Categories
Blog

The UK Election and Its Implications for Compliance Professionals

Last week saw the worst result in the Conservative Party's recorded history: the Tories were swept from power, losing around 250 seats in Parliament. The Labour Party took over with a commanding majority of around 410 seats, while the Tories were reduced to about 120. In the most recent episode of the award-winning podcast Life with GDPR, I sat down with Jonathan Armstrong, who shared his thoughts on the gravity and history of this election and what it might mean for our compliance contemporaries in the UK, the US, and worldwide.

This election is a refreshing change, irrespective of political leanings. The previous government was seen as limping along like a ship with a hole in its side, and the mood has noticeably improved since the new government took office. The Labour government, led by Sir Keir Starmer, has hit the ground running. Within hours of his appointment by the King, the new cabinet members were assigned their missions and started work immediately. This proactive start is a sign of what to expect.

From an enforcement point of view, this government understands how compliance and prosecution work. Sir Keir Starmer's background as a barrister and his tenure as Director of Public Prosecutions give him a wealth of experience. His leadership at the Crown Prosecution Service saw the first prosecutions under the Bribery Act 2010, and his understanding of the criminal justice system bodes well for robust enforcement.

The now-entrenched SFO director, whom we previously called the “new” director, has taken significant steps in bribery enforcement, including the first dawn raids in years. I asked Jonathan whether he expects a healthy working relationship between the current SFO director and the new government, and he said he does.

Sir Keir Starmer and the current SFO director are on the same page regarding enforcement. The new administration has already announced a focus on investigating the PPE scandal, which involves around £7.2 billion worth of potentially corrupt contracts from Boris Johnson’s era. This will likely be a priority, and the new Covid Corruption Commissioner will work closely with the SFO, leveraging the SFO's powers to conduct dawn raids and demand documents. This indicates a continued and possibly intensified focus on bribery enforcement.

In addition to bribery and corruption, trade controls, customs, and economic sanctions are critical areas of concern. These include sanctions on Russian individuals and forced-labour import measures such as the Uyghur Forced Labor Prevention Act in the United States. Here, Jonathan expects a stricter approach from Labour than from the prior administration.

He believes there was a perception that some Russian-connected individuals were left off the sanctions list because of their connections with the Conservative Party. The new administration, less entangled with such interests, is likely to expand the sanctions list to align more closely with the US. On forced labour, the new second-in-command at the Treasury, Darren Jones MP, has a background in investigating supply chain issues and forced labour. Armstrong believes we can expect legislation similar to the US approach, with greater scrutiny of, and enforcement against, forced labour in supply chains.

How about AI governance and enforcement, particularly with large tech companies dominating this space? Once again, Armstrong believes the previous administration was perceived as lenient on AI regulation, possibly because of ministers' future career aspirations. The new Labour government is likely to take a stricter stance. This is expected to involve a new centralised office to oversee AI usage, educating existing regulators on using the powers they already have, and possibly new AI laws. These measures will likely mirror the EU AI Act, reflecting the UK’s move to align with EU standards and build a closer relationship with the EU.

The new government's view of antitrust and competition law is close to the EU's. The CMA has already shown signs of cooperating with EU counterparts, conducting simultaneous dawn raids and sharing concerns about AI monopolies. The new administration is expected to continue this trend, addressing the concentration of GenAI in the hands of a few large US-based tech corporations. This collaboration with the EU will likely result in a more unified enforcement agenda across the Channel.

What changes can we expect in traditional topics like GDPR and data privacy under the new UK government? The previous administration attempted to roll back some GDPR provisions, but the new government will likely take a more balanced approach. Changes will focus on areas like research while preserving the EU's adequacy decision for the UK, which is what allows personal data to flow from the EU to the UK without additional transfer safeguards. The Labour government will prioritise a solid relationship with the EU and will want to ensure that any legislative changes do not jeopardise that adequacy decision.

Will the new government move towards greater protections for workers in the era of remote and hybrid work? Labour’s traditional ties to trade unions suggest a shift towards more pro-worker legislation. This could include regulation of maximum working hours and a right to disconnect, addressing the perceived always-on culture, particularly in US corporations. While hard and fast laws may not be imminent, there will be an emphasis on consulting employees about work-life balance and ensuring fair treatment.

This historic election marks a significant shift in the UK’s political landscape, with real implications for compliance professionals. The new Labour government, with its focus on enforcement, trade controls, AI governance, data privacy, and worker protections, promises a more robust approach that is more closely aligned with EU standards. Compliance officers should expect increased enforcement and regulatory scrutiny, and should review their programmes now so that they remain effective as the rules evolve. By staying informed and adaptable, they can navigate these changes and continue to uphold the highest compliance standards.

Categories
Life with GDPR

Life With GDPR: What Does The UK Election Mean for Compliance?

Tom Fox and Jonathan Armstrong, a renowned expert in cybersecurity, co-host the award-winning “Life with GDPR.” Jonathan has returned from his hiatus, and in this episode, we examine the UK election results and their potential impact on compliance.

The recent UK election has significant implications for compliance, particularly concerning the dynamics between the UK’s Serious Fraud Office (SFO) and the new government. Jonathan Armstrong, an expert on bribery enforcement, anticipates that the new administration under Keir Starmer will focus on high-profile issues like the PPE scandal while maintaining robust enforcement actions, including dawn raids.

Armstrong and Fox bring deep insights into the potential compliance landscape, shaped by their extensive backgrounds: Armstrong’s expertise in corruption investigations and Fox’s experience with the criminal justice system.

Fox highlights the impact of the new Prime Minister’s legal background in bolstering enforcement efforts and contemplates the future governance of AI under this administration. Both experts foresee a political shift, with Armstrong expecting the Conservative Party to lean rightward yet occupy the political center, and Fox emphasizing the continuity and experience the new government brings to compliance and enforcement issues.


Key Takeaways:

  • Heightened Bribery Enforcement Under New Government
  • Russian Sanctions and Uyghur Import Regulations
  • Data Protection Bill Changes Post-UK Election
  • UK’s New Administration Faces Challenges and Changes
  • Center-Ground Positioning in UK Politics

Resources:

Connect with Tom Fox

Connect with Jonathan Armstrong

Categories
FCPA Compliance Report

FCPA Compliance Report: Jonathan Armstrong on Sweeping Changes in The UK Government: Insights on Compliance

Welcome to the award-winning FCPA Compliance Report, the longest-running podcast in compliance. In this edition of the FCPA Compliance Report, Tom Fox welcomes Jonathan Armstrong to discuss the seismic shift in the UK’s political landscape following the election last week.

The election was one for the ages, delivering a landslide Labour victory over the Conservatives. Tom and Jonathan delve into the implications for compliance and governance in both the UK and globally. Topics include the new government’s proactive approach, anticipated shifts in bribery enforcement, and fiscal policies.

They also explore potential changes in AI regulation, employment law, data protection, and international relations, especially concerning Russia and China. The conversation highlights Labour’s balanced strategy, aiming for sensible, centrist policies while addressing key issues like corruption, AI, and data privacy.

Highlights in this Episode:

  • An election result for the ages
  • Impact on Bribery and Corruption Enforcement
  • Trade Sanctions, Russian Oligarchs and Forced Labor
  • AI and Beyond
  • Data Privacy and Data Protection
  • Labor and Employment Rights

Resources:

Jonathan Armstrong on LinkedIn

UK General Election 2024 – What Might This Mean for Compliance?

Tom Fox

Instagram

Facebook

YouTube

Twitter

LinkedIn

For more information on the Ethico ROI Calculator and a free White Paper on the ROI of Compliance, click here.

Categories
Compliance and AI

Compliance and AI: Jonathan Armstrong – Understanding The EU AI Act and Its Implications

What is the role of Artificial Intelligence in compliance? What about Machine Learning? Are you using ChatGPT?

These are but three of the many questions we will explore in this exciting new podcast series, Compliance and AI.

In this episode of the podcast, hosted by Tom Fox, the award-winning Voice of Compliance, Jonathan Armstrong joins me to discuss the European Union Artificial Intelligence Act.

This podcast takes a deep dive into the EU AI Act, its current state, and its implications for AI regulation and compliance within Europe and beyond. Armstrong begins by clarifying the misconception that AI is unregulated in Europe by detailing existing cases where regulators have leveraged GDPR to address AI-related issues, including suspensions and fines against AI companies. The EU AI Act, which reached political agreement in December 2023, has a risk-based approach, a two-year period until full implementation, and a potential impact on corporations, particularly in terms of compliance and competitive advantage.

Armstrong also considers the Act’s extraterritorial reach, enforcement challenges, and the potential for high fines, drawing parallels to GDPR enforcement patterns. We cover the complexities of AI application compliance, the importance of proactive preparation by corporations, and the need for increased board-level awareness and diversity to manage AI-related risks and opportunities effectively. The podcast concludes with a Q&A session that further explores the proactive versus reactive stances of EU clients towards the AI regulatory environment, the importance of board governance in AI oversight, and the challenges posed by ‘shadow AI’ within organizations.

Key Highlights:

  • Introduction to the EU AI Act
  • Exploring Regulatory Actions and GDPR in AI
  • The EU AI Act: Overview and Implications
  • AI Compliance Challenges and Corporate Preparation
  • Board Governance and AI Oversight
  • The Future of Board Diversity and AI Expertise

Resources:

Jonathan Armstrong on LinkedIn

Punter Southall

Tom Fox

Instagram

Facebook

YouTube

Twitter

Categories
Compliance and AI

Compliance and AI: Karen Moore on The American Privacy Rights Act and AI

What is the role of Artificial Intelligence in compliance? What about Machine Learning? Are you using ChatGPT? These are but three of the many questions we will explore in this exciting new podcast series, Compliance and AI. In this episode of the podcast, hosted by Tom Fox, the award-winning Voice of Compliance, Karen Moore joins me to discuss the proposed American Privacy Rights Act (APRA) and its intersection with artificial intelligence.

Moore expresses cautious optimism about the Act, paying particular attention to how it would affect artificial intelligence and automated decision-making. Drawing on the Act’s provisions, Moore emphasizes the importance of the preemption clause, which signals a shift towards federal regulation superseding state laws. She also underscores the challenges that lie ahead for companies, especially large data holders and high-impact social media companies, in meeting the APRA’s requirements, such as design evaluations, transparency obligations, and data minimization. Her perspective is shaped by her extensive background in the field and her detailed understanding of the Act’s impact on data processing and AI algorithms.

Key Highlights:

  • Introduction to the American Privacy Rights Act Discussion
  • Exploring the Preemption Clause and AI Implications
  • Automated Decision-Making and Its Complexities
  • The Impact on High-Impact Social Media and Large Data Holders
  • Data Minimization Requirements and AI Challenges

Resources:

Karen Moore on LinkedIn

Tom Fox

Instagram

Facebook

YouTube

Twitter

LinkedIn

Categories
TechLaw10

TechLaw10: Eric Sinrod & Jonathan Armstrong on Privacy/Data Protection Enforcement: GDPR vs. CCPA

In this edition of TechLaw10, Jonathan Armstrong, Director—L-EV8, talks to Professor/Attorney Eric Sinrod from his home in California. They discuss enforcing data protection and privacy laws in the US and the EU.

The questions they consider include:

  • Is CCPA in California being enforced?
  • What does CCPA require?
  • Does CCPA have extra-territorial reach?
  • What is causing the rise in CCPA litigation?
  • Which industries are seeing the most cases?
  • What is the average CCPA settlement?
  • Is GDPR in the EU & UK being enforced?
  • Which EU data protection regulators are the most active?
  • How are class actions faring in Europe?
  • How is data protection law changing the world of advertising?

Jonathan and Eric examine the latest statistics on enforcement activity and the future.

Discover L-EV8 as a new training business with Jonathan Armstrong

You can listen to earlier TechLaw10 audio podcasts with Eric and Jonathan at www.techlaw10.com.

You can find out more about Eric at Duane Morris LLP and more about Jonathan at L-EV8.

Connect with the Compliance Podcast Network at:

LinkedIn: https://www.linkedin.com/company/compliance-podcast-network/

Facebook: https://www.facebook.com/compliancepodcastnetwork/

YouTube: https://www.youtube.com/@CompliancePodcastNetwork

Twitter: https://twitter.com/tfoxlaw

Instagram: https://www.instagram.com/voiceofcompliance/

Website: https://compliancepodcastnetwork.net/

Categories
Life with GDPR

Life With GDPR: Karen Moore on The EU, Corporate Sustainability Due Diligence Directive

Tom Fox and Jonathan Armstrong, a renowned expert in cyber security, co-host the award-winning Life with GDPR. Jonathan is on a short hiatus, and in this episode we have a special guest, Karen Moore, who discusses the EU’s Corporate Sustainability Due Diligence Directive.

Karen Moore is a well-versed professional in the area of impact assessments and due diligence, with a particular focus on human rights and environmental issues to prevent and address potential harm. Her perspective, shaped by her extensive experience, is that impact assessments and due diligence are key indicators of a corporation’s commitment to preserving the environment and upholding human rights.

Moore emphasizes the importance of these processes not only within a company’s own activities, but also within those of its suppliers and indirect suppliers. She stresses the need for a robust due diligence process, including tracking progress, publishing annual statements, implementing complaints procedures, and involving all employees.

Additionally, she highlights the challenges of managing these processes, such as complex questionnaires for third-party suppliers and the need for streamlined assessments. She believes in a proactive approach to corporate responsibility, going beyond regulatory requirements to foster sustainable practices and ethical decision-making.

Key Takeaways:

  • Ethical and Sustainable Business Practices Compliance Guidelines
  • Ethical Evaluation for Data Privacy Compliance in the US
  • Ethical Data Handling for GDPR Compliance
  • Ethical Business Practices in Supply Chains

Resources:

Connect with Tom Fox

Connect with Jonathan Armstrong

Connect with Karen Moore

Categories
Blog

Insights on the EU Corporate Sustainability Due Diligence Directive from GDPR

Regarding corporate social responsibility and data protection, impact assessments and due diligence can seem like a labyrinth of legal jargon and regulatory requirements. However, understanding the importance of these processes is crucial for any corporation looking to not only comply with regulations but also build trust with customers and stakeholders. In this blog post, we will dive into the intricacies of impact assessments and due diligence, answering common questions and providing practical tips for corporations navigating the complexities of the Corporate Sustainability Due Diligence Directive (CSDDD).

We will consider the following questions:

  1. What role does GDPR compliance play in navigating the complexities of the CSDDD?
  2. Why are privacy impact assessments important for the CSDDD?
  3. How can corporations comply with the CSDDD?

In the ever-evolving landscape of corporate responsibility and ethical governance, staying ahead of regulatory directives is crucial for businesses looking to comply and positively impact society and the environment. One such directive that is making waves in the corporate world is the CSDDD. In the wake of its near full adoption by the European Council, the implications of this directive are profound, prompting organizations to rethink their approach to sustainability, human rights, and environmental impact.

The parallels between the CSDDD and the General Data Protection Regulation (GDPR) serve as a reminder of the importance of proactively addressing ethical considerations within corporate governance. Just as with the GDPR, which focuses on data privacy and protection, the CSDDD underscores the necessity of corporate diligence in ensuring environmental responsibility, human rights protection, and fair business practices.

GDPR compliance is a critical component of navigating the complexities of the CSDDD. GDPR sets strict rules for how companies handle the personal data of individuals in the EU (it applies to data subjects in the EU regardless of their citizenship, and to non-EU companies that offer goods or services to them or monitor their behaviour). By ensuring compliance with GDPR, corporations can demonstrate their commitment to data protection and privacy, which is essential for building trust with customers and stakeholders in today’s data-driven world. One of the key components of GDPR compliance is to conduct regular audits of your data processing activities against the Regulation's requirements, and to keep the record of processing activities that Article 30 requires up to date. Implement robust data protection measures, such as encryption and access controls, to safeguard personal data and reduce both the likelihood and the impact of a data breach.

The essence of both GDPR and CSDDD is to take a proactive approach to compliance. By instilling a culture of responsibility within the organization, companies can effectively navigate the complexities of regulatory frameworks like the CSDDD. From conducting impact assessments to tracking progress and publishing annual statements, the directive emphasizes transparency and accountability in corporate operations.

Due diligence under the CSDDD inevitably means collecting and processing personal data about suppliers' workers, complainants, and other affected people, so compliance with the CSDDD also requires a proactive approach to data protection and privacy. Corporations must establish robust data governance frameworks, implement privacy-by-design principles, and regularly audit their data processing activities. By prioritizing data protection and privacy, corporations can demonstrate their commitment to responsible data management and build trust with customers and stakeholders. You should develop a data protection policy that sets out your organization’s commitment to data protection and privacy, train employees on data protection best practices, and provide ongoing support to ensure compliance with both GDPR and the CSDDD.

This is also true of privacy impact assessments (PIAs), known under GDPR as data protection impact assessments (DPIAs, Article 35), which are essential for identifying and mitigating privacy risks in data processing activities and are mandatory where processing is likely to result in a high risk to individuals. By conducting a PIA, corporations can assess the potential impact of their data processing on individuals’ privacy rights and take steps to minimize any adverse effects. PIAs are especially important in the context of the CSDDD, where complaints procedures and supplier assessments will handle data about vulnerable people. Integrate PIAs into your data processing workflows so that privacy risks are identified and addressed before processing starts, and remember that where a DPIA leaves a high residual risk, GDPR requires prior consultation with the data protection authority (Article 36). Engaging with data protection authorities and stakeholders in this way ensures transparency and accountability in your privacy practices.

While the CSDDD is a European directive, its reach extends beyond the EU’s borders, impacting US companies with significant operations or income derived from the region. This broad scope necessitates a thorough evaluation of supply chains, supplier relationships, and potential risks associated with non-compliance. The CSDDD’s requirements for due diligence and supplier engagement underscore the interconnected nature of global business operations.

As organizations strive to align with the CSDDD, integrating existing laws and guidelines from related legislation, such as GDPR, becomes essential. From incorporating OECD guidelines to addressing human rights and environmental impact, companies must adopt a comprehensive approach to compliance. By leveraging technological solutions and strategic staffing, businesses can streamline their compliance efforts and enhance their impact on society and the environment.

The convergence of directives like the CSDDD and GDPR heralds a new era of ethical governance for businesses worldwide. By embracing the principles of sustainability, human rights protection, and environmental stewardship, organizations can meet regulatory requirements and contribute to a more responsible and equitable corporate landscape. As we navigate the complexities of corporate responsibility, let us heed the lessons from these directives and strive to do the right thing, both ethically and legally.

Navigating the complexities of impact assessments and due diligence in the context of the CSDDD may seem daunting. Still, with a proactive approach to data protection and privacy, corporations can demonstrate their commitment to responsible data management and build trust with customers and stakeholders. By prioritizing GDPR compliance, conducting privacy impact assessments, and implementing robust data protection measures, corporations can navigate the complexities of the CSDDD effectively.

Categories
TechLaw10

TechLaw10: Eric Sinrod & Jonathan Armstrong on 5 years of GDPR

In this edition of TechLaw10,  Jonathan Armstrong talks to Attorney and Professor Eric Sinrod from his home in California. They discuss the fifth anniversary of GDPR coming into force.

The topics include:

  • What are the fine levels under GDPR?
  • The use of Data Protection Impact Assessment
  • Cookies
  • AI
  • Data Transfer
  • The rise of GDPR-like legislation around the world
  • The future of GDPR

You can listen to earlier TechLaw10 audio podcasts with Eric and Jonathan at https://www.duanemorris.com/site/techlaw10.html

Connect with the Compliance Podcast Network at:

LinkedIn: https://www.linkedin.com/company/compliance-podcast-network/
Facebook: https://www.facebook.com/compliancepodcastnetwork/
YouTube: https://www.youtube.com/@CompliancePodcastNetwork
Twitter: https://twitter.com/tfoxlaw
Instagram: https://www.instagram.com/voiceofcompliance/
Website: https://compliancepodcastnetwork.net/

Categories
Blog

SolarWinds Under GDPR: Corporate Responsibility and Risks in Data Protection

The General Data Protection Regulation (GDPR) has significantly changed how organizations handle data protection and privacy. It emphasizes the importance of transparency and honesty in disclosing data breaches and vulnerabilities. In a recent episode of the podcast Life with GDPR, Tom Fox and Jonathan Armstrong from Cordery Compliance discussed the topic of corporate responsibility and risks in data protection, with a particular focus on the SolarWinds case.

To recap, in late 2023, the SEC filed a lawsuit against SolarWinds Corp and its CISO, Tim Brown, following the 2020 data breach, bringing the issue of executive liability in cybersecurity disclosures to the forefront. The lawsuit raised important questions about the personal liability of senior executives for inaccurate risk disclosures and has potential implications for other industries under US securities law.

The 2020 breach, attributed by the US government to Russia's foreign intelligence service, targeted SolarWinds’ network monitoring software, Orion. The attackers gained access to SolarWinds' environment and inserted a backdoor into Orion's build process, so that the malicious code was compiled into legitimate, digitally signed product updates. SolarWinds then distributed those updates to its corporate and government customers, unknowingly spreading the backdoor. This gave the attackers a foothold in the networks of US federal agencies and major corporations, from which they selected a smaller number of high-value targets for further intrusion. The lesson for defenders is that a signed update only proves it came from the vendor's pipeline, not that the pipeline itself was intact.

The SEC’s lawsuit against SolarWinds and Tim Brown focused on the poor disclosures about the company’s information security throughout 2018, 2019, and 2020. While SolarWinds publicly claimed to have good cybersecurity, internal communications revealed that employees were aware of the company’s cybersecurity issues and considered them a mess. This discrepancy between internal knowledge and external disclosures formed the basis of the SEC’s allegations.

The SEC complaint alleged that SolarWinds’ public statements about its cybersecurity practices and risks were at odds with its internal assessments, including a 2018 presentation prepared by a company engineer and shared internally, including with Brown, that SolarWinds’ remote access set-up was “not very secure” and that someone exploiting the vulnerability “can do whatever without us detecting it until it’s too late,” which could lead to “major reputation and financial loss” for SolarWinds. Similarly, as alleged in the SEC’s complaint, 2018 and 2019 presentations by Brown stated, respectively, that the “current state of security leaves us in a very vulnerable state for our critical assets” and that “[a]ccess and privilege to critical systems/data is inappropriate.”

Beyond this SEC enforcement action, there were other implications as well. One key takeaway from the episode is the pressure on corporate leaders, including CISOs, Data Protection Officers, and Compliance Officers, to disclose data breaches promptly. GDPR itself requires a personal data breach to be notified to the supervisory authority without undue delay and, where feasible, within 72 hours of the organization becoming aware of it (Article 33), with notification to affected individuals where the breach is likely to result in a high risk to them (Article 34). While GDPR offers some protection to Data Protection Officers, who may not be dismissed or penalised for performing their tasks, they are not entirely exempt from liability. The SolarWinds case serves as a reminder of the need for specific and timely disclosure of breaches and of the importance of actually fixing known system vulnerabilities rather than merely documenting them.

The risks associated with data breaches are not limited to regulatory fines. Litigation risks are a significant concern for organizations, with shareholders and whistleblowers potentially seeking legal action. The episode highlights the importance of transparency and not misrepresenting information to regulators. Misrepresentations can lead to severe consequences for individuals in positions of responsibility within corporations.

Budget constraints can also hinder the timely fixing of vulnerabilities, ultimately leading to breaches. Organizations need to take proactive measures to identify and address vulnerabilities promptly. Realistic resource assessments are crucial to ensuring that adequate resources are allocated to data protection efforts. Additionally, having adequate insurance protection, such as Directors and Officers (D&O) insurance, can help protect individuals in positions of responsibility from potential liabilities.

The episode also emphasizes the need for organizations to consider the impact on their stock exchange filings when deciding whether to disclose a data breach. Deciding whether an incident is material enough to require disclosure to the market can be difficult, and the SolarWinds case shows that regulators will compare what was said publicly against what was known internally. For US-listed companies, the SEC's 2023 cybersecurity disclosure rules add a hard deadline: a Form 8-K (Item 1.05) must be filed within four business days of determining that an incident is material. Organizations need a dedicated team to make and document these materiality judgements, particularly when engaged in transactions like mergers and acquisitions or fundraising.

Transparency and honesty are key principles in data protection and privacy. Audit reports and investigation findings must be acted upon promptly to address vulnerabilities. Emails and other forms of communication can serve as evidence in legal proceedings, highlighting the importance of careful communication within organizations.

The potential for litigation is significant in data breach cases. Shareholders may seek legal action if they believe the value of their stock has been affected. Whistleblowers, incentivized by various jurisdictions, may also come forward with information. This highlights the need for organizations to maintain a culture of transparency and integrity and for individuals to review their remuneration packages to avoid conflicts of interest.

In conclusion, GDPR, corporate responsibility, and risks in data protection are interconnected. Organizations must prioritize transparency, honesty, and timely disclosure of breaches and vulnerabilities, and must ensure that public statements about security match what their own engineers are reporting internally. Proactive remediation, realistic resource assessments, and adequate insurance protection are crucial to mitigating risk. By considering the impact on stock exchange filings and maintaining a culture of integrity, organizations can navigate the challenges of data protection and privacy in the GDPR era.