Category: Life with GDPR

GDPR Draft Guidance on Fines Calculation

Jonathan Armstrong and Tom Fox return for another episode of Life with GDPR. In this episode, we review the draft guidance on calculating fines recently issued by the European Data Protection Board (EDPB), entitled “Guidelines 04/2022 on the calculation of administrative fines under the GDPR”. Some of the highlights include:

1. There have been just under €1.5 billion in overall fines under GDPR.
2. Spain has the largest number of fines but the smallest monetary amount of fines.
3. The five-step calculation methodology.
4. What the aggravating and mitigating factors are.
5. Key takeaways from the draft guidance.

Resources

For more information on the draft guidance, check out the Cordery Compliance client alert on this topic; click here. For more information on Cordery Compliance, go to their website here. Also, check out the GDPR Navigator, one of the top resources for GDPR Compliance, by clicking here.

Category: Life with GDPR

FRC Report on Compliance with the UK Modern Slavery Act Update

Jonathan Armstrong and Tom Fox return for another episode of Life with GDPR. In this episode, we review the recently released report by the Financial Reporting Council (FRC), the UK Anti-Slavery Commissioner and Lancaster University Management School on a sample of a hundred major companies’ modern slavery statements and their strategic and governance reports. Some of the highlights include:

1. Why the Report?
2. Some successes but much criticism.
3. Public responses when slavery issues are uncovered.
4. Why contracts are a part of the solution.
5. Key takeaways from the Report.

Resources

For more information on the FRC Report, check out the Cordery Compliance client alert on this topic; click here. For more information on Cordery Compliance, go to their website here. Also, check out the GDPR Navigator, one of the top resources for GDPR Compliance, by clicking here.

Category: Everything Compliance

Episode 101, the Glencore Edition

Welcome to the only roundtable podcast in compliance as we celebrate our second century of shows. In 2021, Everything Compliance was honored by W3 as a top talk show in podcasting. In this episode, we have the quintet of Jonathan Marks, Karen Woody, Jonathan Armstrong, Tom Fox and Matt Kelly, and we take up the Glencore FCPA settlement. We conclude with our fan favorite Shout Outs and Rants.

1. Karen Woody takes a deep dive into the history of Glencore, from its founding by Marc Rich in the 1980s through the allegations of bribery, corruption and market manipulation which led to the FCPA and CFTC settlements. Woody shouts out the US national and state park systems, which provide much-needed green spaces for Americans.

2. Matt Kelly takes a deep dive into the CCO certification issue and what it might mean for individual CCO criminal liability going forward. Kelly has a dual shout out and rant. He shouts out the Boston Celtics for having the greatest NBA Finals Game 1 comeback to win the game. He rants about the DOJ failing to post the speech by AAG Kenneth Polite in which he announced the new requirement for CCO certification.

3. Jonathan Marks explores the role of internal audit in contributing to the compliance failures and what IA can do to facilitate a culture change at the company. Marks also has a dual shout out and rant. He shouts out the Philadelphia Phillies for firing manager Joe Girardi and rants about Glencore’s press release on its updated compliance, which, he rants, “says nothing”.

4. Tom Fox considers the dual monitor aspect of the resolution and the requirements of the monitorships. Fox reads out the names of the students and teachers who were killed in the recent massacre in Uvalde, TX.

5. Jonathan Armstrong explores the settlement from the UK perspective and considers what charges, if any, the UK Serious Fraud Office might bring against individuals. Armstrong shouts out the Queen’s Platinum Jubilee and Sir Andy Murray for speaking out against the murder of school children. Murray is a survivor of a similar event in Scotland.

The members of Everything Compliance are:
• Jay Rosen – Vice President, Business Development Corporate Monitoring at Affiliated Monitors. Rosen can be reached at JRosen@affiliatedmonitors.com
• Karen Woody – One of the top academic experts on the SEC. Woody can be reached at kwoody@wlu.edu
• Matt Kelly – Founder and CEO of Radical Compliance. Kelly can be reached at mkelly@radicalcompliance.com
• Jonathan Armstrong – Our UK colleague, an experienced data privacy/data protection lawyer with Cordery in London. Armstrong can be reached at jonathan.armstrong@corderycompliance.com
• Jonathan Marks – Partner, Firm Practice Leader, Global Forensic, Compliance & Integrity Services at Baker Tilly. Marks can be reached at jonathan.marks@bakertilly.com

The host and producer, ranter (and sometime panelist) of Everything Compliance is Tom Fox the Voice of Compliance. He can be reached at tfox@tfoxlaw.com. Everything Compliance is a part of the Compliance Podcast Network.

Category: Life with GDPR

Data Transfers from EU/UK to US

Jonathan Armstrong and Tom Fox return for another episode of Life with GDPR. In this episode, we take up the proposed agreement for data transfers from the EU (and UK) to the US. Some of the issues we consider in the myriad of questions around this latest version of Privacy Shield include:
1. Is this simply an agreement to agree?
2. Who will populate the independent court review in the US?
3. Will US spy agencies ever comply?
4. Will there be a real deal by the end of 2022?
5. Is this simply a temporary solution?

Resources

For more information on the new data transfer agreement, check out the Cordery Compliance client alert on this topic; click here. For more information on Cordery Compliance, go to their website here. Also, check out the GDPR Navigator, one of the top resources for GDPR Compliance, by clicking here.

Category: Life with GDPR

Clearview AI Redux

Jonathan Armstrong and Tom Fox return for another episode of Life with GDPR. In this episode, we consider the Italian Data Protection Authority’s (the Garante’s) €20m fine against Clearview AI for GDPR violations. It is the latest in a series of regulatory actions in Europe and in Australia against Clearview AI, and it also continues a trend of AI enforcement in Italy.
1. Who is Clearview AI?
2. What is this matter about?
3. The background facts and the Italian investigation.
4. What did the Garante say?
5. Lessons learned and next steps.

Resources

For more information on the Italian Clearview AI enforcement action, check out the Cordery Compliance client alert on this topic; click here. For more information on Cordery Compliance, go to their website here. Also, check out the GDPR Navigator, one of the top resources for GDPR Compliance, by clicking here.

Category: The ESG Report

Greenwashing or Getting in Trouble While Trying to Do Good with Jonathan Armstrong

Jonathan Armstrong has been looking at ESG from a unique angle for quite some time. In this episode of the ESG Report, he and Tom Fox take a look at greenwashing, and how trying to do good can end badly.

The Issue of Greenwashing
One area where people can do wrong by trying to do good is combining the energy crisis with ESG. Corporations attempt to get with the ESG program by talking about carbon neutrality or the use of renewable power, but many have gone beyond simply saying ‘We are carbon neutral!’ to sound more like ‘We’re doing what’s best for the planet!’ Making these claims potentially subjects your company to fair trading law across Europe, and can lead to fines or even prison in extreme cases, if the statement cannot be backed up.
 
The Dark Side
The production of solar panels, wind turbines and biofuels is associated with a number of issues, including forced labor, armed conflict, corruption, ecosystem destruction, and allegations of fraud and money laundering. Jonathan discusses all of these, making it clear that, “We shouldn’t necessarily assume green is good.”
 
Responses of the EU & UK
The biggest response has come from the UK parliament, which has held a specific inquiry into supply chains and made proposals for new legislation, including a toughening of the UK Modern Slavery Act. Jonathan’s advice is to perform complete due diligence on who is selling the goods, and where they are coming from, to ensure a good ESG program. “A corporation does not have a good ESG program if one of its first acts is being prosecuted for abuses involved in alternative fuel source production,” he tells listeners.

RESOURCES
Tom Fox’s email
Jonathan Armstrong | LinkedIn | Twitter
 

Category: Everything Compliance - Shout Outs and Rants

Everything Compliance – Shout Outs and Rants from Episode 98

In this episode of Shout Outs and Rants, we submit the following for your consideration:

1. Jay Rosen rants about the Academy of Motion Picture Arts and Sciences snubbing the director of Dune for Best Director when the picture won 6 other Oscars.

2. Matt Kelly shouts out the Golden Raspberry Foundation, which awards the ‘Razzies’, for withdrawing its previously created award for Worst Performance by Bruce Willis in a Bruce Willis Movie after the actor retired due to aphasia.

3. Jonathan Armstrong shouts out Tina Turner for advancing the cause of GDPR and explaining once and for all time ‘what’s love got to do with it.’

4. Karen Woody shouts out the magic of Harry Potter World in Orlando, which has what she described as ‘awesome’ roller coaster rides, well worth the 3-hour wait in line.

5. Tom Fox rants about the Academy of Motion Picture Arts and Sciences for its incompetent response to Will Smith slapping Chris Rock at the Oscars and reminds us that workplace violence is never acceptable.

The members of Everything Compliance are:

• Jay Rosen – Vice President, Business Development Corporate Monitoring at Affiliated Monitors. Rosen can be reached at JRosen@affiliatedmonitors.com
• Karen Woody – One of the top academic experts on the SEC. Woody can be reached at kwoody@wlu.edu
• Matt Kelly – Founder and CEO of Radical Compliance. Kelly can be reached at mkelly@radicalcompliance.com
• Jonathan Armstrong – Our UK colleague, an experienced data privacy/data protection lawyer with Cordery in London. Armstrong can be reached at armstrong@corderycompliance.com
• Jonathan Marks – Partner, Firm Practice Leader, Global Forensic, Compliance & Integrity Services at Baker Tilly. Marks can be reached at marks@bakertilly.com

The host and producer, ranter (and sometime panelist) of Everything Compliance is Tom Fox the Voice of Compliance. He can be reached at tfox@tfoxlaw.com. Everything Compliance is a part of the Compliance Podcast Network.

Category: Life with GDPR

The Case of the Rogue Employee

Jonathan Armstrong and Tom Fox return for another episode of Life with GDPR. In the 2020 Morrisons case, the UK Supreme Court ruled that an employer can be legally responsible for data breaches caused by its employees, although on the particular facts of that case the court ruled that Morrisons (the employer) was not liable for the actions of its rogue employee. In this episode, Tom and Jonathan look at the more recent case of Isma Ali v. Luton Borough Council, where the High Court ruled that in committing the data security breach the rogue employee had solely pursued her own interests, and so the employer was not liable for her conduct. Some of the issues we consider include:

1. What were the underlying facts of the case?
2. What was the court’s ruling?
3. Key takeaways for the data privacy and data protection practitioner, including:
• Take a close look at security measures and ensure that access rights are policed. Data loss prevention and monitoring systems should also be in place to check for large data files leaving the organization; depending on the circumstances, a rogue employee might be after a lot of data;
• Put in place appropriate policies and procedures to make sure that data protection principles like data security and data minimization are properly understood;
• Perform a Data Protection Impact Assessment for new processes;
• Make sure that employees in trusted roles are reliable and that their access rights are reviewed;
• Put in place and rehearse a data breach notification procedure, including detection and response capabilities;
• Train staff on all of the above; and
• Check existing insurance or take out new insurance to cover the range of potential risks, from “innocent” errors to the actions of a rogue employee.

Resources

Check out the Cordery Compliance client alert on this topic; click here. For more information on Cordery Compliance, go to their website here. Also, check out the GDPR Navigator, one of the top resources for GDPR Compliance, by clicking here.

Category: Life with GDPR

The Case of the Smart TV

Jonathan Armstrong and Tom Fox return for another episode of Life with GDPR. In this episode, we dissect the case of the Smart TV and consider its implications for de minimis cases brought under GDPR. Some of the issues we consider include:

1. What were the underlying facts of the case?
2. Was the case filed in the correct court (High Court)? If not, why not?
3. What was the court’s ruling?
4. What is the viability of a de minimis claim going forward?
5. When dealing with data protection infringement compensation claims, look to cases from other jurisdictions.
6. No matter how seemingly trivial, organizations should be prepared for such claims and manage them with care.

Resources

Check out the Cordery Compliance client alert on this topic; click here. For more information on Cordery Compliance, go to their website here. Also, check out the GDPR Navigator, one of the top resources for GDPR Compliance, by clicking here.

Category: Life with GDPR

GDPR: 10 Years After the Original Proposal

Jonathan Armstrong and Tom Fox return for another episode of Life with GDPR. In this episode, they celebrate the 10th anniversary of the initial proposal of the law which became GDPR. Some of the issues they consider include:

1. What was in the original proposal that did not become enacted in the final law?
2. Reduction in costs: what happened?
3. The Right to be Forgotten morphed into something very different from what was intended.
4. Fines, Fines, Fines.
5. Evolution of regulatory sophistication.
6. Criticism of regulators.

Resources
Check out the Cordery Compliance client alert on this topic; click here. For more information on Cordery Compliance, go to their website here. Also, check out the GDPR Navigator, one of the top resources for GDPR Compliance, by clicking here.