Implementing and monitoring effective compliance policies & procedures
charlesrussellspeechlys.com
Robert Bond, Partner

Robert Bond has over 36 years' experience in advising national and international clients on all of their commercial IP, technology and data protection requirements. He also provides international notarial services and compliance advice. He is a legal expert and author in the fields of e-commerce, computer games, media and publishing, data protection, information security and cyber risks. He is named in the National Law Journal's list of 50 Governance Risk & Compliance Trailblazers, listed in the top 10 in the Who's Who of Information Technology Lawyers 2014 and also in "Best Lawyers in UK 2014".

"He continues to impress year on year. His spark of imagination and ability to grasp the technology is amazing." (Chambers UK, 2014)

Tel: +44 (0)20 7427 6660
robert.bond@crsblaw.com
Hitec: Expert Solutions for Governance, Risk and Compliance

Your Hitec speaker today: Barny Brummell, GRC Specialist

For further information please contact: Connor Blake, Director of Alliances & Partners
Connor.blake@hiteclabs.com
Tel: +441628 600 900

For more than 20 years Hitec has been helping customers address some of their most pressing operational challenges. Hitec develops and implements Governance, Risk & Compliance (GRC) software solutions worldwide, providing deep domain and application knowledge and a customer base of over 400 organisations in 30 countries. As regulatory frameworks and professional standards are tightened, the emphasis on good corporate governance increases. Excellent Enterprise Content & Document Management as well as Governance, Risk and Compliance management are vital. That's where Hitec solutions excel.

23 January 2015
TOPICS
- Compliance from a legal viewpoint
- Federal Sentencing Guidelines
- Current issues for Compliance Officers
- Specific issues for the DPO
- Hitec solution
Compliance from a lawyer's viewpoint
- Roll out/training
- Policy
- Filings and registrations
- Local laws
- 3rd party vendor controls
- Works councils and unions
Compliance - FSG (Federal Sentencing Guidelines)
- Investigation and remediation
- Codes of Conduct
- Policy
- Procedures
- Disciplinary mechanisms
- Designation of Compliance Officer
- Reporting process
- Effective education/training
- Audits and evaluations
TOP DATA PROTECTION COMPLIANCE CONCERNS
- Using outsourcers to process personal data, and being an outsourcer processing your clients' personal data
- Corporate life & data protection
- Subject Access Requests
- Monitoring employees: how, when and what?
- Dealing with historic files
- Erosion of personal/professional life borders
- Handling cross-border litigation
- Protecting data when employees leave
- Registrations with Data Protection Authorities
- Data breaches and cyber threats
TOP EU & COMPETITION COMPLIANCE CONCERNS
- Remaining competition law compliant
- Dealing with antitrust investigations
- Dealing with private antitrust lawsuits
- Tackling anti-competitive behaviour
- Mergers: to file or not to file?
- Getting to yes on merger clearance
TOP CONCERNS IN INTERNATIONAL EMPLOYEE INVESTIGATIONS
- Purpose and potential outcome of investigation? Criminal?
- What claims can employees make, and where?
- Privilege and disclosure rules vary
- Use of subject access requests to achieve disclosure
- Where is data processed?
- Who should conduct investigations? Should third party investigators be used?
- Who will make any decision to dismiss, or hear appeals?
- Practical management
DATA PROTECTION OFFICER: WHEN
Obligation to appoint a DPO applies to controllers and processors:
- who are public authorities or bodies
- who process personal data of more than 5000 individuals per 12 month period
- who carry out activities involving regular and systematic monitoring of individuals
- who process special categories of personal data
A group of undertakings may appoint a single DPO.
DATA PROTECTION OFFICER: WHO AND HOW
Data Protection Officers are chosen for their professional qualities:
- Expert knowledge of data protection law and practices, including:
  - Technical & organisational measures & procedures
  - Mastery of technical requirements for privacy by design, privacy by default and data security
- Industry-specific knowledge in accordance with:
  - The size of the controller or processor
  - The sensitivity of the data processed
- Ability to carry out inspections, consultation, documentation and log file analysis
- Ability to work with employees' representation
The organisation must enable the DPO to take part in advanced training measures to maintain specialised knowledge.
DATA PROTECTION OFFICER: TASKS AND FORMALITIES
Tasks: trusted adviser or police?
- Raise awareness
- Monitor implementation and applicability of the policies
- Monitor implementation and applicability of the Regulation
- Ensure mandatory documentation is maintained
- Monitor the documentation, notification and communication of data breaches
- Monitor privacy impact assessments and prior consultation
- Monitor responses to the Data Protection Authorities
- Act as contact point for the Data Protection Authorities
- Inform employees' representatives on employees' data processing
- Verify compliance with laws and regulations
Appointed for 4 years (employee) or 2 years (service provider).
OBLIGATION TO MAINTAIN DOCUMENTATION: ACCOUNTABILITY PRINCIPLE
- Organisations must keep appropriate policies & procedures, such as data retention and data management
- Policies & procedures reviewed at least every two years
- Reports of the activities of the controller shall contain a summary of policies & procedures
- Documentation must also contain:
  - Name & contact details of the controller, joint controller, processor and representative
  - Name & contact details of the DPO
  - Name & contact details of controllers to whom personal data is disclosed
Train your staff!
Compliance Cycle
- Board sign off / roll out / learning
- Effective Codes, Policies and Procedures
- Filings and registrations
- Localisation by law and language
- Global data sharing solutions
- Works councils and unions
- 3rd party vendor controls
Effective Policy & Procedure Management
Why is this important?
Policies and procedures are the cornerstone of an effective compliance programme. Without them, how do you expect your staff and supply chain to understand corporate standards and regulatory requirements?

If policies and procedures are not effectively managed and communicated to all stakeholders, they are almost worthless. Without policies and procedures, and effective management of them, businesses are exposed to increased risk, reputational damage and potentially fines.
Where we help
We've gained a lot of experience over the years. For example:
- we have over 20 insurance companies using the product, typically to address Solvency II requirements
- in Financial Services, our customers are addressing the requirements of the FCA, SEC and BaFin, amongst others
- customers use it to address anti-bribery legislation such as the UKBA, FCPA, BS 10500 and the upcoming ISO 37001, as well as vital Information Security (ISO 27001) and Data Protection policies
Effective communication is key
These methods of communication are no longer best practice.
Increasing regulation: a prime example
"Policies and procedures must be embedded and understood throughout the organisation through effective communication" (UK Bribery Act, Principle 5)
So much to communicate
- Rules and regulations
- Operating procedures, process maps
- Employee handbook, corporate documents
- IT, HR etc. policies & procedures
- UK Bribery Act, FCPA, AML
- Health & Safety
- Internet & Email Usage, BYOD
- 3rd parties? Intermediaries & suppliers
- Remote workers
Lifecycle of a Policy
- Creating & updating policies: prone to duplication and versioning issues
- Audit every action, but more importantly every inaction
- Ensure employee understanding of your key policies
- Review process: provide commented evidence
- Publish the right policies to the right people: target your employees, do not swamp them
- Affirmation for key policies: prove that employees have acknowledged them
Native languages: do you have a global presence?
A snapshot of the application as the user experiences it (screenshot captions):
- User library & advanced search engine
- Automated notification e-mail with URL
- Simple & sophisticated web front end
- Policy acceptance and attestation recorded
- Tests & questionnaires add weight to reports
- Real time SQL reports with subscriptions
- Set up policy reviews to the right owners
PolicyHub highlights
- Easy to use branded portal for employees and stakeholders
- Single secure library available 24/7 with authorised publishers
- Respond dynamically to regulatory changes, communicating consistent and clear policies quickly
- Automatically target relevant policies at individuals, groups or geographies, and joiners/movers
- Link policies to risks, controls and owners
- Detailed audit trail and reporting ensures all stakeholders have received, read, understood and agreed to sign up to the policies
- Reduce risk of regulatory fines and reputational damage
- Reduce compliance costs and improve efficiency and accuracy
QUESTIONS?