GDPR and your compliance program

Joseph Murphy – Compliance & Ethics Professional – August 2018

The world is buzzing about the EU’s General Data Protection Regulation (GDPR); Europe now sets the global standard for protecting privacy. GDPR is a pervasive regulatory system that tends to stick to anything that touches it. It is detailed and requires knowledge of the special terminology of privacy.

It is also backed by huge fines. The privacy bureaucrats can extract up to 4% of a company’s global turnover for violations. I have been told that they will probably not go after such large amounts of money in small cases. But most governments are quite fond of revenue, and the temptation under this amorphous area of regulation may be overwhelming.

But here is the special concern for us. Because the concept of privacy is so broad and the regulations so pervasive, they invite abuse by regulators in dealing with company compliance and ethics programs. Compliance and ethics, by its nature, involves interaction with “data subjects” (i.e., humans), thus giving the privacy sheriffs license to control and restrict our work.

European privacy regulators have already demonstrated indifference to other areas of the law. Protecting the environment? Fighting corruption? Unearthing cartels? A muscular approach to privacy comes first.

So in France, when companies worked to adopt speak-up programs, the French privacy regulator had a field day denouncing these efforts and dreaming up regulatory schemes to fence them in. Spanish regulators even purported to muffle abused employees by forcing them to reveal their identities if they wanted to report their bosses’ crimes and abuses. After all, it can be impossible to retaliate against employee insolence unless you know who had the nerve to speak up.

Now commentators are raising the alarm that GDPR will make anti-corruption due diligence more difficult and undermine the fight against bribery, and privacy regulators may undercut all company efforts to comply with the law and act ethically.

Conducting an investigation of alleged misconduct in your company? Doing training? Testing employees? Due diligence on new hires? Audits of company records? Whatever you do, if it involves contact with human beings, plan to spend time talking with privacy mavens.

Here is the issue. Privacy is one value, but only one. Society needs organizations to take effective steps to prevent and detect wrongdoing. If privacy merits the grand regulatory scheme of GDPR, then certainly company compliance and ethics work deserves at least as much protection. It is time for the EU and other governments to step up and enact legislation that protects compliance efforts and bars future roving regulators from hijacking our work to expand their own regulatory kingdoms.

This article first appeared in Compliance & Ethics Professional.