5 things to plan for when developing software in a regulated sector.

May 14, 2018



Technology Director

Product development can take a very different shape depending on the industry you are developing for. Finance and health are highly regulated, and projects in those sectors become less about the development itself and more about navigating the processes required to release within a regulated environment. That doesn't mean they have to be any less effective, or delivered any less quickly, provided you take these 5 areas into account when planning and scoping the project.

1. Onboarding

This is mostly relevant if you are using external teams or new staff to do the heavy lifting to get the project live. A regulated environment will often require development on-site, both for access to various systems and for open communication with key individuals inside the walls of your business. Preparing for this involves more than a desk: new staff also need to complete compliance training, be issued the right tools (hardware and software), and pass background checks. If these tasks are not accounted for in the plan, they can delay the 'real' start of a project by weeks.

2. Compliance

Get them involved early! The last thing you want to do is develop your proposition and then have legal and compliance teams strip out half of your functionality in order to meet legislative requirements. Discuss the idea with them from the earliest stages, and ensure they are a part of requirements scoping and messaging within the product. This will definitely help ease the journey to comply.

3. Data integrity

Backup/Archive/Persist. If any transactional or personal data is involved, you will likely need to be able to tell the full story of how that data came to be in its current state for up to 7 years. This can create quite a large dataset, so think about how it will be persisted. Will it be a cold backup? Does it need to remain queryable for the whole 7 years? Where are the logs being persisted? Most organisations will already have a process for most of this, but make sure it is thought about, documented, and understood.

4. GDPR

If you're reading this, you're probably the type of person who has spent many nights thinking about GDPR and making sure compliance is built into your current projects. I'm not going to write about it again; just read Anders' GDPR blog if you want more info, and make sure you add requirements to cover the relevant features!

5. Risk & Security reviews

This likely goes for every sector, but regulated sectors are the most diligent about making risk and security reviews a core part of their delivery process. Make time for these reviews, and for penetration testing. Work with the risk and security team during the design phase: they will provide great value and insight, and their review will give you confidence that your product and approach are moving in the right direction.

These are not always the points you immediately think about when planning your project, but if you make sure they are not neglected, you are well on your way to delivering a successful digital product within a regulated sector, on time and on budget.