Life with GDPR

Episode 33- Lessons Learned in Year 1 of GDPR, Part 3

In this podcast, data privacy/data security expert Jonathan Armstrong and Compliance Evangelist Tom Fox use the framework of GDPR to discuss a wide range of issues relating to these topics. They consider what the US compliance and InfoSec security expert needs to know about what is happening in the UK, Europe and beyond. In this episode, we conclude our three-part series of some of the key lessons learned from the first year of GDPR. Some of the issues and highlights are:
Remediate then report. The remediation of an issue before reporting can be the key issue for regulators on whether they will move forward with a more public spanking. It is important to show that you have learned lessons and applied them to the facts of your data breach. Don’t try and cheat the victims by imposing new contractual terms, as Equifax did in its recent settlement. Think of the simple way for a data breach to occur: a briefcase left on the Tube.
Don’t Diss the DPA. Why would a company take on the regulator? You must respect the regulator even if you disagree with them. You can make a bad situation worse by attacking the regulators. This does not mean you cannot forcefully argue your position or zealously represent your client, but calling regulators idiots in public filings will not help your position or your case.
Keep logs. This is important in case you need to revisit a decision later. Regulators can ask to see these logs at any time, not simply during an investigation or enforcement action. A compliance officer should be involved in the maintenance of the log system. Document, document, document. Unannounced inspections are beginning to occur.
Debrief and Learn. Revisit the facts to see what lessons are to be learned. Continuous improvement. Even on a journey of 1000 miles, it is important to look back. Once again, if you make a change due to a breach or other event, document what you have done so you can show the regulators.
For more information on Cordery Compliance, go to their website here.
For more information on data breaches, see here.
Also check out the GDPR Navigator, one of the top resources for GDPR Compliance by clicking here.
This Week in FCPA

Episode 171 – the Jay Clayton Speaks (or not) edition

As SEC Chair Jay Clayton scolds the rest of the world for its lack of anti-corruption enforcement and does say why he wants to dump a PCAOB Member, Tom and Jay are back to discuss some of this week’s top compliance and ethics stories which caught their collective eyes.

  1. SEC Chair scolds weak overseas anti-corruption enforcement. Dave Michaels reports in the WSJ Risk and Compliance Journal.
  2. Why does SEC Chairman want to get rid of PCAOB member, Kathleen Hamm? Francine McKenna explores in MarketWatch.
  3. Fair Pay to Play? California passes law allowing college athletes to be compensated. Michael McCann reports in com.
  4. Did the SFO put in a ‘self-certification’ requirement in its recent Guidance on Cooperation? Aziz Rahman says yes in the FCPA Blog.
  5. How can independent integrity monitors help to limit adverse consequences in health care? Jay concludes his series on monitors in the health care industry in CCI.
  6. NYU PCCE gets new Executive Director as Alycin Cooley joins the group. NYU Compliance and Enforcement Blog.
  7. How can you process personal employee data under GDPR? Laura Wright, Sarah Greenwood and Andrew Reeves opine in the FCPA Blog.
  8. What happens when employees’ ethical values are greater than those shown by their employer? Michael Toebe explores in an interesting post on CCI.
  9. One commentator suggests we hold back on international enforcement against bribe-takers. Anton Moiseienko writes in the FCPA Blog.
  10. Tom continues his preview of the Converge19 speakers in a special bonus series of podcasts on the Compliance Podcast Network. Check out the following: Monday, Ricardo Pellafone and Ashley Lewis on Building Your Brand; Tuesday, Michael Williamson on moving to a values-based culture; Wednesday, Mike Volkov on the Nuts and Bolts of Sanctions Compliance; Thursday, Nicole Pitts on Increasing Employee Engagement; and Friday, Eric Feldman on the CCO’s role in performance management. The podcast is available on multiple sites: the FCPA Compliance Report, iTunes, JDSupra, Megaphone, YouTube, Spotify and the Compliance Podcast Network.
  11. The Everything Compliance gang will be doing its first live podcast at Converge19. You should be there! Listeners to this podcast can obtain a complimentary ticket by using the promotion code foxvip, for registration and information, click here.

Tom Fox is the Compliance Evangelist and can be reached at tfox@tfoxlaw.com. Jay Rosen is Mr. Monitor and can be reached at jrosen@affiliatedmonitors.com. For more information on how an independent monitor can help improve your company’s ethics and compliance program, visit our sponsor Affiliated Monitors at www.affiliatedmonitors.com.

Life with GDPR

Episode 32- Lessons Learned in Year 1 of GDPR, Part 2

In this podcast, data privacy/data security expert Jonathan Armstrong and Compliance Evangelist Tom Fox use the framework of GDPR to discuss a wide range of issues relating to these topics. They consider what the US compliance and InfoSec security expert needs to know about what is happening in the UK, Europe and beyond. In this episode, we continue our three-part series of some of the key lessons learned from the first year of GDPR. Some of the issues and highlights are:
DPIA Everything. It’s mandatory under GDPR. It is a process analysis, so you will need Subject Matter Expertise. How often do you revisit your DPIA? Regulators are beginning to look at the process of your DPIA. When a new process comes into play, you should do a new DPIA. Do you require a DPIA when you hire a 3rd party vendor or in the M&A situation? If not, you should do so moving forward.
Do SARs and DSRs real good. How do you deal with these types of request? More importantly, do you have a centralized team to understand the reason behind the request? Who could make that analysis? Is it a work in progress for your organization? A robust response to SARs is critical, as they are here to stay as a core component of GDPR.
Respect the time. Time limits are much more generous in the US. Some regulators suggest not to be obsessed with time. Will courts allow ‘reasonable delay’? US corporations have tried to extend the 72 hour deadline with time zone arguments and other ridiculous arguments. (Listen for the Thanksgiving Weekend exemption.) Regulators can fine you for being late. Are US companies getting the message? It’s a mixed bag; some are not.
For more information on Cordery Compliance, go to their website here.
For more information on data breaches, see here.
Also check out the GDPR Navigator, one of the top resources for GDPR Compliance by clicking here.
Life with GDPR

Episode 31-Lessons Learned in Year 1 of GDPR, Part 1

In this podcast, data privacy/data security expert Jonathan Armstrong and Compliance Evangelist Tom Fox use the framework of GDPR to discuss a wide range of issues relating to these topics. They consider what the US compliance and InfoSec security expert needs to know about what is happening in the UK, Europe and beyond. In this episode, we begin a three-part series of some of the key lessons learned from the first year of GDPR. Some of the highlights in this episode include:
Do you have a plan? You need to have a plan for a data breach because it is not if but when you will be hacked. Armstrong advises you can have two plans: one for all employees, which is straightforward so that all employees will be able to understand it, and a second plan, which you rehearse, for all compliance/IT/data security staff. It should be process driven so it allows flexibility for those responding.
Know your data and know your third parties. Many companies have disaggregated data because they have so many vendors and platforms where data is stored. You must know who has your data. Do you have visibility into 3rd, 4th and 5th parties from the data perspective? You should also capture where data is going in an organization, particularly customer and employee data. Finally, and sadly overlooked by many US companies, is the question of data protection for a US parent when a UK/EU subsidiary is audited.
Assemble your data response team now and practice, practice, practice. You need to look at your data security response. What does the A Team teach you about data response? You should strive for strength in diverse skills and practice your response. Look at PR rapid response, your compliance response and your legal response, all in addition to your IT/data security response. Regulators are looking at share price drop-off, which shows the need for a rapid, practiced response.
For more information on Cordery Compliance, go to their website here.

For more information on data breaches, see here.
Also check out the GDPR Navigator, one of the top resources for GDPR Compliance by clicking here.
Everything Compliance

Everything Compliance-Episode 50-July Reflections Edition

Welcome to the only roundtable podcast in compliance. Today, we have the full quintet of Mike Volkov, Jay Rosen, Matt Kelly, Jonathan Armstrong and Sarah Hadden. Rants and shout outs follow the commentary for this episode.

  1. Jay Rosen considers why governmental entities other than the federal government benefit from independent integrity monitors in their oversight capacity. This includes state AGs, state regulators, counties, cities and school districts. Jay reflects on the anniversary of his father’s death and shouts out to his memory for all the great advice he got from him.
  2. Jonathan Armstrong considers how the ICO has bared its teeth in two recently proposed enforcement actions for data breaches: British Airways and Marriott. Jonathan shouts out to the England team which won the recently concluded Cricket World Cup and to the graciousness in defeat of the New Zealand team which lost in heartbreaking fashion.
  3. Sarah Hadden reflects on her six-month ride as owner/publisher of Corporate Compliance Insights. Hadden shouts out to a team of female filmmakers who have formed One Vote at a Time, dedicated to the eradication of gun violence. Not only do they believe in a future free of gun violence but they deploy skills to elect legislators at all levels of government to fight for it.
  4. Matt Kelly considers the compliance lessons from the Trump Administration’s detention camps on the US/Mexico border. Kelly rants about the USOC which is hiring its very first CCO. He also notes that it took him six clicks to find the USOC Code of Conduct on the Commission’s website.
  5. Mike Volkov discusses the new DOJ Antitrust Division’s Evaluation of Corporate Compliance Programs in Criminal Antitrust Investigations. Volkov shouts out to the Greater Houston Business and Ethics Roundtable (GHBER) as a model for local business ethics groups.
  6. Tom joins in a shout out to the author Andrea Camilleri, who, at the age of 69, took up mystery novel writing and came up with the Inspector Montalbano detective books.

The members of the Everything Compliance are:

The host and producer (and sometime panelist) of Everything Compliance is Tom Fox the Compliance Evangelist. Everything Compliance is a part of the Compliance Podcast Network.

Life with GDPR

Life With GDPR: Episode 30- British Airways GDPR Enforcement Action

In this podcast, data privacy/data security expert Jonathan Armstrong and Compliance Evangelist Tom Fox use the framework of GDPR to discuss a wide range of issues relating to these topics. They consider what the US compliance and InfoSec security expert needs to know about what is happening in the UK, Europe and beyond. In this episode, we discuss the recently announced proposed fine by the UK Data Protection Regulator against British Airways (BA) after its data breach. The regulator intends to fine the airline £183.39 million (approximately $230MM).
Some of the highlights in this episode include:
  1. This proposed fine represents the largest GDPR fine in the UK.
  2. As the fine is now open to comment by BA and other national data protection regulators, the amount of the final fine may change.
  3. The BA CEO comes out swinging against this fine.
  4. What was the role of the ICO as ‘lead regulator’?
  5. Will BA’s tone-deaf posturing hurt or help it with the final penalty?
  6. What did BA know and when did they know it (yes, that is the famous Watergate question) will be a critical analysis.
  7. What remedial measures did BA engage in after it became aware of the breach?
  8. What are the lessons to be learned by the data privacy officer?
For more information on Cordery Compliance, go to their website here.
For additional reading see the Cordery Compliance article, “UK Data Protection Regulator Announces Intention to Fine BA after Data Breach”.
Also check out the GDPR Navigator, one of the top resources for GDPR Compliance by clicking here.
Daily Compliance News

Daily Compliance News: July 9, 2019, the who you gonna call edition

In today’s edition of Daily Compliance News:

  • ICO proposes a $230MM fine to BA for data breach. (CorderyCompliance)
  • Carnival Corp to hire first CCO. (WSJ)
  • Who answers 911 calls? (Hint: Not the Ghostbusters) (NYT)
  • New DFS chief wants to protect consumers. (WSJ)
Daily Compliance News

Daily Compliance News: July 2, 2019, no job for you edition

In today’s edition of Daily Compliance News:

  • Is GDPR holding businesses back? (FT)
  • Non-Competes for Interns? Really? (WSJ)
  • Will Trump’s goal of energy independence kill off the US energy industry? (NYT)
  • The worst run franchise in the NBA takes its ineptness to a new level. (Sports Illustrated)
Daily Compliance News

Daily Compliance News: June 8, 2019-the thrown under the bus edition

In today’s edition of Daily Compliance News:

  • FIFA VP detained for questioning by French Police. (NYT)
  • In the UK, expect fines to increase under GDPR. (Compliance Week)
  • Want to go to the ISS? NASA has a ticket for you (limited leg room in coach). (NYT)
  • What happens when a new CEO throws the old CEO ‘under the bus’? Meg Whitman explains. (FT)
Life with GDPR

Life With GDPR: Episode 29- GDPR Year 1 Review-Part II, the Issues

In this podcast, data privacy/data security expert Jonathan Armstrong and Compliance Evangelist Tom Fox use the framework of GDPR to discuss a wide range of issues relating to these topics. They consider what the US compliance and InfoSec security expert needs to know about what is happening in the UK, Europe and beyond. This episode is the second of a two-part series where Jonathan Armstrong and I consider some of the highlights from the first year of GDPR implementation and enforcement. In Part I we considered some of the enforcement numbers. In this Part II, we discuss some of the substantive issues. Some of the highlights in this episode include:
  1. Security issues-multiple regulators for large breaches and questions of whether TOMs are adequate.
  2. 6 Principles of GDPR-highest is around transparency.
  3. Data Subject Rights are seen as the biggest corporate pain points.
  4. DPIAs have been embraced by many companies and are seen by regulators as the backbone of a corporate compliance program around data security/data privacy.
  5. Industry sweeps are beginning to occur.
  6. Mixed quality of legal advice is hurting many companies in their compliance efforts.
  7. Some significant cases are headed to trial and then appeal.
  8. GDPR is here to stay.
For more information on Cordery Compliance, go to their website here.
For additional reading see the Cordery Compliance article, “GDPR One Year On”.
Also check out the GDPR Navigator, one of the top resources for GDPR Compliance by clicking here.