Everything Compliance

Everything Compliance-Episode 60


Welcome to the only roundtable podcast in compliance. Today, we have a serving of Jonathan Armstrong, Jay Rosen, Matt Kelly, and our newest panelist Jonathan Marks with a veritable potpourri of topics and issues. Rants and shout outs (with commentary) conclude this episode.

  1. Jonathan Armstrong celebrates the anniversary of GDPR by looking back over the past year at some of the key decisions and enforcement actions.
  2. Jay Rosen takes a look at a rare release of a monitor’s report in the Wynn Casino monitorship and data-mines it for the compliance professional.
  3. Matt Kelly considers the difference in response by Facebook v. Twitter to the incendiary and racist tweets by Donald Trump.
  4. Jonathan Marks looks at the DOJ’s 2020 Update to the 2019 Evaluation of Corporate Compliance Programs.
  5. Tom Fox talks about how fighting racism and white supremacy is the responsibility of everyone. It is based on a piece by Ben DiPietro here.

The members of Everything Compliance are:

  • Jay Rosen – Jay is Vice President, Business Development Corporate Monitoring at Affiliated Monitors. Rosen can be reached at JRosen@affiliatedmonitors.com
  • Mike Volkov – One of the top FCPA commentators and practitioners around and the Chief Executive Officer of The Volkov Law Group, LLC. Volkov can be reached at mvolkov@volkovlawgroup.com
  • Matt Kelly – Founder and CEO of Radical Compliance. Kelly can be reached at mkelly@radicalcompliance.com
  • Jonathan Armstrong – is our UK colleague, who is an experienced data privacy/data protection lawyer with Cordery in London. Armstrong can be reached at armstrong@corderycompliance.com
  • Jonathan Marks – Partner, Firm Practice Leader – Global Forensic, Compliance & Integrity Services at Baker Tilly. Marks can be reached at marks@bakertilly.com

The host and producer (and sometime panelist) of Everything Compliance is Tom Fox, the Compliance Evangelist. Everything Compliance is a part of the Compliance Podcast Network. He can be reached at tfox@tfoxlaw.com

Life with GDPR

Verbal Reporting under GDPR


In this episode Jonathan Armstrong and I are back to discuss issues relating to data privacy, data protection and GDPR. Today, we consider the issue of verbal reporting under GDPR, in the context of the case of Scott v. LGBT Foundation. Some of the highlights are:

  1. What were the issues and interests involved in this case?
  2. What is a relevant filing system for automated data under GDPR?
  3. When do public health and safety outweigh data privacy?
  4. Was Scott’s data processed by the LGBT Foundation?
  5. What is the necessity test?

Check out the Cordery Compliance client alert on the case of Scott v. LGBT Foundation by clicking here. For more information on Cordery Compliance, go to their website here. Also check out the GDPR Navigator, one of the top resources for GDPR Compliance, by clicking here.

Compliance Kitchen

CCPA – GDPR Comparison, ETIAS Registration for EU Travel


Stop by for a quick visit on CCPA and GDPR, and on how to register for your future EU travel, when we can hopefully travel again.

Daily Compliance News

April 28, 2020 – the Mike Ward edition


In today’s edition of Daily Compliance News:

  • Has there been too little GDPR enforcement? (NYT)
  • Lessons for these ‘uncertain times’? (WSJ)
  • Tech tools can help compliance. (WSJ)
  • OSHA issues guidance. (WaPo)
Life with GDPR

Episode 35 – What does Brexit Mean for GDPR?

In this episode Jonathan Armstrong and I consider the implications of GDPR enforcement going forward after Brexit. Recognizing the situation is incredibly fluid, there are nevertheless some areas of risk management that you can begin to prepare for in the event of a deal for an orderly Brexit, a no-deal Brexit or an extension of the deadline. Some of the highlights in this episode include:

  1. What does Brexit mean for GDPR enforcement?
  2. How will the UK-ICO move forward after Brexit?
  3. What are the implications of a no-deal Brexit? What can a company do to prepare at this point?
  4. How will the Irish regulators react to Brexit?
  5. What will Brexit mean for internal investigations, both in the UK and EU?
  6. What happens if there is an extension?
Life with GDPR

Episode 33 – Lessons Learned in Year 1 of GDPR, Part 3

In this podcast, data privacy/data security expert Jonathan Armstrong and Compliance Evangelist Tom Fox use the framework of GDPR to discuss a wide range of issues relating to these topics. They consider what the US compliance and InfoSec expert needs to know about what is happening in the UK, Europe and beyond. In this episode, we conclude our three-part series on some of the key lessons learned from the first year of GDPR. Some of the issues and highlights are:

  1. Remediate, then report. Remediation of an issue before reporting can be the key factor for regulators in deciding whether to move forward with a more public spanking. It is important to show that you have learned lessons and applied them to the facts of your data breach. Don’t try to cheat the victims by imposing new contractual terms, as Equifax did in its recent settlement. Think of the simplest way for a data breach to occur: a briefcase left on the Tube.
  2. Don’t diss the DPA. Why would a company take on the regulator? You must respect the regulator even if you disagree with them. You can make a bad situation worse by attacking the regulators. This does not mean you cannot forcefully argue your position or zealously represent your client, but calling regulators idiots in public filings will not help your position or your case.
  3. Keep logs. This is important in case you need to revisit a decision later. Regulators can ask to see these logs at any time, not simply during an investigation or enforcement action. A compliance officer should be involved in the maintenance of the log system. Document, document, document. Unannounced inspections are beginning to occur.
  4. Debrief and learn. Revisit the facts to see what lessons are to be learned. Continuous improvement: even on a journey of 1,000 miles, it is important to look back. Once again, if you make a change due to a breach or other event, document what you have done so you can show the regulators.

For more information on Cordery Compliance, go to their website here.
For more information on data breaches, see here.
Also check out the GDPR Navigator, one of the top resources for GDPR Compliance, by clicking here.
This Week in FCPA

Episode 171 – the Jay Clayton Speaks (or not) edition

As SEC Chair Jay Clayton scolds the rest of the world for its lack of anti-corruption enforcement and does say why he wants to dump a PCAOB Member, Tom and Jay are back to discuss some of this week’s top compliance and ethics stories which caught their collective eyes.

  1. SEC Chair scolds weak overseas anti-corruption enforcement. Dave Michaels reports in the WSJ Risk and Compliance Journal.
  2. Why does SEC Chairman want to get rid of PCAOB member, Kathleen Hamm? Francine McKenna explores in MarketWatch.
  3. Fair Pay to Play? California passes a law allowing college athletes to be compensated. Michael McCann reports in com.
  4. Did the SFO put in a ‘self-certification’ requirement in its recent Guidance on Cooperation? Aziz Rahman says yes in the FCPA Blog.
  5. How can independent integrity monitors help to limit adverse consequences in health care? Jay concludes his series on monitors in the health care industry in CCI.
  6. NYU PCCE gets new Executive Director as Alycin Cooley joins the group. NYU Compliance and Enforcement Blog.
  7. How can you process personal employee data under GDPR? Laura Wright, Sarah Greenwood and Andrew Reeves opine in the FCPA Blog.
  8. What happens when employees’ ethical values are greater than those shown by their employer? Michael Toebee explores in an interesting post on CCI.
  9. One commentator suggests we hold back on international enforcement against bribe-takers. Anton Moiseeineko writes in the FCPA Blog.
  10. Tom continues his preview of the Converge19 speakers in a special bonus series of podcasts on the Compliance Podcast Network. Check out the following: Monday – Ricardo Pellafone and Ashley Lewis on Building Your Brand; Tuesday – Michael Williamson on moving to a values-based culture; Wednesday – Mike Volkov on the Nuts and Bolts of Sanctions Compliance; Thursday – Nicole Pitts on Increasing Employee Engagement; and Friday – Eric Feldman on the CCO’s role in performance management. The podcast is available on multiple sites: the FCPA Compliance Report, iTunes, JDSupra, Megaphone, YouTube, Spotify and the Compliance Podcast Network.
  11. The Everything Compliance gang will be doing its first live podcast at Converge19. You should be there! Listeners to this podcast can obtain a complimentary ticket by using the promotion code foxvip; for registration and information, click here.

Tom Fox is the Compliance Evangelist and can be reached at tfox@tfoxlaw.com. Jay Rosen is Mr. Monitor and can be reached at jrosen@affiliatedmonitors.com. For more information on how an independent monitor can help improve your company’s ethics and compliance program, visit our sponsor Affiliated Monitors at www.affiliatedmonitors.com.

Life with GDPR

Episode 32 – Lessons Learned in Year 1 of GDPR, Part 2

In this podcast, data privacy/data security expert Jonathan Armstrong and Compliance Evangelist Tom Fox use the framework of GDPR to discuss a wide range of issues relating to these topics. They consider what the US compliance and InfoSec expert needs to know about what is happening in the UK, Europe and beyond. In this episode, we continue our three-part series on some of the key lessons learned from the first year of GDPR. Some of the issues and highlights are:

  1. DPIA everything. It’s mandatory under GDPR. It is a process analysis, so you will need subject matter expertise. How often do you revisit a DPIA? Regulators are beginning to look at the process of your DPIA. When a new process comes into play, you should do a new DPIA. Do you require a DPIA when you hire a third-party vendor or in an M&A situation? If not, you should do so moving forward.
  2. Do SARs and DSRs really well. How do you deal with these types of request? More importantly, do you have a centralized team to understand the reason behind the request? Who could make that analysis? Is it a work in progress for your organization? A robust response to SARs is critical, as they are here to stay as a core component of GDPR.
  3. Respect the time. Time limits are much more generous in the US. Some regulators suggest not to be obsessed with time. Will courts allow ‘reasonable delay’? US corporations have tried to extend the 72-hour deadline with time zone arguments and other ridiculous arguments. (Listen for the Thanksgiving Weekend exemption.) Regulators can fine you for being late. Are US companies getting the message? It’s a mixed bag; some are not doing so.

For more information on Cordery Compliance, go to their website here.
For more information on data breaches, see here.
Also check out the GDPR Navigator, one of the top resources for GDPR Compliance, by clicking here.
Life with GDPR

Episode 31 – Lessons Learned in Year 1 of GDPR, Part 1

In this podcast, data privacy/data security expert Jonathan Armstrong and Compliance Evangelist Tom Fox use the framework of GDPR to discuss a wide range of issues relating to these topics. They consider what the US compliance and InfoSec expert needs to know about what is happening in the UK, Europe and beyond. In this episode, we begin a three-part series on some of the key lessons learned from the first year of GDPR. Some of the highlights in this episode include:

  1. Do you have a plan? You need to have a plan for a data breach, because it is not if but when you will be hacked. Armstrong advises you can have two plans: one for all employees, which is straightforward so that all employees will be able to understand it, and a second plan, which you rehearse, for all compliance/IT/data security staff. It should be process driven so it allows flexibility for those responding.
  2. Know your data and know your third parties. Many companies have disaggregated data because they have so many vendors and platforms where data is stored. You must know who has your data. Do you have visibility into third, fourth and fifth parties from the data perspective? You should also capture where data is going in an organization, particularly customer and employee data. Finally, and sadly overlooked by many US companies, is the question of data protection of a US parent when a UK/EU sub is audited.
  3. Assemble your data response team now and practice, practice, practice. You need to look at your data security response. What does the A-Team teach you about data response? You should strive for strength in diverse skills and practice your response. Look at PR rapid response, your compliance response and your legal response, all in addition to your IT/data security response. Regulators are looking at share price drop-off, which shows the need for a rapid, practiced response.

For more information on Cordery Compliance, go to their website here.
For more information on data breaches, see here.
Also check out the GDPR Navigator, one of the top resources for GDPR Compliance, by clicking here.
Everything Compliance

Everything Compliance-Episode 50-July Reflections Edition

Welcome to the only roundtable podcast in compliance. Today, we have the full quintet of Mike Volkov, Jay Rosen, Matt Kelly, Jonathan Armstrong and Sarah Hadden. Rants and shout outs follow the commentary for this episode.

  1. Jay Rosen considers why governmental entities other than the federal government benefit from independent integrity monitors in their oversight capacity. This includes state AGs, state regulators, counties, cities and school districts. Jay reflects on the anniversary of his father’s death and shouts out to his memory for all the great advice he got from him.
  2. Jonathan Armstrong considers how the ICO has bared its teeth in two recently proposed enforcement actions for data breaches: British Airways and Marriott. Jonathan shouts out to the England team which won the recently concluded Cricket World Cup and to the graciousness in defeat of the New Zealand team which lost in heartbreaking fashion.
  3. Sarah Hadden reflects on her six-month ride as owner/publisher of Corporate Compliance Insights. Hadden shouts out to a team of female filmmakers who have formed One Vote at a Time, dedicated to the eradication of gun violence. Not only do they believe in a future free of gun violence, but they deploy their skills to elect legislators at all levels of government to fight for it.
  4. Matt Kelly considers the compliance lessons from the Trump Administration’s detention camps on the US/Mexico border. Kelly rants about the USOC, which is hiring its very first CCO. He also notes that it took him six clicks to find the USOC Code of Conduct on the Commission’s website.
  5. Mike Volkov discusses the new DOJ Antitrust Division’s Evaluation of Corporate Compliance Programs in Criminal Antitrust Investigations. Volkov shouts out to the Greater Houston Business and Ethics Roundtable (GHBER) as a model for local business ethics groups.
  6. Tom joins in a shout out to the author Andrea Camilleri, who, at the age of 69, took up mystery novel writing and came up with the Inspector Montalbano detective books.

The members of Everything Compliance are:

The host and producer (and sometime panelist) of Everything Compliance is Tom Fox, the Compliance Evangelist. Everything Compliance is a part of the Compliance Podcast Network.