by antonvs 4 days ago
> IT. They tend to over-interpret regulation, and super-restrict beyond what is needed for actual de-facto compliance.

This is such a nonsensical claim. If a company is asking someone from IT to read the regulations and implement them, then obviously you’re going to get something that conforms to the written specification they were provided.

But a company that does that is basically delegating both compliance and legal functions to IT. No sane company does that.

4 comments

> But a company that does that is basically delegating both compliance and legal functions to IT. No sane company does that.

I was a Software Dev in a small (but fully regulated and licensed) stock exchange. We used to have guidance from legal experts, market experts, and traders, but in the last project I worked on, they just dumped 300 pages of laws and regulations on my desk and asked me what needed to be done. Why? Because the experts we used to have were either fired or left. Along with any product managers. I guess company leadership thought they were no longer needed.

Insane is right. I told them that this is not how it is supposed to work. I can't tell them what needs to be done. I am not a legal expert who can just interpret these regulations.

I was forced out of the company after that, but honestly, no one would want to work in such an environment anyway.

> But a company that does that is basically delegating both compliance and legal functions to IT

This actually happens scarily often, especially in smaller companies. No F500 is doing this, but there are tons of "mid market" sized non-tech companies (think 80 to 150 employees in size) that basically rely on the IT department of 1 or 2 people, or an MSSP for pretty much everything. No legal team, maybe an attorney they consult with once or twice a year if you're lucky.

That's actually pretty important. If you're an eng doing compliance work and you don't have legal counsel working side by side with you, you might be setting yourself up for legal troubles down the line. I'm glad I can always rely on legal to do their job here when doing this kind of work; I wouldn't want to do work like this just out of my ass.

Perfect IT response.

Regulations are written ambiguously, and the specifications do not match the industry.

I have even seen regulators refuse to follow specific legislated laws because "that's not what the government meant", giving a company the choice of following the law and being fined, or breaking the law to please the regulatory agency.

Regulators don't want to provide arbitrary detail about their interpretation or likely judgements on issues that may come up, for many reasons, good and bad.

One good one is that providing concrete razors for compliant and non-compliant behavior accelerates the gaming of the rules.