An important example of legal requirements that must be met for IT compliance is data protection. IT must be designed and used in such a way that the protection of personal data is guaranteed. What this means in concrete terms is regulated by the German Federal Data Protection Act (BDSG) and the data protection laws of the German states, as well as, since 25 May 2018, by the EU General Data Protection Regulation (GDPR), which applies directly in every EU member state and takes precedence over the national laws that supplement it.
IT compliance is also required by tax offices
Another example of where IT must comply with precise legal requirements is the “Principles for the Proper Keeping and Retention of Books, Records, and Documents in Electronic Form and for Data Access (GoBD)”. Tax audits are carried out digitally: the auditor can access the company’s accounting data directly, have it evaluated by the company on request, or have it handed over on a data carrier. To ensure that this is technically possible, and that the electronically kept records are complete, traceable, unalterable, and retained for the statutory periods, companies must comply with the requirements of the GoBD. The GoBD are therefore part of the IT compliance requirements.
IT compliance requirements often refer to standards
In addition to legal requirements, contracts can also prescribe certain rules for IT. Contractual regulations for IT often refer to recognized standards in order to provide uniform, tried-and-tested specifications instead of describing every requirement from scratch.
In the area of IT security, compliance with the information security management standard ISO/IEC 27001 or with IT-Grundschutz according to the BSI (German Federal Office for Information Security) is often required. Compliance with a standard can be confirmed by independent bodies as part of certification. Note that such a certificate attests that the organization’s management system met the standard, within the defined scope and at the time of the audit; it does not by itself confirm that any individual system is secure.
IT compliance also takes industry standards into account
While data protection must be observed by all companies and authorities that process, use, or store personal data, there are sets of rules that contain specific requirements for certain industries. One example is the Payment Card Industry Data Security Standard (PCI DSS), an IT security standard that must be followed by all organizations that store, process, or transmit payment card data. PCI DSS is not a law; it is imposed contractually by the card brands through acquirers and payment providers, which is why it typically appears in IT compliance as a contractual rather than a legal requirement.
Basel II is an example of the legal framework conditions in the banking business: a framework of banking supervision, transposed into national law and since extended by Basel III, whose treatment of operational risk also imposes requirements on the IT security of banks.