Appointment of Data Protection Officer under GDPR

There is a growing misconception surrounding the need to appoint a Data Protection Officer (DPO) under GDPR, which takes effect on 25th May 2018. The role of the DPO is critical to the correct implementation of the newly drafted regulation. In this light, an organisation needs to ask itself the following questions before appointing a DPO:

  1. Do they even need to appoint a DPO?
  2. Should they appoint a DPO anyway, as a safe measure for compliance?
  3. Can the role of DPO be outsourced?
  4. Will the DPO be personally liable?
  5. When should a DPO be appointed?

I will start by answering the first question. Under Article 37(1), GDPR requires data controllers and processors to designate a DPO in any case where:

  • The processing is carried out by a public authority or body;
  • The ‘core activities’ of the controller/ processor consist of processing operations which ‘require regular and systematic monitoring of data subjects on a large scale’; or
  • The core activities of the controller/ processor consist of processing on a large scale of ‘special categories of data’ or personal data relating to criminal convictions and offences.

On this definition, most private-sector companies will not need to appoint a DPO. The majority of private companies do not engage in regular and systematic monitoring of data subjects on a large scale, so in the ordinary course of their administration they will not need a DPO. For a ready and seamless application of the three criteria stated above, the Article 29 Working Party Guidelines on DPOs, issued in 2016 and revised in 2017, can be consulted so that the correct measures are taken.

The second question, whether a DPO is needed anyway as a safe measure for compliance, can be answered by reference to Article 37(5), which lays down the requirements for the role and obliges an organisation to appoint someone with adequate knowledge of data protection law and practices; in short, it sets the qualifications required for appointment as DPO. In practice, whoever fulfils the role of DPO will be expected to meet this standard in order to demonstrate compliance under Article 5(2). The Guidelines also suggest that the level of expertise must be commensurate with the complexity and sensitivity of the data processed, with expertise in European data protection law and in-depth knowledge of the GDPR.

It is important to note that the role of the DPO differs from that of an ordinary employee or contractor: the DPO is independent, not bound by the organisation’s management, and must be able to operate freely. This means that they cannot be instructed by the CEO or the central administration on how to carry out their tasks. This impartiality must be maintained separately from the organisation so that the compliance process is free of corruption and bias when adhering to the GDPR. In line with this, the DPO’s employment status is protected under Article 38(3) of the GDPR, which means they cannot be dismissed or penalised by the organisation for performing their tasks. The appointment of a DPO is therefore a critical juncture in the implementation of GDPR, as it will determine the future of the compliance standards set and met in the organisation.

Can the role of DPO be outsourced? This is answered by Article 37(6) of the GDPR, which makes it clear that the DPO can be either an employee or a contractor. Given the concerns and apprehensions raised in the paragraph above, many experts in the field of compliance are of the opinion that the role should be outsourced rather than filled in-house. However, there is no straightforward answer; it depends on the requirements and workload of the organisation’s compliance setup. Under the regulation the DPO must be involved “properly and in a timely manner, in all issues which relate to the protection of personal data”. The Guidelines state that controllers and processors must develop data processing guidelines or programmes that set out when the DPO must be consulted. If this is done, organisations can operate far more productively and meet their compliance goals.

Is the DPO personally liable? The Working Party Guidelines state that the DPO will not be personally liable in case of non-compliance with GDPR. However, the GDPR text itself is silent on the issue of liability. DPOs will need to be cautious regardless.

Organisations need to decide on the appointment of a DPO and on who will best suit their needs. For this they must conduct background screening through tools such as EmploySmart™ and select a candidate who fits the role and sits well with the organisation’s newly identified governance structure. Appropriate background checks will ensure that a Data Protection Officer’s skills are verified before the appointment is finalised. Ultimately, what is the better fit for the business will be determined by the organisation’s decision-makers, and time is running out. Consensus on the DPO is the need of the hour.

Who is CRI Group?

Based in London, CRI Group works with companies across the Americas, Europe, Africa, the Middle East and Asia-Pacific as a one-stop international Risk Management, Employee Background Screening, Business Intelligence, Due Diligence, Compliance Solutions and other professional Investigative Research solutions provider. We have the largest proprietary network of background-screening analysts and investigators across the Middle East and Asia. Our global presence ensures that no matter how international your operations are, we have the network needed to provide you with all you need, wherever you happen to be. CRI Group also holds BS 102000:2013 and BS 7858:2012 certifications, is an HRO certified provider and partners with Oracle.

In 2016, CRI Group launched the Anti-Bribery Anti-Corruption (ABAC®) Center of Excellence – an independent certification body established for ISO 37001:2016 Anti-Bribery Management Systems, ISO 37301 Compliance Management Systems and ISO 31000:2018 Risk Management, providing training and certification. ABAC® operates through its global network of certified ethics and compliance professionals, qualified auditors and other certified professionals. As a result, CRI Group’s global team of certified fraud examiners works as a discreet white-labelled supplier to some of the world’s largest organisations. Contact ABAC® for more on ISO Certification and training.

GDPR: A 21st Century approach to Compliance

Ever since its inception, GDPR has caused a strong stir in the legal and compliance world. The new law builds on the previous data protection legislation but at the same time provides more resilient protections for consumers and more privacy considerations for organisations involved in the processing of personal data. The new EU General Data Protection Regulation (GDPR), adopted in 2016, will apply from May 25, 2018. GDPR brings significant changes compared to the Data Protection Directive 95/46/EC, requiring operational changes in organisations.

It would not be accurate to describe GDPR merely as an extension of the previous law: it builds on it, but it is also a game changer in the field of legal and compliance. It has been dubbed the most important change in data privacy law in 20 years, leaving the compliance world in something of an abyss because of its ever-evolving nuances and the uncertain scope of its applicability. Each country outside the EU needs its own data protection law that is as stringent and controlled as the EU’s GDPR.

Personal data

So, what exactly does GDPR apply to? GDPR applies to personal data and sensitive personal data. If you offer goods or services to EU citizens, inside or outside the EU, GDPR will apply. The GDPR’s definition of personal data is more detailed than the previous one and makes it clear that online identifiers, for example an IP address, can amount to ‘personal data’. This more expansive definition allows a wide range of personal identifiers to constitute personal data, reflecting changes in technology and in the way organisations collect information about people.

For most organisations keeping HR records, employment checks, customer lists or contact details, the change to the definition should make little practical difference. One can therefore assume that if an individual or organisation holds information that falls within the scope of the Data Protection Act, it will also fall within the scope of the GDPR. The GDPR applies both to automated personal data and to manual filing systems where personal data are accessible according to specific criteria. This is wider than the DPA’s definition and could include chronologically ordered sets of manual records containing personal data.

Sensitive personal data

It is important to note that the GDPR refers to sensitive personal data as “special categories of personal data”, as set out in Article 9. These categories are broadly the same as those in the DPA, but there are some minor changes. For example, the special categories specifically include genetic data, and biometric data where processed to uniquely identify an individual. Personal data relating to criminal convictions and offences are not included, but similar extra safeguards apply to their processing. All kinds of background screening and due diligence fall under these provisions.

Controller and Processor

Another key step in getting ready for GDPR is to determine whether your organisation processes personal data as a “data controller” or a “data processor”. The GDPR applies to ‘controllers’ and ‘processors’ (Articles 19-23). A controller determines the purposes and means of processing personal data. A processor processes personal data on behalf of a controller. If you are a processor, the GDPR places specific legal obligations on you, for example the requirement to maintain records of personal data and processing activities. A processor also bears legal liability if it is found responsible for a breach.

However, controllers are not relieved of their obligations where a processor is involved, as the GDPR places further obligations on controllers to ensure that their contracts with processors comply with the GDPR. The GDPR applies to processing carried out by organisations operating within the EU. It also applies to organisations outside the EU that offer goods or services to individuals in the EU.

Consent

To understand GDPR further, it is important to know that consent under the GDPR (Article 32) must be a freely given, specific, informed and unambiguous indication of the individual’s wishes. There must be some form of clear affirmative action, in other words a positive opt-in; consent cannot be inferred from silence, pre-ticked boxes or inactivity. Consent must be verifiable, and individuals generally have more rights where you, as a person or organisation, rely on consent to process their data.

For processing to be lawful under the GDPR, you need to identify a lawful basis before you can process personal data. These are often referred to as the “conditions for processing” under the DPA. It is important that you determine your lawful basis for processing personal data and document it. This becomes more of an issue under the GDPR because your lawful basis for processing influences individuals’ rights. For example, if you rely on someone’s consent to process their data, they will generally have stronger rights, such as the right to have their data deleted.

Data protection officer

The data protection officer (DPO) is the person responsible for GDPR compliance. As per Article 35, an organisation will be required to appoint a DPO depending on its size and on whether it processes large volumes of special-category data. This person will operate independently of the organisation. The principles of accountability and transparency were previously implicit requirements of data protection law; the GDPR’s emphasis on them elevates their significance.

Ultimately, the aim of these measures should be to minimise the risk of breaches and uphold the protection of personal data. Background investigation companies such as CRI Group, which offer various screening services and conduct fraud examinations, pre- and post-employment screening through “EmploySmart”, “3PRM” due diligence investigation services and third-party checks, will need to incorporate GDPR into their systems to ensure adequate accountability, transparency and governance in the organisation.

Protecting Data: Businesses Need GDPR

The General Data Protection Regulation (GDPR) will come into force in Europe in just over a year. This sea change in data privacy aims to improve protections for individuals within the European Union, providing them with more control over how their personal data is used.

It will also clarify and standardise how businesses are expected to operate regarding data protection from a legal standpoint. With this in mind, smart business owners and directors are already preparing for its implementation.

There is much work to be done, however. According to a whitepaper from the DMA, a membership-based network of more than 1,000 companies, over a quarter (26 per cent) of marketers feel their business is unprepared for the GDPR.

That’s a problem. But there is still time for organisations to take steps now and ensure they are ready for the GDPR when it takes effect on May 25, 2018.

First, they should understand what the GDPR will require. According to “GDPR compliance: what organisations need to know” from Information Age, the following are requirements of the new regulation:

  • Extended jurisdiction: Regulations will apply to any company collecting and/or processing EU citizens’ personal data, regardless of where the company’s physical offices are located.
  • Consent: Companies will be required to obtain individuals’ consent to store and use their data and to explain how it is used.
  • Mandatory breach notification: Companies will now be required to notify the supervisory authority within 72 hours of discovering a security breach unless it is unlikely to “result in a risk to the rights and freedoms of individuals”.
  • Right to access: Companies must be able to provide electronic copies of private records to individuals requesting what personal data the organisation is processing, where their data is stored and for what purpose.
  • Right to be forgotten: EU citizens will be able to request that the controller delete their personal data and stop sharing it with third parties, who are then also obligated to stop processing it.
  • Data portability: The new regulation gives individuals the right to transmit their data from one controller to another. As a result, upon request, organisations must be able to provide an individual’s personal data in a “commonly used and machine-readable format”.
  • Privacy by design: Security must be built into products and processes from day one.
  • Data protection officers (DPO): Both data controllers and data processors are now required to appoint a DPO.

On a disturbing note, several reports indicate that some companies in the UK have stopped preparing for GDPR due to Brexit. According to MarketingTech’s “24% of UK businesses have stopped preparations for EU Data Protection Regulations,” fully 44 per cent of respondents to a survey believed – likely in error – that they will not fall under its jurisdiction. This is a dangerous assumption, as the article notes:

‘Firstly, it is likely to be in place before any Brexit,’ said John Culkin, director of information management at Crown Records. ‘Secondly, although an independent Britain would no longer be a signatory, it will still apply to all businesses that handle European citizens’ personal information. The fines associated with EU GDPR are significant. They can be as high as €20 million or 4% of global turnover.’ Looking ahead at the GDPR, it is far better to be safe than sorry. In this case, that means being prepared – or risking serious consequences.

Who is CRI® Group?

Based in London, CRI® Group works with companies across the Americas, Europe, Africa, the Middle East and Asia-Pacific as a one-stop international Risk Management, Employee Background Screening, Business Intelligence, TPRM, Due Diligence, Compliance Solutions and other professional Investigative Research solutions provider. We have the largest proprietary network of background-screening analysts and investigators across the Middle East and Asia. Our global presence ensures that no matter how international your operations are, we have the network needed to provide you with all you need, wherever you happen to be. CRI® Group also holds BS 102000:2013 and BS 7858:2012 certifications, is an HRO certified provider and partners with Oracle.

In 2016, CRI® Group launched the Anti-Bribery Anti-Corruption (ABAC®) Center of Excellence – an independent certification body that provides education and certification services for individuals and organisations on a wide range of disciplines and ISO standards, including ISO 31000:2018 Risk Management - Guidelines; ISO 37000:2021 Governance of Organisations; ISO 37002:2021 Whistleblowing Management System; ISO 37301:2021 (formerly ISO 19600) Compliance Management System (CMS); Anti-Money Laundering (AML); and ISO 37001:2016 Anti-Bribery Management Systems (ABMS). ABAC® offers a complete suite of solutions designed to help organisations mitigate the internal and external risks associated with operating in multi-jurisdiction and multi-cultural environments while assisting in developing frameworks for strategic compliance programs. Contact ABAC® for more on ISO Certification and training.

Ethics and Compliance Hotline: your frequently asked questions answered…

Ethics hotlines are growing in popularity. In 2017 the South African Home Affairs Minister Malusi Gigaba announced that over 3,000 officials had been found guilty of misconduct in cases reported via the National Anti-Corruption Hotline (NACH). “The closure rate underscores a commitment by government departments to investigate allegations of corruption as reported through the NACH.” Ethics and compliance hotlines work! Organizations must have an ethics and compliance hotline to help promote the organization’s code of conduct and nurture a culture of honesty and accountability.

Don’t opt out of an ethics hotline

The 2019 Global Business Ethics Survey found that more reports of misconduct were made to direct supervisors (a median of 51 per cent) than to hotlines (6 per cent). However, it is still crucial to have an Ethics and Compliance Hotline. Why? Having an ethics and compliance hotline shows employees that business leaders genuinely want to hear from them, making it a great employee relations tool.

The ethics and compliance hotline is an anonymous reporting mechanism. So when the normal channels of communication fail, a hotline still allows concerns to be flagged. Hotlines provide an accessible way for employees to report potential wrongdoing, whether illegal, unethical or improper. A company can thereby better protect itself from fraud, learn of employee misconduct and proactively mitigate corruption-related risk. Regardless of industry or size, any organisation should be 110% committed to having an open dialogue on ethical dilemmas.

CRI® Group encourages everyone to report any wrongdoing. We believe that everyone should have a voice and be able to protect themselves, their colleagues and the organizations they work for. Everyone must seek to maintain transparency in order to comply with the code of conduct and compliance regulations. If your organization is considering an ethics and compliance hotline, here are some must-knows.

Who can report? And what can you report?

All individuals – employees, clients, contractors, vendors and others in a business relationship with you or your organization – have a duty and responsibility to report any known or suspected noncompliant behavior or violations of any regulatory mandates and/or local policies, including but not limited to:

  • Ethical standards violations;
  • Violation of laws and company policy and internal control;
  • Risk and safety;
  • Theft, embezzlement or misappropriation of assets, and fraud;
  • Bribery and corruption;
  • Employee rights, employee relations, work environment;
  • Privacy laws or security of personal information;
  • Discrimination;
  • A dispute related to a supervisor, HR and other departments;
  • Physical and verbal harassment in the workplace;
  • Issues related to job responsibilities;
  • Suspicious activity that you have witnessed; and/or
  • Unfair dismissals.

How to report?

You can report your concern using the Ethics and Compliance hotline at any time, 24/7. An effective Ethics & Compliance Hotline should allow reporting via phone, email, web-based complaint forms and even walk-ins.

How does it work?

This will depend on your organization’s structure; however, if you allow reporting directly by telephone, the caller should speak with the Compliance Department directly. The caller can remain anonymous or may want follow-up, in which case they will provide contact details. If the individual submits a report online, the system should guide them through the reporting process, and a PIN will be generated automatically once they complete the report. The compliance department specialist who receives the tip is then in charge of validating it. This compliance officer typically receives special training on gathering enough information to ensure the complaint is credible. The tip is then routed to the right department within the organisation, such as audit, legal or human resources.

What is the process of the investigation?

The Compliance Department or Committee should then review the report and conduct an investigation. The investigation may include interviews with relevant witnesses and review of records, computers, telephones and other equipment, in accordance with the relevant personal data regulations. The reporting individual will be able to follow the status of the case and communicate with the Compliance Department by giving their case number. However, no party can contact the individual directly if they have chosen to remain anonymous. The investigation’s conclusions and recommendations are reported to Management.

Can we generate anonymous reporting?

Yes, if the individual wishes to remain anonymous when reporting their concern, they can. However, you should encourage the individual to identify themselves where and when possible, enabling your organization to investigate the report more effectively. If they provide their names, your compliance department should protect their confidentiality to the greatest extent possible during the investigation. The organization should have a Non-Retaliation and Whistleblower Policy to help ease the process.

What is a Non-Retaliation Policy?

While on the surface hotlines may seem a convenient way to receive employee complaints, tips or concerns, it is often the process surrounding the hotline that determines whether it ultimately succeeds or fails. Areas such as employee relations are particularly challenging for anonymous tips. An organisation needs to have a whistleblower process in place; this is a critical component of any compliance monitoring system. It enables companies to identify and mitigate potential risks early, before they impact operations, reputation and ultimately financial performance.

How can we make sure they deliver a credible report?

When reporting an issue, encourage individuals to provide as much relevant information as possible, for example the names of the persons involved in the alleged conduct, potential witnesses, appropriate documentation or data, visual evidence, etc. Provide them with forms that make clear what they need to submit for a credible report, with the appropriate questions and space for further feedback, including the ability to upload any initial proofs. This will allow your Compliance Department to follow up on the case effectively.

What makes a successful implementation?

  1. A strong and clear message is delivered to employees and stakeholders by a senior individual who champions the overall programme.
  2. A clear understanding of how best to engage with your employees at all levels and in all countries. Remember to take into account country and cultural differences.
  3. A robust internal process to deal with reported issues as laid out in your code of conduct policy or ethics programme.

Are you addressing corporate Compliance?

Prove that your business is ethical. Find out if your organisation’s compliance program aligns with worldwide Compliance, Business Ethics, Anti-Bribery and Anti-Corruption Frameworks. Complete our FREE Highest Ethical Business Assessment (HEBA) and evaluate your current Corporate Compliance Program. Let our experts prepare a complimentary gap analysis of your compliance program to evaluate if it meets “adequate procedures” requirements under the UK Bribery Act, DOJ’s Evaluation of Corporate Compliance Programs Guidance and Malaysian Anti-Corruption Commission.

Find out what a gap analysis is and why you need it.

Report with CRI® Group!

If you find yourself in an ethical dilemma or suspect inappropriate or illegal conduct, feel uncomfortable reporting through normal channels of communication, or wish to raise the issue anonymously, use the reporting process in this Code of Conduct, including the Compliance Hotline. The Compliance Hotline is a secure and confidential reporting channel managed by an independent provider. When reporting a concern in good faith, you will be protected by the CRI® Group Non-Retaliation Policy. 

CRI® will not accept any retaliation or discrimination against any employee or external stakeholder who uses our Compliance Hotline in good faith or participates in an investigation. Any employee who breaches the policy will be subject to disciplinary action. If you wish to learn more, have a look at our article on Ethical code of conduct: What should be covered?

About us…

Based in London, CRI® Group works with companies across the Americas, Europe, Africa, the Middle East and Asia-Pacific as a one-stop international Risk Management, Employee Background Screening, Business Intelligence, Due Diligence, Compliance Solutions and other professional Investigative Research solutions provider. We have the largest proprietary network of background screening analysts and investigators across the Middle East and Asia. Our global presence ensures that no matter how international your operations are, we have the network needed to provide you with all you need, wherever you happen to be. CRI® Group also holds BS102000:2013 and BS7858:2019 certifications and is an HRO certified provider and partner with Oracle.

Meet the CEO

Zafar I. Anjum is Group Chief Executive Officer of CRI® Group (www.crigroup.com), a global supplier of investigative, forensic accounting, business due diligence and employee background screening services for some of the world’s leading business organisations. Headquartered in London (with a significant presence throughout the region) and licensed by the Dubai International Financial Centre (DIFC), the Qatar Financial Centre (QFC) and the Abu Dhabi Global Market (ADGM), CRI® Group safeguards businesses by establishing the legal compliance, financial viability and integrity levels of outside partners, suppliers and customers seeking to affiliate with your business. CRI® Group maintains offices in the UAE, Pakistan, Qatar, Singapore, Malaysia, Brazil, China, the USA and the United Kingdom.

Contact CRI® Group to learn more about its 3PRM-Certified™ third-party risk management strategy program and discover an effective and proactive approach to mitigating the risks associated with corruption, bribery, financial crimes and other dangerous risks posed by third-party partnerships.

CONTACT INFORMATION

Zafar Anjum, MSc, MS, CFE, CII, MICA, Int. Dip. (Fin. Crime) | CRI® Group Chief Executive Officer

37th Floor, 1 Canada Square, Canary Wharf, London, E14 5AA United Kingdom

t: +44 207 8681415 | m: +44 7588 454959 | e: zanjum@crigroup.com

GDPR: Everything You Need to Know

From eMarketer

The European Union’s General Data Protection Regulation (GDPR) was put in place to standardise existing laws that call for transparency in how companies collect and store personal data about EU citizens. eMarketer’s Sean Creamer spoke with Scott Meyer, CEO and co-founder of Evidon, and Todd Ruback, the compliance services company’s chief privacy officer and vice president of legal, about what the GDPR will mean for marketers from outside the EU when it goes into effect on May 25, 2018.

Read the full article.

Staying one step ahead of any critical risk to your organisation is part of being an effective business leader. Contact us today to get started on implementing a robust program that will serve you well for years to come. Get your FREE QUOTE now!
