‘Being data compliant does not equate to having data security’

“Being data compliant does not equate to having data security,” Alan Boehme, Coca-Cola Co.’s global chief technology officer, chief innovation officer, and chief architect, said at the Collision Conference 2017. The event largely focused on tech, tech companies, and tech solutions, but there were several presentations, which caught the eye and ear of The Man From FCPA.

I had the chance to sit down with Alan for a longer visit about this remark, which I found so engaging. He explained that simply following the paper program rules and regulations around data security were not going to be sufficient to protect your data. To have data security you must be actually doing data security, not simply complying with the more stringent legal and regulatory requirements than are typically seen in anti-bribery/anti-corruption compliance.

Further in data security, Boehme explained it is literally impossible to protect all of your corporate data. The key is to assess what is the most important data to your organization and then put as strong a security plan is as possible around it. Obviously for Coca-Cola, the most important data is the formula for the drink. This has multiple levels and layers of security around it.

For a services companies, you may have different IP, which are the crown jewels for your organization. You may have financial or customer information which is critical to your organization (See: Target, Home Depot). Boehme made clear that it all begins with a risk assessment and then appropriate management of that risk going forward. This should all be clear to an anti-corruption compliance professional, yet the loss of IP, which does constitute the crown jewels of your company, can be a catatrophic loss.

Data security requires a continued diligence toward keeping the most important information secure. Simply following a checklist in data security compliance works no better than it works in anti-corruption compliance. Complacency through a certification, standard or even defense, will not protect you or your company’s data in a dynamic and ever-changing business environment.