What Compliance Needs to Know About Data Privacy and Security
Lauren Connell, Managing Associate at The Volkov Law Group, rejoins us for a post on data privacy and compliance. Lauren can be reached at [email protected]
You don’t have to be a tech-savvy computer genius to address the basics of data privacy. Like many areas that compliance departments oversee, asking the right questions and getting the right internal controls in place are the most important first steps for addressing data privacy concerns within an organization. The problem is, most companies aren’t taking them.
Data Privacy compliance is built on the same foundation as other regulatory regimes compliance professionals are already familiar with – the FCPA, the BSA, and others. Compliance Departments in the healthcare industry are familiar with data privacy but most other industries have not built an infrastructure for compliance. That needs to change.
The US lags far behind many other countries around the world in implementing comprehensive data privacy laws. This means many US-based compliance professionals are not as familiar with what data privacy laws are and, equally important, how a company complies. Especially for companies doing business internationally, this is a small but quickly growing problem. While enforcement has been low relative to the high penalties we’ve seen for anti-corruption enforcement, we are experiencing a perfect storm: the volume of data and sophistication of technology is growing while more countries are enacting and strengthening data privacy laws.
Europe has taken the lead in data privacy. US companies used to rely upon a safe harbor when transferring personal data to the US, such as for credit card transactions or employee data, but that safe harbor, which had been in place for 15 years, was struck down in the Fall of 2015. Shortly thereafter, Germany fined three companies that had continued relying on this safe harbor after it was struck down. In that enforcement action, Adobe, Punica (a Pepsi subsidiary), and Unilever were fined $32,000.
Enforcement and legal activity continues at a fast pace. On February 2, 2017, Italy imposed a record data privacy fine of €5.9 million on a UK company for violating Italian data privacy consent rules. In that case, the UK company had sent money transfers to China without consent of users. A few days later, on February 7, 2017, Russia enacted a law increasing fines for violating Russian data protection laws.
In 2018, the EU’s General Data Protection Regulation will come into effect, introducing fines of up to €20 million or 4% of annual revenue, whichever is greater, for data breaches. In the future we may see much larger fines; now is the time for Compliance Departments to act.
At their heart, compliance departments mitigate regulatory risks – data privacy laws are not an exception. As a new but quickly growing area of concern, compliance professionals who take an active approach, putting into place basic data privacy components, will find themselves far ahead of their colleagues. Addressing data privacy should be done the same way other risks are: assess your risk sources, design appropriate risk mitigation steps (such as policies & procedures, assigning responsibility, training, and setting up internal controls), and then implement. To do so, compliance professionals must work closely with their IT department, relying upon them as a partner similar to HR.
Addressing data privacy is not as easy as other compliance department risk areas – but it is increasingly dangerous to ignore it. Perhaps just as worrisome as the legal repercussions, we have all seen the adverse media coverage that results from lax data privacy and control standards – just ask Home Depot, Target, or Yahoo, which were all the target of data security breaches and paid dearly in the news for them. Taking the time to put your company on the right path now will save you time and effort in the future and may even save you significant fines and bad publicity.