Compliance as Strategic Advantage

Published: November 24, 2025

Learn how modern enterprises leverage compliance not as a cost center, but as a key driver for building market trust, accelerating enterprise readiness, and securing investor confidence.

Sandra Peterffy, President & Overlord, London Market Consulting

Sandra Peterffy is a compliance, privacy, and risk management executive with more than 20 years of experience helping fintech, SaaS, medtech, and insurance companies turn complex regulatory obligations into practical, scalable programs. She has led SOC 2, HIPAA, and GDPR initiatives and built compliance frameworks that work in production, not just on paper. Through her consultancy, London Market Consulting, Sandra provides fractional compliance leadership that is direct, pragmatic, and refreshingly human. No jargon. No fluff. Just programs that work.

Webinar Transcript

Mohamed Hamad: Hello, hello, hello, everybody. Welcome to another webinar. Today, we’ve got a very exciting conversation going on with Sandra Peterffy: Compliance as a Strategic Advantage. Sandra is a compliance and privacy and risk management executive. She’s got about 20 years of experience helping FinTech, SaaS, MedTech, and insurance companies turn compliance into regulatory obligations and a practical, scalable programme, making sure that companies, you know, dot their I’s and cross their T’s out there. Sandra, would you like to give us a little bit about your background and how do you go about doing what you do?

Sandra Peterffy: Sure. So I started off in the UK in the Lloyd’s of London insurance market and by trade, I’m an auditor. So a big boo out there for that, I’m sure. But then when I moved to Canada, I started working for tech companies and startups. So I’ve worked for AI and automation companies, fintech companies, and a lot of med tech companies as well. Helping them embed compliance in what they do, so it becomes something that’s layerable rather than a panic and rewrite later down the line.

Mohamed: Yeah, I mean, compliance is one of those things that people think of as an afterthought. There’s more and more people out there building apps, coming up with new systems, and with vibe coding becoming the new hot thing for people building stuff. It’s something that—What do you think? Should they be really thinking about it early on? Is it an afterthought? How does one get into setting up their compliance from the ground up? Or what does that mean?

Sandra: I mean, it depends on the priorities of the business, right? Like, if you actually want to make money and if you actually want to get investment and you want your product to go [to market], you need to think about compliance at some point and I’ve lost count of how many times I’ve been asked, “Oh, we need a policy for this by 9:00 a.m. tomorrow morning for our investors,” and you’re up all night writing policies and evidencing controls that you may or may not have in place, you know, like it’s a— It becomes a lot of hard work when you’re doing it last minute for the sake of, oh, our investors want it, or a customer has asked that we need to do this and we need to do that, and it can just become a real headache. If you think about it at the start, you don’t necessarily have to do it all, but at least be aware of where your product’s going to be going in the next 5 years. Like, what’s your North Star, how are you going to achieve that? And some of that is going to be, you can’t sell your product until you’ve got a degree of compliance.

Mohamed: Now, basically what you’re saying is that if any app or any product that’s going out, if they’re looking for funding, if they’re looking to target an enterprise market space, if they’re looking for any, you know, financial and or medical sectors, these things are very important and need to be set up from the ground up.
Sandra: Absolutely. I mean, regulated industries are—that’s a whole other beast, right? You can start building and you can start working from a principle-based compliance, but when you start getting into regulated environments, that’s when firm and hard rules are going to be in place. You need more separation of duties. You need more process, you need more rigour, I guess, in what you’re doing. So you need to also think about at what point you’re going to deploy that. When are your customers going to need that? When you look at just the basic apps and you get a lot of them out there, like there’s just so much tech, it’s coming in thick and fast. Oh, AI can do this, we’ve got the greatest AI product in the world, we’re going to sell globally. Sure, how are you going to evidence that you’re compliant with the AI laws, for example, in Europe? So you’re going to have a blocker to a whole huge market if you can’t evidence a degree of that and your customers are going to ask for it. And you don’t necessarily need to be ISO compliant. You don’t necessarily need to have SOP compliance, but you do need to evidence you have controls to protect their information and to protect their environment with integrations, and actually that’s what matters, right? It’s all about actually protecting data and doing what you have to do legally. And it’s turning from ‘trust us’ to being able to show you’re trustworthy; there’s a big difference between that for enterprise customers.

Mohamed: So, what are some of the compliance frameworks that are out there? Obviously, there is GDPR when it comes to Europe, and that’s more in the safeguarding of data and the right to be forgotten and how people can remove stuff. And then in the US you’ve got HIPAA, which is also around medical private data. But what is there? There’s SOC 2. Just give us a little bit of an understanding of some of these. What do these mean?

Sandra: So there’s a bit of a difference there.
So things like GDPR and HIPAA, they’re law. You have to comply with them. They will set out guiding principles and a lot of the time it’s reasonable and proportionate because it’s like for everyone, right? And then you have these different frameworks out there that can help satisfy these laws. And some of them are called harmonised standards. They’re the ISOs, they’re quite rigorous, but they are recognised by law that, “Yes, you are fully compliant because we acknowledge that this standard meets everything we require.” And then you have the lower level, they’re not lower level, but they’re less intrusive frameworks that you can work to, and they’re the SOC 2s, and a lot of startups will start with SOC 2 because it’s like the first dip your toes in there, you’re working to principles and you can be very risk based. As long as you’re meeting the intention of the principles, and it’s less rigid. So moving from something very principle based, very fluid, very risk-based, to then ISO, which is a bit more rule-based and rigorous, is very much a market decision and that kind of depends who your customer base is, right? A lot of people can survive with SOC 2 because actually it’s a really good solid framework, as long as you’re not doing it as a checkbox and you are actually compliant.

Mohamed: Yeah, so. A lot of startups are coming up. They’re thinking about shipping product. They’re focusing their devs on the features and, you know, their MVP getting things out there. They’re always putting certain things on the back burner. These types of things usually get pushed to the back burner because they need to ship fast and ship quick. How do you, when you’re talking to any of these startups or any of these organisations, get them to really think about institutionalising the idea of setting these trust frameworks, embedding them within the culture in itself, so that it’s not a heavy lift when it comes time for it? Where does that start? Is it a top-down thing? Do you work with the engineers from the get-go? Like, how does that get going?

Sandra: You’re working with everyone. But the biggest blocker, and so many CEOs are going to hate this, it’s tone from the top and culture. I don’t know how many times I’ve heard, “I don’t want to hear about culture anymore.” But it’s true, right? CEOs, C-levels, founders, they are super impressive people, and everyone working for them, especially in a startup environment, wants to learn from them, right? They’re inspired by them. They have this interaction and level of respect. They’re like influencers. I’ve referred to them as Kardashians before, but that doesn’t always go down so well. But as soon as you start shitting on compliance outwardly to your teams and how it’s a waste of time and, “Oh, we’ve got to do this,” the teams actually listen and then they don’t care. So then everything your GRC people are doing to try and explain the principle behind the control, how are we going to manage this control, no one’s going to respond to that because they just don’t care because leadership don’t care. It’s not been made part of the corporate goals and no one understands how they interact with it. A lot of time you get silos too, you get security or GRC just centralising everything, “these are security controls.” They’re absolutely not, they’re organisational controls and that should be owned within the organisation and everyone should be accountable. So it’s very much a branding thing and compliance gets a really, really, really bad reputation sometimes because there’s a lot of bad things going on out there and there’s a lot of bad implementation, like you see policies that are just templates that don’t actually give any guidance around what the internal rules are and how you can proceed. People can still proceed and do their processes how they need to, but they need some guidance about what they can and can’t do, what needs further discussion, who needs to now be included because we want to do something different. That’s where the problem starts. It starts at the top, but everyone needs to be involved and compliance and security can sometimes be the problem too.

Mohamed: Yeah, I guess one of the key things there is to make sure that people understand the why behind this and why it’s important and it needs to be done, and not to think about it as another layer of red tape that needs to be implemented and just a bottleneck to productivity to a certain degree. Am I reading that right?

Sandra: Yeah, 100%, and it’s also, I call it hilltops, right? Everyone has a different view and opinion, so everyone’s on their hilltop. Some people are looking from up here and they see so much more, and some people are here and you are literally missing each other’s point. And that’s why it needs to be embedded and that’s why it needs to be communicated, right? You need to try and get a level playing field of understanding and making sure everyone understands the big picture and everyone understands the granular level too, because if you’re just looking at information in isolation, it’s not going to work. Compliance and risk management is a messy web, right? Everything interacts. You change one thing over here, it’s going to change 10 things over here. Again, it’s all about collaboration and meeting in the middle somewhere.

Mohamed: Yeah, yeah, what would you say to someone who thinks of these types of things as more of a cost centre than, you know, something that is necessary, the cost of doing business? I wouldn’t say that necessarily, but, yeah.
Sandra: I mean, sure, they’re not wrong, it is a cost centre, it’s certainly not cheap, and if you don’t think about it early and you don’t design it in a way that will scale with you, it’s very, very expensive because you’re always engaging consultants, you’re always rewriting what you’ve done rather than uplifting or layering, you’re bringing in expensive tools because it’s been done in those ways. So it can be a cost centre. And it can be a huge cost centre, or it can be a business enabler, right, because you can’t sell to certain markets if you can’t show that you are going to protect data. There will come a point, whatever application you do, that it’s going to block you from selling. So it’s a sales enabler.

Mohamed: So if someone’s kind of coming in from the ground up, where would they start, in this thinking through, being compliant? I’m guessing you don’t have to be 100% compliant from the get-go, but there are certain things that you can do to lay a foundation so that later on, it doesn’t become a huge gargantuan lift and a bigger cost centre for you, and it just enables the business in a sense.

Sandra: Sure, and no one is ever 100% compliant all the time, right? The risk warrants you not doing something sometimes, depending on where you are with your organisation. But the first thing that I would recommend founders do is they have a conversation with someone that’s going to try and talk them out of compliance. Genuinely, I’ve had so many conversations where people say to me, “Can you do ISO 27001 or whatever ISO is relevant?” And the first question I ask is, why? Like it’s a hell of a thing doing ISO. It’s not a small thing. And if you’ve got nothing, why are you starting there? And a lot of times people think about doing this because a customer has asked for it. And that’s, like I say, they’re starting to think, oh, this is going to block business if we can’t do it. But also you need to ask yourself how many customers are asking for it? How is this going to impact your roadmap? What kind of research should you be doing? What kind of reading should you be doing, because you need to understand it as well as either get consultants in to look at it and plan out a roadmap. You need to decide how much work you need and how much of a culture shift you need. Maybe you’ve never had policies, maybe you do need a full-time FTE. So do you really need that level of uplift? I always say if you haven’t had someone try and talk you out of compliance, they’re not trying to understand your business and what you actually need.

Mohamed: OK, so basically someone that’s just complying with your request for compliance is not very compliant.

Sandra: Exactly, exactly. I couldn’t have said it better myself. But there’s also a lot of things you can do. So you’ve got a customer saying in a very standard MSA, we want these attestations, where you can go back and say, “Well, we don’t do these because we’re not ready for that yet. But we do have all these controls in place. We do have all this policy. We’re just not ready for third party attestation yet. We have some areas we need to improve on.” And as long as it meets the risk profile of the customer, it actually won’t block business.

Mohamed: OK. Are there certain sets of compliance or these laws and frameworks that are low hanging fruit that are easy to implement that enable you to be in more markets than one, or is it specific to certain industries?

Sandra: Everything overlaps to a degree, right? There’s always some outlier things, which is why I say compliance can be a bit of a messy web. You’ve got PIPEDA that has all of its principles, that’s the Canadian federal privacy law. You’ve got all the provincial privacy laws underneath that. And then you’ve got the European privacy law, and then you’ve got HIPAA and then you’ve got the CCPA. It can get out of control, but they do all layer and overlap.
So from a security point of view, SOC 2 is a really good entry point because it maps to a framework that’s called COSO. It’s very corporate governance. We won’t go into it. All of these principles set out in COSO can help you satisfy these laws. ISO maps to these principles. SOX, if you want your company to float one day on the US Stock Exchange, you need SOX compliance, and that’s a lot of this as well. But they all overlap. So if you want entry level, so you can be really risk based, you can still move fast with your product because you’re a startup. Maybe you’re flying a little bit loose, but you’ve accepted that risk and you’re still adhering to the intent of the principles; that is going to be a really great place to start.

Mohamed: Excellent. I mean, from a marketing perspective on my side, you know, we deal with either GDPR or in Quebec, here, we have Law 25, and in California, there’s another privacy law in terms of like marketing campaigns and how do you, you know, how do you communicate and how do you collect data and tracking information and all of that. But that always can feel like a bit of a doozy to kind of, one, explain it to people and why it’s needed. And just people’s experiences on the web, as people travel around, they don’t always see the same safeguards, and they question it quite a bit. But it’s very important in a lot of senses, especially depending on where you’re going to be selling your product or marketing yourself out to.

Sandra: So I was going to say, sure, it’s never fun, right? Like this is law, but you don’t have to make it really dull and intrusive at the same time, right? It’s hard to get into, but you do what you can with it.

Mohamed: You know, it’s an uphill battle sometimes with these compliances, and they change quite a bit, but they’re fairly stable in most cases. They don’t really change very much. You know, for years there was not many changes.

Sandra: I remember way back in the day when GDPR came out. Sorry, that makes me ashamed of my age, when GDPR came out and was implemented and how everyone was losing their minds about it. But actually it wasn’t difficult because it’s just basic principles of protecting people’s data, protecting people’s rights. But I’m from the UK and we had very strict data protection laws and actually a lot of the battle with GDPR is that the UK wanted more uplift in GDPR because it was less than the rules we had in place. But yeah, going back in the day, I remember it being like, whoa, this is crazy, but actually, the way you want to think about it is if you’re just doing good business, and it’s just the way you work and it’s how you would want your data to be handled, you’re actually not going to go far wrong.

Mohamed: It kinda goes against the whole move fast and break things kind of thing. It kinda stops you from doing that even though people have really.

Sandra: I mean, sometimes you can still. I don’t ever like to say it will stop you moving fast. You just need to have the right protections in place. So if you want to go ahead and break things and do things, do it in a safe environment, right? Don’t perhaps use live customer data because you wouldn’t want your data used to go and try and break things in a really unsecure environment. You know, like there’s always a degree of sensibleness, but when people get it in their processes and it’s just become how they work, it doesn’t actually slow them down at all. A lot of it is a mental barrier saying this is going to slow me down, this is going to make my life harder.

Mohamed: So, no conversation can be a conversation these days without including or mentioning AI and, you know, how does AI in this whole space, how does it affect it? How do people navigate their compliance when it comes to model sharing information, data? How do you keep your data secure? Like, what have you seen out there around this that might change the game or, you know, push people forward into a weird direction?

Sandra: I mean, what I’ve seen is truly horrifying sometimes. And what people are doing. Like AI is wonderful, right? I love AI. I use AI. I encourage people to use AI. In fact, almost why are people talking about it? It should be assumed that it’s part of the product in your daily life now. That’s kind of where I am. But from a product development or the founder’s point of view. Sometimes I’ve just seen everyone has forgotten their data handling requirements. Like they were doing everything right before with their data handling and data management, and then suddenly AI came about and there was customer data being thrown everywhere and you’re just like, wow, everyone has just forgotten. And when you use AI apps, make sure you have the right privacy clauses, make sure you have the right extensions that you need for your business, make sure that the learning models or the models aren’t learning from your data. You want to make sure that your data is still protected like any other vendor, and if you’re pushing AI you need to make sure that you’re doing the same things to protect your client’s data. It’s a lot about data handling, but there are new AI regs that are now in Europe and it just reinforces good and proper data handling and transparency. Again, a lot of people are losing their minds about it, but it’s not outrageous, really.

Mohamed: OK, yeah, I mean, yeah, there’s so much going on out there with how to build an app with AI and people are just diving into it headfirst. And, I’m always curious how do people manage these data privacy measures, without giving out too much to the LLM or the model in itself to train without training on real-world, well, people’s data, but making sure that they train the models correctly to get the outcome that they’re looking for.

Sandra: I mean, it’s kind of terrifying really. I mean, every time I’m now looking at the App Store or I’m doing third party risk management and reviewing what we’re trying to bring in, I’m looking at like, what is this app? What is its history? Sure, it doesn’t need every certificate out there, but like what the hell is this? Does it even have the features we need? Because there’s so much garbage out there, right, and it’s just so easy to do. But does it actually fulfil your needs? Like, sure, it can be a great product, and maybe you need to work with these people to get it in a way that you need it to work. That’s always an option. You do that, you’re going to do that yourself with some clients. But yeah, how easy it is just to get an app on the App Store and do all of this. It’s kind of terrifying, really. You’re not going to go global until you do something different.

Mohamed: I heard it was notoriously hard or notoriously inconsistent to get your stuff in the App Store, and sometimes you wonder about the things that get through, but at the same time, you’re seeing things that shouldn’t be there because of how they handle things.

Sandra: Or, not that they shouldn’t be there, let’s rephrase it, they don’t meet the needs of the business that I’m working for at the time, right, because different businesses have different requirements. When I’m doing medical device stuff, super strict on who we’re going to allow to touch any data, right? Like we have to be. If it’s just, I say just, like sales outreach information, sure it’s still personal information, but it’s more business contact, the risk of harm to the individual is very low, then maybe we won’t care so much. But it’s always proportionate.

Mohamed: OK. So what are you working on these days? What’s your, what’s keeping you up at night around compliance?

Sandra: I mean, everything keeps me up at night. But actually it’s not compliance that helps me sleep. No, what I find I’m doing, I mean, I’m working full time with Clinia right now.
And that’s a medical device company. And it’s a really wonderful company to work for. They’re moving really fast, but they’re also in a regulated space. So it’s intense, but I’m loving it, absolutely loving it. And I’ve also been doing some work with a company called Myo One. They’re a physical medical device and app as well, but it’s mostly privacy, SOC 2, AI regs, and then industry specific stuff.

Mohamed: So you got your work cut out for you. That’s quite a regulated sector there.

Sandra: I’m a busy woman, but I love it. It’s what I live for, right? I’m super passionate about compliance and I really wish people loved it as much as I do because it can really get your gears going. I like to say I throw in thought grenades to really make people’s gears go. So it can be fun.

Mohamed: I like that, thought grenades. I’m going to steal that from you. One thing before we wrap up, you call yourself the overlord. Where does that come from?

Sandra: I was working for a company called Wrk. They are an AI and automation company. They’re absolutely wonderful. You should check them out if you’re looking for automating stuff. I don’t get paid to say that. I just give people good products, right? But David Li, I used to report to him when I was a compliance officer and he is one of the founders and has many hats. He started calling me the overlord. And it just stuck from there. But he also says that it’s not the worst experience he’s ever had when it’s compliance with me. So that’s like a huge compliment when it comes to compliance, right? It’s usually a crappy experience.

Mohamed: I mean if you make this whole thing easier for people, that’s great. It’s about being flexible as well. And if people wanted to connect with you or find you online, where would they do that? Obviously you’re on LinkedIn.

Sandra: I am on LinkedIn. I’m not a huge social media user, but I do use LinkedIn, and you can also email me, Sandra at londonmarketconsulting.com.

Mohamed: Amazing. Well, we are at time. It was an absolute pleasure talking to you today about compliance and its strategic advantage. I think this is a very important conversation that people should have early on and make sure that they get the groundwork set up for future growth. As you mentioned, it can really be a business enabler and something that could propel you globally and put you in an enterprise in different markets. And, yeah, it was absolutely fantastic chatting to you today. Thank you so much for being on the webinar, and I look forward to hopefully having you again next time.

Sandra: It was wonderful. Thank you so much.