Compliance Saturdays: The Unsexy Truth About Running a Data Company in 2026

32 evidence pieces. 5 incidents. 10 risks. 6 registries. This is what compliance actually looks like.

Dieter Herbst

CEO & Founder

Compliance, Data Security, Leadership, Governance

It’s Saturday. 8am.

I’m not writing strategy. I’m reviewing our incident registry. Cross-referencing SHA-256 hashes on evidence files. Updating action items from last week’s risk assessment.

This is what compliance actually looks like.

Not frameworks on slides. Not certification logos on websites. Methodical, repetitive, unglamorous work.

I run Herbst Group. We handle sensitive pharmaceutical client data. Work with AI systems. Operate across multiple jurisdictions.

Compliance isn’t a nice-to-have. It’s the foundation everything else sits on.

I’m not writing this to explain why compliance matters. If you’re running a data company in 2026, you already know. I’m writing this to show what it actually takes.

January 2026. The Real Count.

  • 32 evidence pieces, SHA-256 verified
  • 5 incidents closed, each with full root cause analysis
  • 10 risks tracked: 6 high, 4 medium
  • +22% Azure Secure Score increase this month

Evidence and Documentation

32 pieces of evidence logged this month. Each with SHA-256 hash verification for integrity.

6 master registries maintained: Incidents, Evidence, Risk, Actions, Communications, Policies.

16 active policies govern our operations. 6 global. 9 domain-specific. 1 project-specific.

12 critical controls defined with zero-exception enforcement.
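The SHA-256 verification mentioned above, as an added example that is not Herbst Group's own tooling: an append-only evidence registry that records each file's hash and a UTC timestamp at logging time, and a Saturday-morning check that recomputes every hash and reports entries whose file has changed or disappeared. The registry layout (id, path, sha256, recorded_at, note) and the evidence ids are assumptions made for the example.

```python
import hashlib
import tempfile
from datetime import datetime, timezone
from pathlib import Path

CHUNK = 1 << 20  # hash in 1 MiB chunks so large evidence files never sit fully in memory

def sha256_file(path: Path) -> str:
    """Hex SHA-256 digest of a file's contents."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()

def register_evidence(registry: dict, evidence_id: str, path: Path, note: str) -> dict:
    """Log one evidence file with its hash at logging time and a UTC timestamp.
    An id can be registered only once: changes are logged as a new id, never by editing."""
    if evidence_id in registry:
        raise ValueError(f"{evidence_id} already registered; log a new id instead")
    registry[evidence_id] = {
        "path": str(path),
        "sha256": sha256_file(path),
        "recorded_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "note": note,
    }
    return registry[evidence_id]

def verify_registry(registry: dict) -> dict:
    """Recompute every hash; classify each entry as 'ok', 'mismatch' (file changed
    since logging) or 'missing' (file gone). The report can itself be filed as evidence."""
    report = {}
    for evidence_id, entry in registry.items():
        p = Path(entry["path"])
        if not p.is_file():
            report[evidence_id] = "missing"
        elif sha256_file(p) != entry["sha256"]:
            report[evidence_id] = "mismatch"
        else:
            report[evidence_id] = "ok"
    return report

if __name__ == "__main__":
    # Constructed sample: one evidence file, silently edited after it was logged.
    root = Path(tempfile.mkdtemp())
    (root / "mfa-report.csv").write_bytes(b"user,mfa\nalice,yes\n")
    reg = {}
    register_evidence(reg, "EV-2026-001", root / "mfa-report.csv", "constructed sample")
    (root / "mfa-report.csv").write_bytes(b"user,mfa\nalice,no\n")  # post-logging change
    print(verify_registry(reg))  # {'EV-2026-001': 'mismatch'}
```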

Incident Response

5 incidents managed and closed. 1 critical. 2 high. 2 medium.

Each one documented through detection, containment, eradication, recovery, lessons learned. Each one with root cause analysis. Each one producing evidence that can be audited.

Risk Management

10 risks identified this month. 4 closed through treatment. 4 remain open and monitored. 1 under active mitigation. 1 formally accepted with documented rationale.

6 high-severity. 4 medium.

Every single one tracked in our risk register with treatment decisions recorded.

Infrastructure Security

Azure Secure Score: 22% increase this month. 10 specific issues identified and remediated.

69,704 IPS threat signatures deployed across our infrastructure.

100% MFA compliance achieved.

External attack surface audit: passed with minimal exposure.

Vendor Verification

26-item evidence chain for our primary AI vendor, Anthropic. Verified their ISO 27001 certification. Reviewed their Data Processing Agreement, Standard Contractual Clauses, Terms of Service, Privacy Policy, Usage Policies.

Documented 13 authorised subprocessors.

The Cost

Let me be direct.

Tools. Security platforms. Compliance management systems. Evidence storage with integrity verification. Logging infrastructure. Monitoring dashboards.

Time. Hours every week. Not occasionally. Every week. Saturdays when things slip. Late nights when incidents occur.

Discipline. The most expensive cost.

Doing the documentation when you’d rather ship features. Updating the registry when you’d rather close the laptop. Following the process when shortcuts are tempting.

7 compliance deadlines in February alone. Penetration test due April. ISO 27001 80% target by June. POPIA 100% compliance by June.

This isn’t a project. It’s an operating model.

“When a client exercises their right to audit, you’ll either have the evidence or you won’t.”

The only question that matters.

Why It Matters

Here’s the moment that clarifies everything.

We have two active client compliance tracks right now. Both contracts include 24-hour breach notification requirements. Both have right-to-audit clauses.

When a client exercises that right to audit, and they will, they will ask to see:

  • Our incident response records
  • Our vendor verification chain
  • Our risk treatment decisions
  • Our evidence of control effectiveness

You will either produce that evidence or you won’t.

No middle ground. No “we’re working on it.” No “we follow best practices.”

Either the evidence exists, with integrity verification, with timestamps, with audit trails. Or it doesn’t.

This is the only moment that matters. Everything else is preparation.

For Founders Starting Data Companies

Start Day One

Not after your Series A. Not when you hire a compliance person. Not when a client demands it. The structure costs almost nothing when you’re small. It costs everything when you’re not.

The reason is simple. Retrofitting compliance into a growing company is exponentially harder than building it in from the start.

Every system you build without audit trails will need to be rebuilt. Every process you establish without documentation will need to be re-established. Every vendor you onboard without verification will need to be re-verified.

Build the registries first. Before you have incidents, create the incident registry. Before you have risks, create the risk register. Before you have policies, create the policy framework.

Document decisions, not just outcomes. Why did you accept that risk? Why did you choose that vendor? Why did you implement that control?

The decision rationale is often more important than the decision itself.

Assume you will be audited. Because you will be. By clients. By regulators. By partners. By acquirers.

Operate as if every action you take will need to be explained and evidenced to a sceptical third party.

The Unsexy Truth

I wish I could tell you there’s a shortcut. A framework that makes this easy. A tool that handles it automatically. A consultant who takes it off your plate.

There isn’t.

Compliance in 2026 is expensive, exhausting, and endless. It’s Saturday mornings reviewing hashes. It’s late nights closing incident tickets. It’s the discipline to document when you’d rather ship.

But when that audit request arrives, you’ll either have the evidence or you won’t.

That’s the only thing that matters.
What does compliance actually look like in your organisation? I’m curious what you’ve built.

Written by Dieter Herbst

CEO & Founder at Herbst Group. Working with pharmaceutical commercial leaders across South Africa, Kenya, and Brazil to transform sales force effectiveness through evidence-based approaches.
