Categories
FCPA Compliance Report

FCPA Compliance Report: Jonathan Armstrong on Sweeping Changes in The UK Government: Insights on Compliance

Welcome to the award-winning FCPA Compliance Report, the longest running podcast in compliance. In this edition of the FCPA Compliance Report, Tom Fox welcome Jonathan Armstrong to discuss the seismic shift in the UK’s political landscape following the election last week.

The election was literally one for the ages. It led to a significant Labor victory over the Conservatives. They delve into the implications for compliance and governance in both the UK and globally. Topics include the new government’s proactive approach, anticipated shifts in bribery enforcement, and fiscal policies.

They also explore potential changes in AI regulation, employment law, data protection, and international relations, especially concerning Russia and China. The conversation highlights Labor’s balanced strategy, aiming for sensible, centrist policies while addressing key issues like corruption, AI, and data privacy.

Highlights in this Episode:

  • An election result for the ages
  • Impact on Bribery and Corruption Enforcement
  • Trade Sanctions, Russian Oligarch’s and Forced Labor
  • AI and Beyond
  • Data Privacy and Data Protection
  • Labor and Employment Rights

 Resources:

Jonathan Armstrong on LinkedIn

UK General Election 2024 – What Might This Mean for Compliance?

Tom Fox

Instagram

Facebook

YouTube

Twitter

LinkedIn

For more information on the Ethico ROI Calculator and a free White Paper on the ROI of Compliance, click here.

Categories
Compliance and AI

Compliance and AI: Jonathan Armstrong – Understanding The EU AI Act and It’s Implications

What is the role of Artificial Intelligence in compliance? What about Machine Learning? Are you using ChatGPT?

These are but three of the many questions we will explore in this exciting new podcast series, Compliance and AI.

Hosted by Tom Fox, the award-winning Voice of Compliance, in this podcast, Jonathan Armstrong joins me to discuss the European Union Artificial Intelligence Act.

This podcast takes a deep dive into the EU AI Act, its current state, and its implications for AI regulation and compliance within Europe and beyond. Armstrong begins by clarifying the misconception that AI is unregulated in Europe by detailing existing cases where regulators have leveraged GDPR to address AI-related issues, including suspensions and fines against AI companies. The EU AI Act, which reached political agreement in December 2023, has a risk-based approach, a two-year period until full implementation, and a potential impact on corporations, particularly in terms of compliance and competitive advantage.

Armstrong also considered the Act’s extraterritorial reach, enforcement challenges, and the potential for high fines, drawing parallels to GDPR enforcement patterns. We covered the complexities of AI application compliance, the importance of proactive preparation by corporations, and the need for increased board-level awareness and diversity to effectively manage AI-related risks and opportunities. The podcast concludes with a Q&A session that further explores the proactive versus reactive stances of EU clients towards the AI regulatory environment, the importance of board governance in AI oversight, and the challenges posed by ‘shadow AI’ within organizations.

Key Highlights:

  • Introduction to the EU AI Act
  • Exploring Regulatory Actions and GDPR in AI
  • The EU AI Act: Overview and Implications
  • AI Compliance Challenges and Corporate Preparation
  • Board Governance and AI Oversight
  • The Future of Board Diversity and AI Expertise

Resources:

Jonathan Armstrong on LinkedIn

Punter Southall

Tom Fox

Instagram

Facebook

YouTube

Twitter

Categories
Compliance and AI

Compliance and AI: Karen Moore on The American Privacy Rights Act and AI

What is the role of Artificial Intelligence in compliance? What about Machine Learning? Are you using ChatGPT? These are but three of the many questions we will explore in this exciting new podcast series, Compliance and AI. Hosted by Tom Fox, the award-winning Voice of Compliance, this podcast, Karen Moore joins me to discuss the proposed American Privacy Rights Act (APRA) and its intersection with artificial intelligence.

Moore has expressed cautious optimism towards the act, paying particular attention to how the Act impacts artificial intelligence and automated decision-making processes. Drawing on the act’s provisions, Moore emphasizes the importance of the preemption clause, which indicates a shift towards federal regulations superseding state laws. She also underscores the potential challenges and complexities that lie ahead for companies, especially large data holders or high-impact social media companies, in adhering to the APRA’s requirements, such as conducting design evaluations, transparency obligations, and data minimization. This perspective is shaped by her extensive background in the field and her intricate understanding of the Act’s impact on data processing and AI algorithms.

Key Highlights:

  • Introduction to the American Privacy Rights Act Discussion
  • Exploring the Preemption Clause and AI Implications
  • Automated Decision-Making and Its Complexities
  • The Impact on High-Impact Social Media and Large Data Holders
  • Data Minimization Requirements and AI Challenges

Resources:

Karen Moore on LinkedIn

Tom Fox

Instagram

Facebook

YouTube

Twitter

LinkedIn

Categories
TechLaw10

TechLaw10: Eric Sinrod & Jonathan Armstrong on Privacy/Data Protection Enforcement: GDPR vs. CCPA

In this edition of TechLaw10, Jonathan Armstrong, Director—L-EV8, talks to Professor/Attorney Eric Sinrod from his home in California. They discuss enforcing data protection and privacy laws in the US and the EU.

The questions they consider include:

  • Is CCPA in California being enforced?
  • What does CCPA require?
  • Does CCPA have extra-territorial reach?
  • What is causing the rise in CCPA litigation?
  • Which industries are seeing the most cases?
  • What is the average CCPA settlement?
  • Is GDPR in the EU & UK being enforced?
  • Which EU data protection regulators are the most active?
  • How are class actions fair in Europe?
  • How is data protection law changing the world of advertising?

Jonathan and Eric examine the latest statistics on enforcement activity and the future.

Discover L-EV8 as a new training business with Jonathan Armstrong

You can listen to earlier TechLaw10 audio podcasts with Eric and Jonathan at www.techlaw10.com.

You can find out more about Eric here at  Duane Morris LLP and more about Jonathan here at L-EV8 

Connect with the Compliance Podcast Network at:

LinkedIn: https://www.linkedin.com/company/compliance-podcast-network/

Facebook: https://www.facebook.com/compliancepodcastnetwork/

YouTube: https://www.youtube.com/@CompliancePodcastNetwork

Twitter: https://twitter.com/tfoxlaw

Instagram: https://www.instagram.com/voiceofcompliance/

Website: https://compliancepodcastnetwork.net/

Categories
Life with GDPR

Life With GDPR: Karen Moore on The EU, Corporate Sustainability Due Diligence Directive

Tom Fox and Jonathan Armstrong, renowned expert in cyber security, co-host the award-winning Life with GDPR. Jonathan is on a short hiatus and in this episode, we have a special guest, Karen Moore who discusses the EU’s Corporate Sustainability-Due Diligence Directive.

Karen Moore is a well-versed professional in the area of impact assessments and due diligence, with a particular focus on human rights and environmental issues to prevent and address potential harm. Her perspective, shaped by her extensive experience, is that impact assessments and due diligence are key indicators of a corporation’s commitment to preserving the environment and upholding human rights.

Moore emphasizes the importance of these processes not only within a company’s own activities, but also within those of its suppliers and indirect suppliers. She stresses the need for a robust due diligence process, including tracking progress, publishing annual statements, implementing complaints procedures, and involving all employees.

Additionally, she highlights the challenges of managing these processes, such as complex questionnaires for third-party suppliers and the need for streamlined assessments. She believes in a proactive approach to corporate responsibility, going beyond regulatory requirements to foster sustainable practices and ethical decision-making.

 Key Takeaways:

  • Ethical and Sustainable Business Practices Compliance Guidelines
  • Ethical Evaluation for Data Privacy Compliance in the US
  • Ethical Data Handling for GDPR Compliance
  • Ethical Business Practices in Supply Chains

 Resources:

Connect with Tom Fox

Connect with Jonathan Armstrong

Connect with Karen Moore

Categories
Blog

Insights on the EU Corporate Sustainability Due Diligence Directive from GDPR

Regarding corporate social responsibility and data protection, impact assessments and due diligence can seem like a labyrinth of legal jargon and regulatory requirements. However, understanding the importance of these processes is crucial for any corporation looking to not only comply with regulations but also build trust with customers and stakeholders. In this blog post, we will dive into the intricacies of impact assessments and due diligence, answering common questions and providing practical tips for corporations navigating the complexities of the Corporate Sustainability Due Diligence Directive (CSDDD).

We will consider the following questions:

  1. What role does GDPR compliance play in navigating the complexities of the CSDDD?
  2. Why are privacy impact assessments important for the CSDDD?
  3. How can corporations comply with the CSDDD?

In the ever-evolving landscape of corporate responsibility and ethical governance, staying ahead of regulatory directives is crucial for businesses looking to comply and positively impact society and the environment. One such directive that is making waves in the corporate world is the CSDDD. In the wake of its near full adoption by the European Council, the implications of this directive are profound, prompting organizations to rethink their approach to sustainability, human rights, and environmental impact.

The parallels between the CSDDD and the General Data Protection Regulation (GDPR) serve as a reminder of the importance of proactively addressing ethical considerations within corporate governance. Just as with the GDPR, which focuses on data privacy and protection, the CSDDD underscores the necessity of corporate diligence in ensuring environmental responsibility, human rights protection, and fair business practices.

GDPR compliance is a critical component of navigating the complexities of the CSDDD. GDPR sets strict guidelines for how companies handle the personal data of EU citizens. By ensuring compliance with GDPR regulations, corporations can demonstrate their commitment to data protection and privacy, essential for building trust with customers and stakeholders in today’s data-driven world. One of the key components of GDPR compliance is to conduct regular audits of your data processing activities to ensure compliance with GDPR requirements. Implement robust data protection measures, such as encryption and access controls, to safeguard personal data and mitigate the risk of data breaches.

The essence of both GDPR and CSDDD is to take a proactive approach to compliance. By instilling a culture of responsibility within the organization, companies can effectively navigate the complexities of regulatory frameworks like the CSDDD. From conducting impact assessments to tracking progress and publishing annual statements, the directive emphasizes transparency and accountability in corporate operations.

Compliance with the CSDDD requires a proactive approach to data protection and privacy. Corporations must establish robust data governance frameworks, implement privacy-by-design principles, and regularly audit their data processing activities. By prioritizing data protection and privacy, corporations can demonstrate their commitment to responsible data management and build trust with customers and stakeholders. You should work to develop a data protection policy that outlines your organization’s commitment to data protection and privacy. Train employees on data protection best practices and provide ongoing support to ensure compliance with the CSDDD.

This is also true of privacy impact assessments (PIAs), essential for identifying and mitigating privacy risks associated with data processing activities. By conducting a PIA, corporations can assess the potential impact of their data processing activities on individuals’ privacy rights and take steps to minimize any adverse effects. PIAs are especially important in the context of the CSDDD, where data protection and privacy are paramount concerns. You should work to integrate privacy impact assessments into your data processing workflows to identify and address privacy risks proactively. Engage with data protection authorities and stakeholders to ensure transparency and accountability in your privacy practices.

While the CSDDD is a European directive, its reach extends beyond the EU’s borders, impacting US companies with significant operations or income derived from the region. This broad scope necessitates a thorough evaluation of supply chains, supplier relationships, and potential risks associated with non-compliance. The CSDDD’s requirements for due diligence and supplier engagement underscore the interconnected nature of global business operations.

As organizations strive to align with the CSDDD, integrating existing laws and guidelines from related legislation, such as GDPR, becomes essential. From incorporating OECD guidelines to addressing human rights and environmental impact, companies must adopt a comprehensive approach to compliance. By leveraging technological solutions and strategic staffing, businesses can streamline their compliance efforts and enhance their impact on society and the environment.

The convergence of directives like the CSDDD and GDPR heralds a new era of ethical governance for businesses worldwide. By embracing the principles of sustainability, human rights protection, and environmental stewardship, organizations can meet regulatory requirements and contribute to a more responsible and equitable corporate landscape. As we navigate the complexities of corporate responsibility, let us heed the lessons from these directives and strive to do the right thing, both ethically and legally.

Navigating the complexities of impact assessments and due diligence in the context of the CSDDD may seem daunting. Still, with a proactive approach to data protection and privacy, corporations can demonstrate their commitment to responsible data management and build trust with customers and stakeholders. By prioritizing GDPR compliance, conducting privacy impact assessments, and implementing robust data protection measures, corporations can navigate the complexities of the CSDDD effectively.

Categories
TechLaw10

TechLaw10: Eric Sinrod & Jonathan Armstrong on 5 years of GDPR

In this edition of TechLaw10,  Jonathan Armstrong talks to Attorney and Professor Eric Sinrod from his home in California. They discuss the fifth anniversary of GDPR coming into force.

The topics include:

  • What are the fine levels under GDPR?
  • The use of Data Protection Impact Assessment
  • Cookies
  • AI
  • Data Transfer
  • The rise of GDPR-like legislation around the world
  • The future of GDPR

You can listen to earlier TechLaw10 audio podcasts with Eric and Jonathan at https://www.duanemorris.com/site/techlaw10.html

Connect with the Compliance Podcast Network at:

LinkedIn: https://www.linkedin.com/company/compliance-podcast-network/
Facebook: https://www.facebook.com/compliancepodcastnetwork/
YouTube: https://www.youtube.com/@CompliancePodcastNetwork
Twitter: https://twitter.com/tfoxlaw
Instagram: https://www.instagram.com/voiceofcompliance/
Website: https://compliancepodcastnetwork.net/

Categories
Blog

Solar Winds Under GDPR: Corporate Responsibility and Risks in Data Protection

The General Data Protection Regulation (GDPR) has significantly changed how organizations handle data protection and privacy. It emphasizes the importance of transparency and honesty in disclosing data breaches and vulnerabilities. In a recent episode of the podcast Life with GDPR, Tom Fox and Jonathan Armstrong from Cordery Compliance discussed the topic of corporate responsibility and risks in data protection, with a particular focus on the SolarWinds case.

To recap, in late 2023, the SEC filed a lawsuit against SolarWinds Corp and its CISO, Tim Brown, following the 2020 data breach, bringing the issue of executive liability in cybersecurity disclosures to the forefront. The lawsuit raised important questions about the personal liability of senior executives for inaccurate risk disclosures and has potential implications for other industries under US securities law.

The 2020 breach, orchestrated by Russian hackers, targeted SolarWinds’ software, Orion, and exposed highly sensitive information. The hackers gained access to SolarWinds and planted spyware in the Orion program. SolarWinds then distributed an update to its corporate customers, unknowingly spreading the Russian spyware. This allowed the hackers to access the highest levels of the US government and major corporations.

The SEC’s lawsuit against SolarWinds and Tim Brown focused on the poor disclosures about the company’s information security throughout 2018, 2019, and 2020. While SolarWinds publicly claimed to have good cybersecurity, internal communications revealed that employees were aware of the company’s cybersecurity issues and considered them a mess. This discrepancy between internal knowledge and external disclosures formed the basis of the SEC’s allegations.

The SEC complaint alleged that SolarWinds’ public statements about its cybersecurity practices and risks were at odds with its internal assessments, including a 2018 presentation prepared by a company engineer and shared internally, including with Brown, that SolarWinds’ remote access set-up was “not very secure” and that someone exploiting the vulnerability “can do whatever without us detecting it until it’s too late,” which could lead to “major reputation and financial loss” for SolarWinds. Similarly, as alleged in the SEC’s complaint, 2018 and 2019 presentations by Brown stated, respectively, that the “current state of security leaves us in a very vulnerable state for our critical assets” and that “[a]ccess and privilege to critical systems/data is inappropriate.”

Beyond this SEC enforcement action, there were other implications as well. One key takeaway from the episode is the pressure on corporate leaders, including CISOs, Data Protection Officers, and Compliance Officers, to disclose data breaches promptly. While GDPR offers some protection to Data Protection Officers, they are not entirely exempt from liabilities. The SolarWinds case serves as a reminder of the need for specific and timely disclosure of breaches and the importance of addressing system vulnerabilities.

The risks associated with data breaches are not limited to regulatory fines. Litigation risks are a significant concern for organizations, with shareholders and whistleblowers potentially seeking legal action. The episode highlights the importance of transparency and not misrepresenting information to regulators. Misrepresentations can lead to severe consequences for individuals in positions of responsibility within corporations.

Budget constraints can also hinder the timely fixing of vulnerabilities, ultimately leading to breaches. Organizations need to take proactive measures to identify and address vulnerabilities promptly. Realistic resource assessments are crucial to ensuring that adequate resources are allocated to data protection efforts. Additionally, having adequate insurance protection, such as Directors and Officers (D&O) insurance, can help protect individuals in positions of responsibility from potential liabilities.

The episode also emphasizes the need for organizations to consider the impact on their stock exchange filings when deciding whether to disclose a data breach. The decision to admit a violation of a stock exchange can be challenging and depends on factors such as materiality. Organizations need to assign a dedicated team to consider these factors, mainly when engaged in transactions like mergers and acquisitions or fundraising.

Transparency and honesty are key principles in data protection and privacy. Audit reports and investigation findings must be acted upon promptly to address vulnerabilities. Emails and other forms of communication can serve as evidence in legal proceedings, highlighting the importance of careful communication within organizations.

The potential for litigation is significant in data breach cases. Shareholders may seek legal action if they believe the value of their stock has been affected. Whistleblowers, incentivized by various jurisdictions, may also come forward with information. This highlights the need for organizations to maintain a culture of transparency and integrity and for individuals to review their remuneration packages to avoid conflicts of interest.

In conclusion, GDPR, corporate responsibility, and risks in data protection are interconnected. Organizations must prioritize transparency, honesty, and timely disclosure of breaches and vulnerabilities. Proactive measures, realistic resource assessments, and adequate insurance protection are crucial to mitigating risks. By considering the impact on stock exchange filings and maintaining a culture of integrity, organizations can navigate the challenges associated with data protection and privacy in the GDPR era.

Categories
Life with GDPR

Life With GDPR: Critical Perspectives on Big Law Firm Cybersecurity

Tom Fox and Jonathan Armstrong, renowned experts in cyber security, co-host the award-winning Life with GDPR. In this episode, they look at a breach of a big law.

In the wake of a recent spearphishing attack and data breach at a UK law firm, the legal community is abuzz with discussions on the responsibility of lawyers to prevent such attacks. Tom Fox, known for his critical perspective on big law firms, highlights the mistakes made by the firm in question, emphasizing the increasing concern over cyber-attacks targeting law firms and the need for timely reporting to regulatory authorities. Jonathan Armstrong, on the other hand, underscores the importance of proactive cybersecurity measures and timely reporting, commending the firm for taking immediate action but criticizing the delay in reporting the breach. Both Fox and Armstrong bring their unique perspectives shaped by their experiences in the field. Join them on this episode of the Life with GDPR podcast as they delve deeper into this topic.

Key Takeaways:

  • A spearphishing Attack Leads to Data Breach
  • Cybersecurity Measures for Law Firms
  • The Power of Dedicated Data Protection Training

 Resources:

For more information on the issues raised in this podcast, check out the Cordery Compliance News Section. For more information on Cordery Compliance, go to their website here.

Also, check out the GDPR Navigator, one of the top resources for GDPR compliance, by clicking here. Check out the Cordery Data Breach Academy here.

Connect with Tom Fox

●      LinkedIn

Connect with Jonathan Armstrong

●      Twitter

●      LinkedIn

Categories
31 Days to More Effective Compliance Programs

One Month to a More Effective Compliance Program Through Data Analytics: Day 10 – The Impact of Privacy Regulations on Compliance

What is the impact of privacy regulations on data-driven compliance? Every CCO must be aware of the importance of privacy in data-driven compliance and the challenges and tradeoffs involved in implementing effective compliance strategies. A key mandate is for CCOs and compliance professionals to have a compliance program that provides visibility into their data. This emphasizes the importance of having efficient and effective compliance solutions in place or as I have previously noted CCOs must have access to their compliance data literally at their fingertips.

This is one of the drivers for key trends shaping compliance technology in 2025 and beyond. The RegTech market is growing rapidly, and there is increased regulatory focus on cryptocurrency activities, ESG, and information security and cybersecurity. These trends indicate the evolving landscape of compliance and the need for organizations to stay updated and adapt their compliance strategies accordingly. By embracing connected compliance and leveraging technology, organizations can navigate the complex regulatory landscape and ensure compliance with privacy regulations while driving business efficiency.

 Three key takeaways:

  1. CCOs and compliance professionals must have a compliance program that provides visibility into their data.
  2. ESG regulations affect not only regulated industries but also any company holding private customer data or involved in large supply chains.
  3. By embracing connected compliance and leveraging technology, organizations can navigate the complex regulatory landscape and ensure compliance with privacy regulations while driving business efficiency.

For more on KonaAI, click here.