Compliance Trends you better leave behind in 2019

Now that we are starting a new year, we can reflect on a few compliance trends that emerged over 2019 - including ill-advised practices and bad habits that compliance officers would do well to leave behind. In the Philippines, four major trends come to mind:

Ignoring vendor data security risk

Every year, more companies allow more third parties access to their confidential data — and far too many don’t have a clue about how much risk they are inviting.

Consider these stats from a 2019 survey of more than 1,000 security professionals:

• Only 35% of respondents rate their third-party risk management program as highly effective
• Only 34% of respondents say they have a comprehensive inventory of all their third parties
• Only 29% of respondents say a third party would contact them about the data breach

That is not good. Strengthening vendor risk management is not easy, but ignoring the problem will not accomplish anything. Even simple fixes like contract clauses requiring third parties to report a breach of your data are a start.

Uniform due diligence reviews

Along similar lines, a stubborn number of companies still apply uniform standards of due diligence to all third parties for anti-corruption. That’s better than no due diligence at all (see data security risks, above), but it still spawns two other headaches. Either you perform too little due diligence on a high-risk party and open the door to misconduct, or you perform too much due diligence on a low-risk party, and waste precious compliance resources.

Neither one does a company any favors. The goal should be a strong, versatile risk assessment process, so companies can have a credible defense should some third party indeed create a misconduct risk that contaminates your company’s reputation.

Thinking only about what's legal, not what's ethical

Numerous times in 2019, we saw prominent corporations sharply rebuked in the court of public opinion for transactions that might have been legal, but still didn’t pass the ethical smell test. Outlandish contracts with unqualified consultants; data sharing with shady third parties; inadequate personal data protection. I won’t name names here, but examples abound.

Fundamentally, employees and customers are gaining more power to force difficult questions about companies’ ethical principles, and they’re willing to do so. On the other hand, boards are downright terrified of heightened reputation risk.

That means standing behind the fig leaf of “Well, legally we did nothing wrong!” no longer works. Share prices can still be battered; boycotts can still take flight on social media. Companies must stop relying on what’s legal, and start defining what’s ethical.

Believing data and security breaches are not going to happen

We are seeing almost on a daily basis that data privacy is breached, that sensitive data is leaked and that the reputation of companies is challenged because the implementation of the Data Privacy Act and the Rules and Regulations issued by the National Privacy Commission are taken lightly.

It is high time that this attitude is changed and policies, procedures and controls for data protection are put in place. This requires to

1. Commit to comply – with focus on governance and the task of the Data Privacy Officer
2. Know your risk – data inventory and analysis / data protection impact assessment
3. Be accountable – create a privacy management program
4. Demonstrate compliance – implement measures re compliance monitoring to audit
5. Be prepared for breaches – have a proper breach management team in place.

And let me repeat: companies must stop relying on what’s legal, and start understanding that breaches are not happening on the legal side: they happen in operations.

Good Luck with your New Year’s Resolutions!!!

By: Henry J. Schumacher, President of the European Innovation, Technology, and Science Center Foundation (EITSC)
Contact: Schumacher@eitsc.com