Tag: Data Privacy

Categories
From the Editor's Desk

From The Editor’s Desk – January and February 2024 in Compliance Week

Welcome to From the Editor’s Desk, a podcast where co-hosts Tom Fox and Kyle Brasseur, EIC at Compliance Week, unpack some of the top stories that have appeared in Compliance Week over the past month, look at the top compliance stories upcoming for the next month, talk about some sports and generally try to solve the world’s problems.

Tom Fox and Kyle Brasseur are back. In this episode, they look at the Department of Justice’s role in shaping corporate compliance practices through its enforcement actions, setting the tone for companies to voluntarily self-disclose and cooperate. Tom believes that the DOJ is making a concerted effort to highlight what companies are doing right in enforcement actions, particularly in relation to remedial efforts and cooperation. He sees the DOJ’s settlement documents as a clear communication of what they expect from companies going forward. Kyle emphasizes the importance of focusing on the positive aspects of enforcement actions and learning from what companies are doing right to prevent similar situations in the future. He mentions the use of data analytics and the retention of off-channel communications as examples of new expectations from the DOJ. Join Tom Fox and Kyle Brasseur on this episode of From the Editor’s Desk as they delve deeper into the topic of DOJ enforcement actions and corporate compliance practices.

Highlights Include:

  • SAP Enforcement Action
  • CNIL and Amazon’s Excessive Employee Surveillance Violation
  • Exploring Best Practices in Know Your Customer and Anti-Money Laundering Compliance
  • Highlighting Compliance Success in Financial Services
  • Insights from DOJ Enforcement Actions Roundtable
  • Bill Belichick
  • NFL Playoffs
Categories
Daily Compliance News

Daily Compliance News: January 25, 2024 – The Big Brother Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee and listen to the Daily Compliance News. All from the Compliance Podcast Network. Each day, we consider four stories from the business world: compliance, ethics, risk management, leadership, or general interest for the compliance professional.

In today’s edition of Daily Compliance News:

  • Menendez says search warrants are unconstitutional.  (Roll Call)
  • Wayne LaPierre claims he’s too sick to go to trial. (Business Insider)
  • More bad news for Boeing. (WaPo)
  • Big Brother arrives at the workplace. (BBC)

For more information on Ethico and a free White Paper on top compliance issues in 2024, click here.

Categories
31 Days to More Effective Compliance Programs

One Month to a More Effective Compliance Program Through Data Analytics: Day 10 – The Impact of Privacy Regulations on Compliance

What is the impact of privacy regulations on data-driven compliance? Every CCO must be aware of the importance of privacy in data-driven compliance and the challenges and tradeoffs involved in implementing effective compliance strategies. A key mandate is for CCOs and compliance professionals to have a compliance program that provides visibility into their data. This emphasizes the importance of having efficient and effective compliance solutions in place or as I have previously noted CCOs must have access to their compliance data literally at their fingertips.

This is one of the drivers for key trends shaping compliance technology in 2025 and beyond. The RegTech market is growing rapidly, and there is increased regulatory focus on cryptocurrency activities, ESG, and information security and cybersecurity. These trends indicate the evolving landscape of compliance and the need for organizations to stay updated and adapt their compliance strategies accordingly. By embracing connected compliance and leveraging technology, organizations can navigate the complex regulatory landscape and ensure compliance with privacy regulations while driving business efficiency.

 Three key takeaways:

  1. CCOs and compliance professionals must have a compliance program that provides visibility into their data.
  2. ESG regulations affect not only regulated industries but also any company holding private customer data or involved in large supply chains.
  3. By embracing connected compliance and leveraging technology, organizations can navigate the complex regulatory landscape and ensure compliance with privacy regulations while driving business efficiency.

For more on KonaAI, click here.

Categories
Daily Compliance News

Daily Compliance News: November 7, 2023 – The Apology Accepted Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee, and listen to the Daily Compliance News. all from the Compliance Podcast Network. Each day we consider four stories from the business world: compliance, ethics, risk management, leadership, or general interest for the compliance professional.

  • ICO apologizes to the ex-Nat West chief. (FT)
  • A 70-hour work week in India? (BBC)
  • Integrity in cricket. (University of Sussex)
  • Do chatbots violate anti-wiretap laws? (Reuters)
Categories
Daily Compliance News

Daily Compliance News: October 26, 2023 – The Don’t Play Games Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance brings to you compliance related stories to start your day. Sit back, enjoy a cup of morning coffee and listen in to the Daily Compliance News. All, from the Compliance Podcast Network. Each day we consider four stories from the business world, compliance, ethics, risk management, leadership or general interest for the compliance professional.

Stories we are following in today’s edition:

  • Forced labor in yet another Chinese industry?  (WSJ)
  • Data privacy and Trump. (The Guardian)
  • Suspicious death shadows Austrian corruption probe. (FT)
  • Don’t play games with the SEC. (Reuters)
Categories
Corruption, Crime and Compliance

Catching Up with California and State Data Privacy Laws

California’s data privacy regulations, primarily embodied in the California Consumer Privacy Act (CCPA) and its extension through the California Privacy Rights Act (CPRA), constitute a pioneering and influential framework. These regulations, effective from 2018 and further strengthened in 2020, set a standard for data protection not only within the state but also across the national and global economy. In this episode of Corruption, Crime and Compliance, Michael Volkov explores the nuances of the CCPA and CPRA, and the evolving data privacy landscape.

You’ll hear Michael talk about:

  • The lack of a federal data privacy law in the United States has led to a complex patchwork of state laws. Businesses are faced with the challenge of navigating these varied regulations, which contributes to compliance complexities.
  • California, through the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), is a leader in data privacy regulation in the United States, with implications for both the national and global economy. The CPRA, enacted in 2020, establishes the California Privacy Protection Agency (CPPA) to enforce the law robustly.
  • The CPRA introduces critical changes, including: 
  • Protection of employee and business-to-business personal information, which is now subject to the same privacy protections as consumer personal information. 
  • Enhanced consumer rights, such as the right to access, delete, and correct their personal information, and the right to opt out of the sale of their personal information.
  • Companies are now obligated to implement reasonable security precautions and undergo annual cybersecurity audits and risk assessments.
  • In addition to California, other states such as Virginia, Colorado, Utah, Iowa, and Connecticut have also enacted data privacy laws that echo the GDPR. Businesses must stay up-to-date on evolving compliance requirements and adapt their systems accordingly.
  • Compliance issues comprise risk assessments, impact assessments, adherence to data breach requirements, and compliance with notification standards. Companies are developing systems based on the most stringent set of laws to guarantee compliance.

 

KEY QUOTES

“We have a patchwork of laws that apply in the United States. Unfortunately, we continue to suffer from the absence of a federal data privacy and breach notification law. Congress has tried for years to broker a deal here, but it has never been able to overcome strong lobbying forces. Whether it’s high tech trial lawyers, law enforcement, or other gadflies, the public continues to suffer.” – Michael Volkov

 

“Many commentators have suggested that California’s data privacy laws and regulations are starting to look closer and closer to the EU’s GDPR regime.” – Michael Volkov

 

“To me, we’re getting into a more strict regulation. We already have, under the California Consumer Privacy Act, a requirement to have on your website: an ‘opt out’ in terms of any information that you may provide to a website, that it can’t be used by the entity for sharing or selling or whatever consumer products purposes. So keep tabs on the California events.” – Michael Volkov

 

Resources

Michael Volkov on LinkedIn | Twitter

The Volkov Law Group

Categories
Data Driven Compliance

Data Driven Compliance: Rachael Ormiston on Privacy as a Business Differentiator

Are you struggling to keep up with the ever-changing compliance programs in your business? Look no further than the award-winning Data Driven Compliance podcast, hosted by Tom Fox, is a podcast featuring an in-depth conversation around the uses of data and data analytics in compliance programs. Data Driven Compliance is back with another exciting episode The intersection of law, compliance, and data is becoming increasingly important in the world of cross-border transactions and mergers and acquisitions.

We take things in a data privacy direction today as I visit with Rachael Ormiston, Head of Privacy at Osano, whose No Penalties Pledge sets them apart in the privacy industry, offering customers assurance that they won’t face fines for non-compliance. In conversations with Tom Fox, Rachael Ormiston discusses the importance of privacy as a business differentiator and the impact of GDPR. Trust is highlighted as crucial for building a positive customer experience. Osano has developed a privacy maturity model to help companies assess their progress and prioritize compliance. Their website offers valuable resources, catering to both experts and beginners in the field. Rachael emphasizes the increasing importance of data privacy and the need for companies to prioritize it at the executive level.

Highlights Include

·      Osano’s No Penalties Pledge

·      Privacy as a Business Differentiator

·      The Importance of Privacy Compliance

·      Data Privacy and Free Resources

Resources:

Osano

 

Tom Fox 

Connect with me on the following sites:

Instagram

Facebook

YouTube

Twitter

LinkedIn

Categories
Life with GDPR

Life With GDPR: WhatsApp Breach: Hospital’s GDPR Failures Exposed

Tom Fox and Jonathan Armstrong, renowned experts in cyber security, co-host the award-winning Life with GDPR. The recent controversy surrounding Nigel Farage’s banking situation highlights the risks and compliance challenges faced by the banking industry in relation to data protection. In this episode, Tom and Jonathan discuss a data breach in a Scottish hospital during the COVID-19 pandemic.

The breach occurred when hospital staff shared patient details on WhatsApp, raising concerns about GDPR compliance. The hospital informed the ICO about the breach but chose not to notify affected patients, highlighting the need for appropriate advice and support when making such decisions. The conversation also explores communication challenges in internal investigations and the privacy and security risks of platforms like WhatsApp. It emphasizes the importance of organizations adapting to the preferences of digital native employees and conducting data protection impact assessments. The podcast also highlights the importance of effective policies, training, and proactive phishing training to prevent cyber-attacks and protect sensitive information.

 

Key Takeaways:

  • Data breach in Scottish hospital
  • The Challenges of Communication in Internal Investigations
  • Importance of Policies and Training
  • Phishing Training Effectiveness

Resources

For more information on the issues raised in this podcast, check out the Cordery Compliance News Section. For more information on Cordery Compliance, go to their website here. Also, check out the GDPR Navigator, one of the top resources for GDPR Compliance, by clicking here.

Connect with Tom Fox

Connect with Jonathan Armstrong

Categories
Blog

The Importance of Effective Policies and Training in Data Protection: Lessons from a Scottish Hospital Breach

I recently had the chance to visit with Jonathan Armstrong on a recent data breach case that occurred in the health service provider NHS Lanarkshire (Scotland) during the COVID-19 pandemic. This breach serves as a stark reminder of the challenges organizations face in maintaining data protection and compliance, especially when it comes to communication platforms like WhatsApp. In this blog post we will explore the lessons learned from this incident and discuss practical advice for organizations to ensure robust data protection measures.

Background

According to the Cordery Compliance Client Alert on the matter, over a two-year period between 2020 and 2022, 26 staff at NHS Lanarkshire had access to a WhatsApp group where there were a minimum of 533 entries that included patient names. The information included 215 phone numbers, 96 with dates of birth and 28 included addresses. 15 images, 3 videos, and 4 screenshots were also shared, which included personal data of patients and clinical information, which is a “special category” health data under both EU and UK law. Other data to the WhatsApp group was also added in error. Other communications were also identified where the staff in question had used WhatsApp.

WhatsApp was not approved by NHS Lanarkshire for processing personal data of patients.  The use of WhatsApp was an approach adopted by the staff apparently without organizational knowledge. It was used by the staff as a substitute for communications that would have taken place in the clinical office but did not do so after staff reduced office attendance due to the COVID-19 pandemic. No Data Protection Impact Assessment was in place and no risk assessment relating to personal data processing was completed concerning WhatsApp, as WhatsApp was not approved by NHS Lanarkshire for the sharing of personal data relating to patients. NHS Lanarkshire undertook an internal investigation and reported this matter to the ICO.

ICO Holding

The UK ICO determined that NHS Lanarkshire did not have the appropriate policies, clear guidance and processes in place when WhatsApp was made available to download. Additionally,  there were a number of infringements of UK GDPR, not the least being not implementing appropriate technical and organizational measures (TOMs) to ensure the security of the personal data involved, as a consequence of which personal data was shared via an unauthorized means and an inappropriate disclosure occurred. There was also a failure to report this matter, as a data breach, to the ICO in time.

Armstrong noted that ICO recommended that NHS Lanarkshire should take action to ensure their compliance with data protection law, including:

  1. Considering implementing a secure clinical image transfer system, as part of NHS Lanarkshire’s exploration regarding the storage of images and videos within a care setting;
  2. Before deploying new apps, consideration of the risks relating to personal data and including the requirement to assess and mitigate these risks in any approval process;
  3. Ensuring that explicit communications, instructions or guidance are issued to employees on their data protection responsibilities when new apps are deployed;
  4. Reviewing all organizational policies and procedures relevant to this matter and amending them where appropriate; and,
  5. Ensuring that all staff are aware of their responsibilities to report personal data breaches internally without delay to the relevant team.

Armstrong concluded that “In light of the remedial steps and mitigating factors the ICO issued an official reprimand – a fine has not yet been imposed. The ICO also asked NHS Lanarkshire to provide an update of actions taken within six months of the reprimand being issued.”

Discussion

This case highlights the challenges organizations face when it comes to communication during internal investigations. In many instances, the most interesting documents are not found in emails, as one organization discovered. Employees often turn to alternative platforms like WhatsApp to avoid leaving a paper trail. However, it is crucial to understand that these platforms may not provide the expected privacy and security.

While platforms like WhatsApp may seem secure, they still share data with big tech companies, raising concerns about privacy. Organizations must adapt to the preferences of digital-native employees who may find email restrictive and opt for alternative communication methods. However, this adaptation should be done consciously, ensuring that policies and procedures are in place to protect sensitive information. Armstrong emphasizes the importance of revisiting emergency measures implemented during the pandemic. As remote work continues, organizations must conduct thorough data protection impact assessments to ensure compliance across all communication platforms and measures.

As with all types of compliance, setting policies and procedures is just the first step. It is essential to communicate and educate employees on these policies to ensure their understanding and compliance. Annual online training sessions are not enough; organizations should provide engaging training that goes beyond passive learning. In addition to targeted and effective training there must be ongoing communications provided to employees. Armstrong also related on the ineffectiveness of off-the-shelf online phishing training. Waiting for an incident to occur and then providing training is not enough to prevent people from clicking on malicious links. Organizations should focus on providing better training before incidents happen, rather than trying to enhance training afterwards.

The next step is monitoring as compliance with policies and procedures should be actively monitored. Technical solutions are available to help companies track compliance, but it’s crucial to involve individuals at all levels of the organization when designing these policies. Additionally, a balanced approach is needed, where employees are recognized for their service but also held accountable for policy breaches. The days of solely relying on punishment for enforcement are gone.

The data breach in the Scottish hospital serves as a wake-up call for organizations to prioritize data protection and compliance. Communication challenges during internal investigations, privacy concerns associated with alternative platforms, and the need for effective policies and training are crucial areas to address. By conducting regular data protection impact assessments, providing engaging training, and ensuring buy-in from employees, organizations can strengthen their defense against cyber threats and protect sensitive information. Always remember that compliance is an ongoing process, and continuous evaluation and improvement are necessary to adapt to the evolving digital landscape. Finally stay vigilant and proactive in safeguarding data privacy and protection.

Categories
Blog

Protecting Personal Data in the Banking Industry: Lessons from the Farage Controversy

Today I want to consider a burgeoning imbroglio in the UK involving Nigel Farage. While you might not think of Farage as a candidate for the FCPA Compliance Blog, it turns out that his current banking situation has some very interesting data privacy issues, shedding light on the data protection risks faced by banks and the importance of compliance with GDPR regulations. So in this blog post, we will explore the lessons learned from this incident and provide practical advice for financial institutions to ensure the security and privacy of customer information.

The recent episode surrounding Nigel Farage’s banking situation has sparked concerns about data protection and compliance within the banking industry. Farage, a prominent figure in the Brexit movement, had his bank account with Coutts, a high-end bank owned by NatWest, closed and was offered an account with another associated bank. The alleged reason was that he did not have a high enough net worth to merit the account with Coutts. It turned out the real reason was his right-wing politics, particularly around leading the charge for Brexit.

NatWest then compounded its problem by leaking a story to the BBC, that Farage had been dropped because, as reported in the Guardian, the CEO of NatWest, Dame Alison Rose had been the source of the leak to the BBC of this false information. All of this raised concerns about a potential data breach. Coutts had closed his account after lengthy discussions over the reputational risk that his political views posed for the bank.

Rose tried to apologize to Farage but as the New York Times reported, “The apology and a promise to review the bank’s policies were not enough to ease the pressure on Ms. Rose. Reports late Tuesday that the government, which has a 39 percent stake in the bank, was “significantly concerned” about Ms. Rose’s leadership seemed to seal her fate. Before dawn, the bank announced her immediate departure” in late July. Peter Flavel, the boss of its private bank, Coutts was also sent packing.

From the regulatory, data privacy and GDPR responses, NatWest is in severe trouble. Not only had the Bank violated its own data privacy regulations in providing the information to the now former CEO but it also released that same information to the BBC. The consequences of non-compliance with GDPR regulations can be severe, particularly in regulated industries like financial services. Banks may face potential violations and internal policy breaches, which could lead to legal action and impact their banking license and fit and proper provisions. CEOs can be held liable for consent and connivance in data protection cases, emphasizing the importance of understanding data protection laws and potential criminal offenses associated with them.

The controversy surrounding Nigel Farage’s banking situation serves as a wake-up call for the banking industry to prioritize data protection and compliance. Financial institutions cannot afford to overlook these issues, as the consequences in the era of GDPR can be significant. It is crucial to establish proper policies and procedures, provide training and education for top-level management, and ensure a compliance culture is embedded throughout the organization.

There are multiple lessons to be learned from this controversy and several key takeaways that can help banks navigate the complexities of data protection and compliance:

1.Be cautious with written communication: The incident underscores the importance of being mindful of what is written in emails, as subject access requests can expose them. Consider whether a controversial email would be better discussed through a phone call or read aloud before sending.

2. Learn from previous compliance issues: NatWest had previous issues with data protection compliance, leading to the resignation of CEO Dame Allison Rose. This highlights the need for organizations to build a compliance culture at all levels, including those in top positions.

3. Allocate resources for subject access requests: The bank’s CFO has provided extra resources to handle subject access requests, as the cost of non-compliance is usually higher than the cost of compliance. It is estimated that it takes a six-figure sum for a bank to respond to a subject access request.

4. Scrutinize politically exposed persons and connections to Russian individuals: Financial institutions have an obligation to carefully scrutinize politically exposed persons and individuals with connections to Russian individuals. Balancing legitimate activities with obeying the law is crucial.

This affair provides valuable insights into the importance of data protection and compliance in the banking industry. The Farage controversy serves as a reminder that the security and privacy of customer information should be paramount for financial institutions. By learning from past incidents, allocating resources for subject access requests, and adhering to GDPR obligations, banks can safeguard their reputation, avoid legal repercussions, and build trust with their customers.