Section 2

Building Your Foundation


Implement What You Know with Confidence

Discover action-based tools that provide simple steps for program improvement or robust plans for new ways of doing business. 


Your ethics and compliance program is an ecosystem of moving parts. New laws and regulations, new lines of business, new geographies, and mergers and acquisitions all become part of a growing enterprise that your compliance ecosystem must support.

Effective compliance programs are able to deftly navigate these complexities because they have built strong foundations that were developed with the nature of the compliance industry in mind.

This section will give you the expert advice and programmatic best practices to ensure the first steps you take to develop your program are in the right direction. If your program is more mature, these resources and insights will give you the guidance you need to course correct and improve your program’s foundation at whatever stage it is in.


How to Survive General Data Protection Regulation (GDPR)

Chapter 9 of The Worst-Case Scenario Survival Guide for Compliance Professionals

Learn how to survive the General Data Protection Regulation (GDPR) with Tom Fox.

Tom Fox 03/21/2018



Understand the Rights Created Under GDPR

There are several new rights for which you will now need policies and procedures:

Right to Be Forgotten: An individual or entity can assert the right to have personal data erased without undue delay.

Right to Portability: An individual’s right to receive the personal data concerning themselves in a structured, commonly used and machine-readable format. This includes the right to transmit those data to another controller without hindrance from the original data collector.

Right to Object: An individual can object to being profiled, as in the case when personal data is processed for direct marketing purposes.

Subject Access Requests (SARs): A process whereby someone can exercise their right to gain access to the data held about them, which must be answered within one month of receipt of the request.

GDPR creates rights which in many ways are antithetical to the manner in which the U.S. engages in business and treats its employees. A major change may be required.


Appoint a Data Protection Officer

A Data Protection Officer (DPO) should be appointed to deal with data protection compliance. The DPO’s duties should include oversight and monitoring of the company’s data protection and privacy regimes. The DPO must be appropriately qualified and is charged with a number of tasks, including advising on data processing, data privacy and data protection. The DPO must be independent in the performance of their tasks and must report directly to the highest level of management.

The Data Protection Officer will be a key corporate position going forward.


Report Breaches Within 72 Hours

U.S. companies are notorious for not wanting to report data breaches for fear of reputational fallout. Yahoo!, Equifax, Facebook and Target are all examples of companies that waited months, if not years, to report data breaches. Under GDPR, companies must now report data breaches to the appropriate regulator within 72 hours of becoming aware of them. This means you will need to put in place a triage team that can quickly and efficiently assess what has happened, so you can meet the requirements of the law.

This reporting requirement will put significant pressure on U.S. companies that sustain such a breach to react quickly with as much information as they can muster at the time. You must put in place a clear data breach action plan and policy as a top priority and train staff accordingly.


Illustration by Dex Novak