
GDPRs, and PCI-DSSs, and HIPAAs, oh my: Untangling Compliance So You Don’t Get Scared

All software will fall under some compliance standard from HIPAA for health care information to PCI for credit card information, from GDPR for privacy in some countries and states to SOX for publicly traded companies. As software developers, product managers, and quality engineers we have an outsized influence on the ability of a company to maintain compliance and meet standards.
However, compliance standards can be confusing, contradictory, and scary. Every day we make decisions, from data storage to data security, from form validation to walking away from an unlocked computer, that impact the compliance of our software and our company. When should we talk to a compliance officer? What is the right balance between data security and user control that we should maintain? How do I even know whether any of these standards apply? Join this talk to learn the basics of compliance.
Key takeaways of this session are:
* High-level understanding of the most common compliance standards
* What responsibilities you have as an employee and as someone building software
* What to do when compliance requirements are contradictory
* What is involved in various compliance audits and what to do if you think you are out of compliance
* When to talk to your compliance officer, HR, or security team and what to do if your organization doesn't have one of those

As a product person, I have worked with teams to build software that required compliance with GDPR, SOC2, HIPAA, and PCI-DSS. I have worked in companies with a security team and a trained compliance officer and startups with none of these support structures. I have written compliance handbooks and gone through compliance officer training. Too often I have been in conversations where teams are debating different standards with little understanding of what they actually mean and how to get clear guidance on what is the right thing to do.

Jennie Ocken

Product Leader

Cedar Rapids, Iowa, United States
