Privacy Concerns and DOJ Guidance Drive Compliance Efforts
There is no doubt that for companies around the globe, 2020 has been a difficult year, especially as they navigate the “new normal” caused by the COVID-19 pandemic. However, despite the difficulties businesses are facing — in fact, because of them in many cases — compliance needs to be a top priority.
The impact of the challenges of 2020 has been both financial and logistical. Since the pandemic began, companies have been forced to trim costs, cut staff, and make a number of other disruptive changes, all of this while risks rise. On top of that, despite everything that businesses are dealing with right now, they still need to ensure that they are meeting their compliance obligations to keep up with the legal and regulatory changes implemented this year.
Privacy Concerns — and Initiatives — Intensify
Not surprisingly, then, corporate compliance issues in the US have risen to the spotlight in 2020, helped along by watershed privacy legislation, such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), that has changed the way companies handle personal information. The fairly recent implementation of CCPA, in the works for years in an effort to protect the privacy of Californians, has forced many businesses to alter their practices, especially when it comes to the way they handle data.
Similar in intent to the European Union’s “right to be forgotten” law and the GDPR, the CCPA enables Californians to request that their personal information not be sold, or ask that it be deleted altogether. Companies now have to publish how they collect and use personal information prior to collection, and give individuals the ability to state their data preferences.
Adapting to such changes isn’t easy; in fact, since CCPA came into effect at the beginning of the year, there have already been a number of CCPA-based class action cases making their way through the courts, although it is as yet unclear that any of the claims have merit under the existing law.
Updated Compliance Guidelines from the DOJ
This past June, compliance was in the news once again, as the Department of Justice (DOJ) Criminal Division issued an update to the Corporate Compliance Guidelines for white collar prosecutors. The updated guidance examines factors that should be considered by prosecutors when it comes to investigating an organization, such as what aspects should be looked at when deciding whether or not to bring charges. In the memo, the DOJ provides two separate questions relating to data resources and access for prosecutors to consider.
First, the DOJ says prosecutors should ask whether or not “compliance and control personnel have sufficient direct or indirect access to relevant sources of data to allow for timely and effective monitoring and/or testing of policies, controls, and transactions.” Additionally, according to the DOJ, prosecutors should also examine whether or not “any impediments exist that limit access to relevant sources of data and, if so, what is the company doing to address the impediments.”
In addition to its data-related guidance, the updated guidelines also discuss compliance related to mergers and acquisitions. According to the guidelines, a “well-designed compliance program” needs to have “comprehensive due diligence” of the acquisition target. The guidelines note that this allows a business to have a more accurate valuation of the target. Additionally, the updated guidelines state that if there is a lack of due diligence, then profitability can be impacted, reputation may be tarnished, and there could potentially be criminal and civil liability. Given the key role that data plays when preparing for mergers and acquisitions, companies need to make sure they are compiling and relying on the best information possible.
Whether a business needs to keep up with a recent legal or regulatory change or is navigating a merger or acquisition, the guidance reiterates that companies need to be attentive to their compliance efforts — particularly those related to handling data. By ensuring they are meeting compliance standards, companies can work to prevent unnecessary legal and financial headaches down the road.
Compliance and Data Disposal
An important compliance initiative that is gaining traction in many companies is a renewed focus on disposing of data they no longer need, colloquially known as ROT (redundant, obsolete, or trivial data). Data reduction efforts impact other corporate initiatives that attempt to reduce cost and risk on any number of fronts. The more that is known about existing data stores and the cleaner the data is, the more effectively and efficiently the company can address issues related to cybersecurity, privacy, litigation and investigations. On the upside, the availability of tools and technologies that exist today to identify and classify corporate data makes this compliance effort, which is challenging to undertake at best, easier to stomach in many companies.
Additionally, in this current climate, companies can implement new collaborative software to increase efficiency, whether it’s through monitoring workspace activity or creating a centralized knowledge base for employees to access critical information. This type of move can help reduce costs and time spent, allowing companies to focus their efforts on other obligations.
Companies will continue to grapple with any number of data challenges as the pandemic continues, and compliance efforts will remain in the spotlight. Privacy and security demands are likely to grow more pressing, and there are already known upticks in fraud throwing investigations into full swing. Shifting fortunes will change the M&A (and bankruptcy) landscape as well. However, by paying increased attention to compliance mandates and taking appropriate data clean-up measures, businesses can more successfully implement the kinds of changes that will help avoid potential legal and regulatory problems and financial pain.
For information about compliance efforts during COVID-19, see Corporate Compliance and COVID-19: Necessary Bedfellows.
To learn more about disposing of corporate data, read Compliance Imperatives for Defensible Data Disposal.