Moving Toward Internet Compliance
To ensure the quality and integrity of the information it supplies, the corporate enterprise has a growing need to develop processes, along with associated policies and guidelines, to aid in the distribution of information over the Internet.
Why focus your attention on Internet compliance?
There are a number of reasons to address information delivery over the Net: reputation; violation of credo, principles and ethics; advertising compliance; and privacy violations that could lead to lawsuits.
Corporations have a responsibility to provide leadership for the development of effective programs and processes that improve the quality, compliance and integrity of their websites and the information they deliver.
With a defined quality compliance process you can reduce risks, reduce costs to implement, experience a better return on investment, and reduce time to deploy websites.
These processes and guidelines also ensure the corporate legal, regulatory and credo standards are enforced.
Innovative companies are creating a corporate function to research the legal, regulatory, advertising and marketing components of information being distributed over the Net, an Internet Compliance Office, if you will.
This office is responsible for the collection and distribution of policies, procedures and guidelines that govern Internet compliant websites as well as the processes to stay in compliance.
Companies are also establishing compliance teams that consist of Internet compliance authorities, subject matter experts, and technical liaisons trained in the policies and guidelines that govern Internet compliance. These teams are involved in writing standard operating procedures for content approval, document closure and obtaining corporate approval.
They are also responsible for managing the auditing and monitoring of corporate websites to ensure they continue to meet compliance standards.
Internet compliance methodologies are also being developed to define the development of compliant websites. These, in essence, are mini system development lifecycles that outline the lifespan of an Internet site from conception to retirement.
The steps for establishing a compliance environment include:
The following is an example of a seven stage process for developing a compliant Internet website:
Web Site Conception
In this stage of the process the organization has initiated the potential development of a website to meet a business need. A business case is developed to define the site objectives, the site's target audience and the site's intended function.
A site owner should also be identified and metrics established to measure the success of the site. The site owner should also identify the potential site developer(s) and the potential site host(s).
Once a business case is developed and a decision is made to move forward with the site, the owner is responsible for registering the domain name through the proper channels within the organization.
He or she is also responsible for providing the site developer and host with the compliance policies, guidelines and procedures established to develop a compliant Internet website.
Access & Apply Policies
Domain name registration should adhere to an established corporate policy and procedure. In this stage of the process the Internet compliance owner registers the domain name(s) following the established procedures.
Copyright and protection of site images must be reviewed to ensure the website design will comply with their use. Legal notice(s), company name and logo use policies should also be reviewed to ensure they are properly incorporated on the site.
Corporate product and service trademark policies must be addressed to ensure appropriate use. A statement of responsibility to clearly identify the legal site owner is used when applicable.
Privacy and personally identifiable information (PII) must also be addressed in this stage of website development. There are several forms of sensitive information that may be collected or distributed via an Internet site: PII (via email), information from children under the age of 13, employee ID information, etc. Financial transactions and medical information are good examples of sensitive information.
Email communications should be reviewed and approved in accordance with local and, if applicable, regional content review procedures including legal departments for all countries involved.
Linking and framing policies guiding the linking to acceptable sites must be applied to the new website. The use of framing technology to third-party websites, linking disclaimers and links to blogs must also be reviewed in this stage of the process.
Any potentially patentable inventions or ideas described on or collected by the website must be reviewed by a local operating company patent attorney. Web content designers must also ensure that all product-related content is compliant with any applicable product registration requirements and the promotional and advertising requirements set by the locale's ministry.
A geographic disclaimer template may be required to ensure that the site is targeted to a country or countries where all content, including product information, applies.
The website developer and host must also confirm they are meeting information asset protection requirements. They must:
Resolve Design, Content & Technical Issues
A company's image must not be compromised. The credo principles a company has established and adheres to must not be violated due to content on websites. This applies to textual content, all other forms of static images, video and audio content and the presentation of content in context to other content.
A website review with consideration to its content should address key questions. Does the website:
Sensitive information, medical advice or consultation must be reviewed by the company's copy clearance team. In general, medical advice should not be given to consumers over the Net.
Web content must also be reviewed to determine if the site contains information that must meet corporate healthcare compliance requirements.
You may also consider:
You must obtain regulatory and advertising copy review for products and services sold over the Net. Internet sites must present information about products in a fair manner with an equal presentation of the benefits and risks of the product, especially if you are marketing children's products.
Products intended for children should:
Advertising products and/or services over the Net may be subject to a country's rules and regulations. Some countries require password protection for reimbursable product information. Disclaimer information may also be required for goods and services sold over the Net.
Credible references must be cited when making promotional claims. These references may be from journals, books and credible professional and/or government organizations.
In general, a corporate employee should not be identified by name or image on a website. If identifying an employee by name or image on a site, you must obtain consent in writing utilizing an employee consent and release form.
Once the site content and basic framework of the website is completed, the site content must be submitted to a local copy review. This process is similar to content review that is distributed to a designated receiving audience (i.e., print brochure content reviews).
Hosting and technical compliance requirements must also be addressed in accordance with the established network and computing services guidelines.
Review the company's recommended conventions for site hosting in a shared or dedicated infrastructure. Ensure the Web services provided are compatible with established network and computing services guidelines and procedures.
At the conclusion of this stage the major compliance components should be in place and the website prototype is ready for development.
The Internet site owner works with the site developer and the deployment teams to develop a site utilizing corporate infrastructure and application guidelines.
If using a third-party vendor, it is strongly advisable that third-party developers and/or server host locations use software and hardware platforms that would be easily transportable to an in-house environment. This facilitates an easier transfer, should the operating company decide to bring an existing production website in-house.
Hosting site technical security issues must be addressed to ensure compliance requirements are met. Legal issues surrounding any third-party development and/or hosting contracts must also be established and in place with the appropriate approvals and signoffs.
Websites should be developed utilizing corporate infrastructure and application guidelines. It is recommended that all websites comply with the guidelines set forth by corporate network and computing services.
The validation test verifies that the functional requirements of the site are performed as per specification in the original design.
A compliance validation plan and test results demonstrate that the final work product, including all site management and related database software and network components, works as it was designed and meets all corporate compliance standards.
The site functional requirements are inventoried and test scripts are developed to validate each function. The functional requirements are tested in accordance with the test plans and the test results are documented.
Testers should attempt to break the website. This includes entering incorrect data into any interactive features that should result in a notice that points out the error to the end user and provides guidance on entering data correctly.
At this stage the testing results are reviewed and approved to ensure that the site meets the design and functional requirements defined.
Document Compliance Closure
After validation testing has successfully been completed, final site compliance closure reviews are conducted and appropriate local approvals are obtained. The local marketing organization will review the site for brand content.
The local operating company will have their regulatory affairs and a corporate attorney review the site for regulated content and legal compliance. The local Internet compliance authority will also perform a review of the site to ensure site administration and overall compliance is in place.
Local technical, privacy and security representatives perform a review to ensure hosting, technical security and privacy compliance is met for the site and associated databases.
Local marketing approval on site ensures all content and functionality is reviewed. Local regulatory and legal approval on site ensures that local operating company written approvals are obtained from the Regulatory Department and the corporate attorney.
Internet compliance authority approval ensures the corporate Internet compliance policies, guidelines and procedures are met. Local technical, privacy and security approval ensures protected access to the corporate site via a secure network and the site is compliant with corporate privacy standards.
Site Deployment and Monitoring
In the last stage of the process you must ensure the site is deployed with supporting documentation, that monitoring procedures are established and that the website is properly maintained.
Periodic site monitoring should be conducted by key operating company personnel and success measures compiled and reviewed. The use of software monitoring tools is recommended to check the site's performance.
An ongoing monitoring plan should be established to periodically revisit the site to ensure that the site, as well as its links, remains compliant.
By developing policies, guidelines and procedures and applying them in the design and development of a corporate website, the corporate enterprise is now moving toward Internet compliance. Through testing and reviews, the company ensures compliance closure. Compliance continuity is reinforced by on-going monitoring and maintenance after the website is deployed.
Innovative corporations are now adopting Internet compliance as a best practice to ensure they safeguard their Internet connection for the future.
Tony Rundella is a consultant with Delta Corporate Services, a business and technology consulting organization servicing the federal government and Fortune-level companies throughout the United States.