If you operate in a regulated industry, or have customers or partners who do, being compliant is non-negotiable. If regulatory requirements mandate compliance, you’ll be required to produce certain evidence in order to be certifiably compliant. And in order for many customers to do business with you, you need to be able to demonstrate how you’re compliant.

But before you jump right in, there are a few questions you should be asking yourself and your customers or partners. These are designed to clarify their expectations and help to scope out their compliance requirements. Becoming compliant is a large undertaking, so knowing where to start is just as important as knowing where to end. That’s why understanding exactly what your customers or partners require of you can help to narrow the scope and keep your team focused on the right compliance initiatives.

Based on conversations we’ve had with customers, here are five clarifying questions to ask yourselves internally when a customer or prospect inquires about compliance.

1. What are they asking for?

Let’s say a prospective customer’s asks that you be SOC compliant in order to do business together. The first step in the process is to understand if they require SOC I or SOC 2. After all, you don’t want to spend time becoming SOC I and SOC 2 compliant when both aren’t necessary.

Then, you’ll want to understand what services or applications need to be compliant. If the customer is only using one of the services you offer, and their data will be stored and processed on just a select few servers, that may narrow down the scope a great deal.

2. Why are they asking for it?

Next, it’s important to understand the drivers behind their request. Are they asking you to be HIPAA compliant because they’re a healthcare organization that, legally, can only do business with companies who have demonstrated HIPAA compliance? Or will they be storing customer PHI and it’s their customers who require that any service the company use be HIPAA compliant? The answers to these questions may indicate that compliance is not negotiable in order to do business with them.

If you determine that the value of closing business with this prospect, and many more down the road, is worth the cost of becoming compliant, then it’s a good idea to get on the horse now.

On the other hand, you might find that the prospect is in a tangential industry to healthcare, and working with HIPAA-compliant companies is only a nice-to-have, but not a requirement. If this is the case, you may be able to find a way to close the deal without being HIPAA compliant right away, with the understanding that, in a certain timeframe, you will become compliant. This way, you can more strategically plan for the compliance project rather than rush to complete it when new business is on the line.

3. How are they asking for it?

The way in which a prospect or partner asks about compliance can tell you a lot about how urgent the matter is and how not having it may or may not hinder the deal.

Pay attention to the following signals:

  • Was compliance the first thing they asked for, or was it inquired about later on as an afterthought?
  • Did they send in a formal request, perhaps even via an outside agency they hired, or is their security or IT team asking for it?
  • Are they explaining the business driver behind the need for compliance (e.g., regulated industry, sensitive data)?
  • Do they require all vendors and partners to be compliant before doing business?

Depending on their answers and the signals you pick up, you can start to understand how critical compliance is to the deal. Especially if you’re in a competitive market, you don’t have a lot of time to waste before you’ll lose the prospect or partnership to another company that is already compliant. That’s why you should try to foresee the need for compliance as early as possible, and if a customer request does come in before that time, find out if it’s truly a requirement in order to do business, or if there is an agreement you can come to in the meantime.

4. When are they asking for it?

Unfortunately, the first time many companies realize they need to become compliant is when an RFP (request for proposal) is right in front of them from a big potential customer or partner. And oftentimes, companies are asking to see a demonstration of compliance within 30, 60, or 90 days, according to Ryan Buckner, Principal at Schellman & Company, who we co-hosted a webinar with recently. It’s very difficult to commit to compliance when you’re trying to win business, but it’s always a good idea to find out how much time you have.

While we can’t recommend enough the importance of becoming compliant before it’s on top of you, sometimes that’s just not possible with other high-priority tasks on the table. So, knowing how much time you have when a prospect is asking can give insight into whether it’s even feasible to close the deal at this point in time. If it’s not, then as much as you can, nurture that relationship so that when you do become compliant, the door may still be open to do business.

5. Who are they asking?

Invariably, most of the individuals within your company who will be asked to demonstrate compliance are either IT directors or compliance personnel. But often, it’s the sales person who first receives the question as part of a vendor assessment form early on in the sales cycle.

This is why it’s important that your front-line folks, namely sales and marketing, have a foundational understanding of what compliance is, why it matters, and how your organization meets any or all requirements. Arming them with a post like this one to help them ask the right questions early on can help them move the prospect along until it comes time to have a technical conversation with your IT or security team.

Keeping a close-knit relationship between technical team members and those who will be communicating about your organization’s compliance is critical. The better prepared they are, the smoother the sales process will be.

Adopt a Continuous Compliance Mindset

Compliance is an ongoing project, not a point-in-time task that you can handle and then forget. If you’re in a regulated industry, or work with companies that are, you will need to continuously verify that compliance controls and processes are being met. And as your business grows and evolves, you will likely go through various audits and compliance projects, from HIPAA to SOC to PCI-DSS and more. The key to doing this without driving yourself and your team up a tree is finding technologies and processes that help you to address a broad range of compliance requirements at once. It’s also important to have tools in place that alert you in real-time when anything is misconfigured or compromised that could jeopardize your current compliance posture.