At the beginning of the year I joined the many other well-intentioned people who made a New Year’s resolution to get in better shape. In support of this resolution, my Christmas presents to myself included a fitness-tracking wristwatch and a nutrition-tracking smartphone app.

Counting steps and calories has been an interesting experience for me over the last few months. For starters, it was a challenge to identify realistic goals. How much weight do I want to lose? What’s the right balance of diet and exercise? When should I set my milestones? What penalty or corrective action should I enforce on myself for failing to reach those milestones? And perhaps most important, how was I going to measure the effectiveness of my efforts?

My journey to better personal health made me contemplate its comparisons to data compliance. How do you identify which data is subject to protection? What’s the right balance of restriction and access? What penalty or corrective action should be enforced for noncompliance? And perhaps most important, how do you measure the effectiveness of these efforts?

Compliance dashboards and alerts, like the ones on my watch and smartphone, are an essential element. Every time sensitive data is accessed, certain information should be recorded and reported – including when it was accessed, for how long, and by whom. Verifying this log against user permissions related to sensitive data access can identify compliance violations, which will be necessary to comply with external regulations such as the EU General Data Protection Regulation (GDPR).

But even when your organization is compliant with external regulations, the effectiveness of efforts must also be measured against internal standards. And this is not as well-defined.

There are also other issues to consider. My watch counts my steps – the steps I take while wearing the watch. My app counts my calories – the calories of the food I manually enter. My point is that there will always be lapses and loopholes. Lapses in personal responsibility will lead to some sensitive data being accessed without being reported. Loopholes in systems will lead to some sensitive data being accessed without being logged.

Not only does measuring the effectiveness of your efforts have to go beyond whether or not regulatory fines were levied by an external authority – corrective action for noncompliance with internal standards has to be considered as well. When I cheat on my new diet and exercise resolution, I can cut desserts from my menu and double-up on missed steps for a week (or longer). Data noncompliance has to be addressed with a different kind of training and restriction. Employees need to be educated about how to identify and properly handle sensitive data. And systems need to be reviewed to ensure only authorized access is being granted to sensitive data.