Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance brings to you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee, and listen in to the Daily Compliance News. All, from the Compliance Podcast Network. Each day we consider four stories from the business world, compliance, ethics, risk management, leadership, or general interest for the compliance professional.
Author: admin
The award winning, Compliance into the Weeds is the only weekly podcast which takes a deep dive into a compliance related topic, literally going into the weeds to more fully explore a subject. Looking for some hard-hitting insights on sanctions compliance? Look no further than Compliance into the Weeds!
In this episode, Tom and Matt consider the recent pronouncements from the SEC regarding risk assessments together with control environments and all this played out in the Plug Power enforcement action. The importance of risk assessments and a strong control environment in companies cannot be overstated. These elements are crucial for effective internal controls and proper financial reporting, as emphasized by the SEC’s chief accountant, Paul Munter. In this episode Tom and Matt underscore the need for thorough evaluation of potential pitfalls in risk assessments, citing insufficient personnel, changes in board or management composition, and hasty adoption of new strategies or technologies as potential triggers for flawed assessments.
They highlight the significance of small control failures and entity-level failures, such as weaknesses in IT controls, as indicators of a weak control environment.. Join Tom Fox and Matt Kelly as they delve deeper into the topic of risk assessment in the latest episode of the Compliance into the Weeds podcast.
Key Highlights:
· Munter’s statement
· Enhancing Control Environment through Risk Assessments
· The Importance of Risk Assessments and Controls
· Attracting and Retaining Competent Individuals
· Flaws in Risk Assessment Beyond Insufficient Personnel
· Lessons Learned
Resources:
Matt in LinkedIn
Matt blogged twice on these issues. A report on Munter’s statements here and on the Plug Power enforcement action here
Tom
Categories
AI and GDPR
Artificial Intelligence (AI) has revolutionized various industries, but with great power comes great responsibility. Regulators in the European Union (EU) are taking a proactive approach to address compliance and data protection issues surrounding AI and generative AI. Recent cases, such as Google’s AI tool, Bard, being temporarily suspended in the EU, have highlighted the urgent need for regulation in this rapidly evolving field. I recently had the opportunity to visit with GDPR maven Jonathan Armstrong on this topic. In this blog post, we will delve into our conversations about some of the key concerns raised about data and privacy in generative AI, the importance of transparency and consent, and the potential legal and financial implications for organizations that fail to address these concerns.
One of the key issues in the AI landscape is obtaining informed consent from users. The recent scrutiny faced by video conferencing platform Zoom serves as a stark reminder of the importance of transparency and consent practices. While there has been no official investigation into Zoom’s compliance with informed consent requirements, the company has retracted its initial statements and is likely considering how to obtain consent from users.
It is essential to recognize that obtaining consent extends not only to those who host a Zoom call but also to those who are invited to join the call. Unfortunately, there has been no on-screen warning about consent when using Zoom, leaving users in the dark about the data practices involved. This lack of transparency can lead to significant legal and financial penalties, as over 70% of GDPR fines involve a lack of transparency by the data controller.
Generative AI heavily relies on large pools of data for training, which raises concerns about copyright infringement and the processing of individuals’ data without consent. For instance, Zoom’s plan to use recorded Zoom calls to train AI tools may violate GDPR’s requirement of informed consent. Similarly, Getty Images has expressed concerns about its copyrighted images being used without consent to train AI models.
Websites often explicitly prohibit scraping data for training AI models, emphasizing the need for organizations to respect copyright laws and privacy regulations. Regulators are rightfully concerned about AI processing individuals’ data without consent or knowledge, as well as the potential for inaccurate data processing. Accuracy is a key principle of GDPR, and organizations using AI must conduct thorough data protection impact assessments to ensure compliance.
Several recent cases demonstrate the regulatory focus on AI compliance and transparency. In Italy, rideshare and food delivery applications faced investigations and suspensions for their AI practices. Spain has examined the use of AI in recruitment processes, highlighting the importance of transparency in the selection process. Google’s Bard case, similar to the Facebook dating case, faced temporary suspension in the EU due to the lack of a mandatory data protection impact assessment (DPIA).
It is concerning that many big tech providers fail to engage with regulators or produce the required DPIA for their AI applications. This lack of compliance and transparency poses significant risks for organizations, not just in terms of financial penalties but also potential litigation risks in the hiring process.
To navigate the compliance and data protection challenges posed by AI, organizations must prioritize transparency, fairness, and lawful processing of data. Conducting a data protection impact assessment is crucial, especially when AI is used in Know Your Customer (KYC), due diligence, and job application processes. If risks cannot be resolved or remediated internally, it is advisable to consult regulators and include timings for such consultations in project timelines.
For individuals, it is essential to be aware of the terms and conditions associated with AI applications. In the United States, informed consent is often buried within lengthy terms and conditions, leading to a lack of understanding and awareness. By being vigilant and informed, individuals can better protect their privacy and data rights.
As AI continues to transform industries, compliance and data protection must remain at the forefront of technological advancements. Regulators in the EU are actively addressing the challenges posed by AI and generative AI, emphasizing the need for transparency, consent, and compliance with GDPR obligations. Organizations and individuals must prioritize data protection impact assessments, engage with regulators when necessary, and stay informed about the terms and conditions associated with AI applications. By doing so, we can harness the power of AI while safeguarding our privacy and ensuring ethical practices in this rapidly evolving field.
Welcome to the latest edition of the Compliance Podcast Network: Into the Chair: Tales from Chief Compliance Officers, which details the journey to and in the role of a Chief Compliance Officer. How does one come to sit in the CCO chair? What skills does a CCO need to navigate the compliance waters in any company successfully? What are some of the top challenges CCOs have faced and how did they meet them? These questions and many others will be explored in this new podcast series. Into the Chair: Tales from Chief Compliance Officers is a COMPLY podcast hosted by Tom Fox and is a production of the Compliance Podcast Network. In this inaugural episode, I visit with Maria D’Avanzo.
Maria D’Avanzo is a seasoned professional in the legal and compliance field, with a career that has spanned from litigation to estate work to compliance. Maria’s perspective on adaptability and continuous learning in legal and compliance roles is rooted in her own career trajectory, which has seen her successfully transition from being a litigator to opening her own law practice, and eventually becoming a compliance officer. She believes the key to success in these roles is the willingness to learn new skills and take on new challenges, even outside one’s comfort zone.
Maria also underscores the importance of transferable skills such as analytical and research abilities, critical thinking, and the capacity for advocacy and persuasion, which she honed as a trial lawyer and have been instrumental in her compliance career. Join Tom Fox and Maria D’Avanzo in this episode of the Into the Chair podcast as they delve deeper into the importance of adaptability and continuous learning in legal and compliance roles.
Key Highlights:
· Maria’s transformation into a compliance officer
· Navigating the Legal Field: Learning and Advocacy
· Advocacy skills and the value of compliance
· Navigating Compliance Challenges in Regulated and Non-Regulated Corporate Sectors
Resources:
Maria D’Avanzo on LinkedIn
Tom Fox
The written standard requirements have long been memorialized in the U.S. Sentencing Guidelines, which contain seven basic compliance elements that can be tailored to fit the needs and financial realities of any given organization. From these seven compliance elements, the DOJ has crafted its minimum best practices compliance program, which is now attached to every DPA and NPA issued. These requirements were incorporated into the 2012 FCPA Guidance and brought forward in the 2023 ECCP and FCPA Corporate Enforcement Policy. The U.S. Sentencing Guidelines assumes that every effective compliance and ethics program begins with a written standard of conduct; i.e., a Code of Conduct.
Following your Code of Conduct is written policies and procedures required for a best practices compliance program are well- known and long established. The role of compliance policies is to provide guidance and to protect companies, despite an occasional hick-up. Policies provide a basic set of guidelines for employees to follow. They can include general do’s and don’ts, work process flows, specific issue guidelines. By establishing what is and is not acceptable compliance behavior, a company can mitigate the compliance risks posed by employees who might make foolish decisions or otherwise engage in unethical behavior.
There are numerous reasons to put some serious work into your Code of Conduct, policies and procedures. They are certainly a first line of defense when the government comes knocking. This means the regulators will take a strong view against a company that does not have well thought out and articulated policies, procedures or Code of Conduct; all of which are systematically reviewed and updated. Written policies, signed by employees provide a vital layer of communication. Together with a signed acknowledgement, these documents can serve as evidentiary support if a future issue arises. In other words, the “Document, Document, Document” mantra applies just as strongly to this area of anti-corruption compliance.
Three key takeaways:
- A Code of Conduct, together with policies and procedures, have long been recognized as cornerstones of a best practices compliance policy.
- Each level of written standards builds upon one another, so consider this integration step.
- The Fair Process Doctrine applies to your written standards.
For more information, check out The Compliance Handbook, 4th edition, here.
Welcome to the award-winning The Hill Country Podcast. The Texas Hill Country is one of the most beautiful places on earth. In this podcast, Hill Country resident Tom Fox visits with the people and organizations that make this the most unique area of Texas. Join Tom as he explores the people, places, and activities of the Texas Hill Country. In this episode, Tom visits with Ry’lee Paxton about the Kerr County Youth Leadership Program or KAYLA.
KAYLA is an incredible organization that provides high schoolers in Kerr County with the opportunity to develop their leadership skills and gain exposure to the inner workings of their local community through the Leadership Academy and Youth Leadership Program. Through these programs, students learn important concepts like civic engagement and budgeting, as well as develop relationships with their peers and city officials. By attending the Academy, students gain an understanding of municipal government roles and responsibilities. Meanwhile, the Youth Leadership Program educates students on the importance of local job opportunities and building meaningful relationships. With KAYLA, young people can become successful leaders in their own community.
Key Highlights
· Youth Leadership in Kerrville and Kerr County
· City Budgeting
· Leadership Academy
· Kerr County Youth Leadership Program
Resources
Tom Fox
Are you struggling to keep up with the ever-changing compliance programs in your business? Look no further than the award-winning Data Driven Compliance podcast, hosted by Tom Fox, is a podcast featuring an in-depth conversation around the uses of data and data analytics in compliance programs. Data Driven Compliance is back with another exciting episode The intersection of law, compliance, and data is becoming increasingly important in the world of cross-border transactions and mergers and acquisitions.
In this podcast episode, Tom Fox and Julie Myers Wood, CEO at Guidepost Solutions take a deep dive into the intersection of compliance and generative AI and how this intersection will lead to more data driven compliance. Wood emphasizes the importance of understanding the various ways AI can impact a company, including internal use, sales, compliance tools, freelancers, and criminal exploitation. Compliance teams need to have a comprehensive inventory of the tools being used and understand the capabilities and limitations of AI to ensure compliance and mitigate risks.
They discussed the need for companies to be aware of the potential risks associated with AI and have clear policies and procedures in place to protect intellectual property. He also discusses the importance of employee retraining and thoughtful decision-making when integrating AI into business practices. Overall, the podcast provides valuable insights into the challenges and considerations of incorporating AI into compliance programs, emphasizing the need for compliance professionals to adapt and stay informed.
Highlights Include
· Key Considerations for Compliance and AI
· Importance of Inventorying Tools and Managing Risks
· AI and Intellectual Property Protection
· Challenges of Implementing AI
· AI and Compliance
Resources:
Julie Myers Wood on LinkedIn
Guidepost Solutions
Tom Fox
Connect with me on the following sites:
The cornerstone of any best practices compliance program is written protocols. This includes a Code of Conduct, policies and procedures. These elements have long been memorialized in the US Sentencing Guidelines; the Department Of Justice’s (DOJs) Opinion Releases regarding compliance programs, the 2012 FCPA Guidance, both DOJ and Securities and Exchange Commission (SEC) enforcement actions, the 2019 Guidance and FCPA Corporate Enforcement Policy.
There are three levels of standards and controls, Code of Conduct standards and policies and procedures. Every company should have a Code of Conduct that expresses its ethical principles. But a Code of Conduct is not enough. The Code of Conduct is implemented through your compliance policies. It is further operationalized through your compliance procedures. The DOJ spoke to their importance in the 2019 Guidance when it stated, “As a threshold matter, prosecutors should examine whether the company has a code of conduct that sets forth, among other things, the company’s commitment to full compliance with relevant Federal laws that is accessible and applicable to all company employees.” As a corollary, prosecutors should also assess whether the company has established policies and procedures that incorporate the culture of compliance into its day-to-day operations.
At the end of the 31 Days you will have a very detailed grounding on better written standards for your compliance program. You will be able to utilize the information presented to implement a more effective compliance program for your organization.
Three key takeaways:
- The cornerstone of any best practices compliance program is its written protocols.
- Written standards work to prevent, detect and remediate.
- What are the specific written protocols you should have in your compliance program?
For more information, check out The Compliance Handbook, 4th edition, here.
Welcome to the only roundtable podcast in compliance as we celebrate our second century of shows. In this episode, we have the quartet of Jay Rosen, Jonathan Armstrong, Matt Kelly and Karen Woody, with Tom Fox hosting on this episode of our fan fav Shout Outs and Rants section.
1. Matt Kelly rants about the US Federal Courts not allowing television cameras and says we need the Trump trials televised in federal courts.
2. Karen Woody shouts out to the Barbie movie.
3. Tom Fox shouts out to Megan Rapinoe for great professional career and her social activism while a member of the USWNT.
4. Jay Rosen shouts out SOCAR, the South Orange County Compliance and Ethics Roundtable.
5. Jonathan Armstrong shouts out Sgt. Graham Saville lost his life helping a person in distress.
The members of the Everything Compliance are:
• Jay Rosen– Jay is Vice President, Business Development Corporate Monitoring at Affiliated Monitors. Rosen can be reached at JRosen@affiliatedmonitors.com
• Karen Woody – One of the top academic experts on the SEC. Woody can be reached at kwoody@wlu.edu
• Matt Kelly – Founder and CEO of Radical Compliance. Kelly can be reached at mkelly@radicalcompliance.com
• Jonathan Armstrong –is our UK colleague, who is an experienced data privacy/data protection lawyer with Cordery in London. Armstrong can be reached at jonathan.armstrong@corderycompliance.com
• Jonathan Marks can be reached at jtmarks@gmail.com.
• Special Guest Kristy Grant-Hart is the founder of Spark Consulting.
The host and producer, ranter of Everything Compliance is Tom Fox the Voice of Compliance. He can be reached at tfox@tfoxlaw.com. Everything Compliance is a part of the Compliance Podcast Network.
I recently had the chance to visit with Jonathan Armstrong on a recent data breach case that occurred in the health service provider NHS Lanarkshire (Scotland) during the COVID-19 pandemic. This breach serves as a stark reminder of the challenges organizations face in maintaining data protection and compliance, especially when it comes to communication platforms like WhatsApp. In this blog post we will explore the lessons learned from this incident and discuss practical advice for organizations to ensure robust data protection measures.
Background
According to the Cordery Compliance Client Alert on the matter, over a two-year period between 2020 and 2022, 26 staff at NHS Lanarkshire had access to a WhatsApp group where there were a minimum of 533 entries that included patient names. The information included 215 phone numbers, 96 with dates of birth and 28 included addresses. 15 images, 3 videos, and 4 screenshots were also shared, which included personal data of patients and clinical information, which is a “special category” health data under both EU and UK law. Other data to the WhatsApp group was also added in error. Other communications were also identified where the staff in question had used WhatsApp.
WhatsApp was not approved by NHS Lanarkshire for processing personal data of patients. The use of WhatsApp was an approach adopted by the staff apparently without organizational knowledge. It was used by the staff as a substitute for communications that would have taken place in the clinical office but did not do so after staff reduced office attendance due to the COVID-19 pandemic. No Data Protection Impact Assessment was in place and no risk assessment relating to personal data processing was completed concerning WhatsApp, as WhatsApp was not approved by NHS Lanarkshire for the sharing of personal data relating to patients. NHS Lanarkshire undertook an internal investigation and reported this matter to the ICO.
ICO Holding
The UK ICO determined that NHS Lanarkshire did not have the appropriate policies, clear guidance and processes in place when WhatsApp was made available to download. Additionally, there were a number of infringements of UK GDPR, not the least being not implementing appropriate technical and organizational measures (TOMs) to ensure the security of the personal data involved, as a consequence of which personal data was shared via an unauthorized means and an inappropriate disclosure occurred. There was also a failure to report this matter, as a data breach, to the ICO in time.
Armstrong noted that ICO recommended that NHS Lanarkshire should take action to ensure their compliance with data protection law, including:
- Considering implementing a secure clinical image transfer system, as part of NHS Lanarkshire’s exploration regarding the storage of images and videos within a care setting;
- Before deploying new apps, consideration of the risks relating to personal data and including the requirement to assess and mitigate these risks in any approval process;
- Ensuring that explicit communications, instructions or guidance are issued to employees on their data protection responsibilities when new apps are deployed;
- Reviewing all organizational policies and procedures relevant to this matter and amending them where appropriate; and,
- Ensuring that all staff are aware of their responsibilities to report personal data breaches internally without delay to the relevant team.
Armstrong concluded that “In light of the remedial steps and mitigating factors the ICO issued an official reprimand – a fine has not yet been imposed. The ICO also asked NHS Lanarkshire to provide an update of actions taken within six months of the reprimand being issued.”
Discussion
This case highlights the challenges organizations face when it comes to communication during internal investigations. In many instances, the most interesting documents are not found in emails, as one organization discovered. Employees often turn to alternative platforms like WhatsApp to avoid leaving a paper trail. However, it is crucial to understand that these platforms may not provide the expected privacy and security.
While platforms like WhatsApp may seem secure, they still share data with big tech companies, raising concerns about privacy. Organizations must adapt to the preferences of digital-native employees who may find email restrictive and opt for alternative communication methods. However, this adaptation should be done consciously, ensuring that policies and procedures are in place to protect sensitive information. Armstrong emphasizes the importance of revisiting emergency measures implemented during the pandemic. As remote work continues, organizations must conduct thorough data protection impact assessments to ensure compliance across all communication platforms and measures.
As with all types of compliance, setting policies and procedures is just the first step. It is essential to communicate and educate employees on these policies to ensure their understanding and compliance. Annual online training sessions are not enough; organizations should provide engaging training that goes beyond passive learning. In addition to targeted and effective training there must be ongoing communications provided to employees. Armstrong also related on the ineffectiveness of off-the-shelf online phishing training. Waiting for an incident to occur and then providing training is not enough to prevent people from clicking on malicious links. Organizations should focus on providing better training before incidents happen, rather than trying to enhance training afterwards.
The next step is monitoring as compliance with policies and procedures should be actively monitored. Technical solutions are available to help companies track compliance, but it’s crucial to involve individuals at all levels of the organization when designing these policies. Additionally, a balanced approach is needed, where employees are recognized for their service but also held accountable for policy breaches. The days of solely relying on punishment for enforcement are gone.
The data breach in the Scottish hospital serves as a wake-up call for organizations to prioritize data protection and compliance. Communication challenges during internal investigations, privacy concerns associated with alternative platforms, and the need for effective policies and training are crucial areas to address. By conducting regular data protection impact assessments, providing engaging training, and ensuring buy-in from employees, organizations can strengthen their defense against cyber threats and protect sensitive information. Always remember that compliance is an ongoing process, and continuous evaluation and improvement are necessary to adapt to the evolving digital landscape. Finally stay vigilant and proactive in safeguarding data privacy and protection.