Compliance becomes an internal security department matter if non-compliance means criminal wrong-doing, such as fraud.
A business will carry out compliance broadly speaking for two reasons – because of the carrot or the stick. The carrot; complying with in-country or international rules is good for the corporate reputation or required of suppliers, or helps make for an efficient business. The stick; if you don’t do it, and suffer a data leak (in the case of data protection) or a fraud scandal (in the case of corporate corruption, giving or taking bribes), you will get fined by regulators and ‘named and shamed’.
That data protection regulators in Europe such as the ICO (Information Commissioner’s Office) in the UK have had vastly greater powers to fine offenders under the GDPR and in the UK the new Data Protection Act 2018. Consider that the ICO has given the Marriott hotel chain and British Airways nine-figure fines, compared with the maximum of £500,000 for pre-2018 cases. Shouldn’t that make for greater compliance? Not necessarily, it appeared from a recent online Privsec week of webinars, by cyber-risk and data privacy managers. They remarked on the lack of enforcement since the 2018 change, despite those high-profile Marriott and BA cases. The fines, the panel suggested, are so huge that whereas previously a company would take a fine of up to six-figures ‘on the chin’, not so a fine like BA’s £190m.
Such a fine would prompt a corporate to fight legally, which causes the ICO issues. For that would set the ICO up against big corporate lawyers; and the ICO does not even get to keep the fines it levies; that money goes to the UK Treasury. The ICO has become ‘reticent’ in picking on big organisations, the panel felt. If anything, such a dilemma was even more acute for the Irish data protection regulator, the Data Protection Commission, which (simply because the Republic of Ireland is far smaller than the UK) has a smaller budget and yet has tech firms on its patch because they have chosen to site European offices there.
As for corporate bribery, one counter-fraud veteran once aired with Professional Security how a head of counter-fraud in a business may find themselves saddled with legal responsibility for the company offering a bribe. If someone in country X (even though it is thousands of miles from head office in Y) offers or accepts a bribe, the head of counter-fraud could find their head on the block if the company board has tasked them with responsibility, such as setting anti-bribery procedures, and staff training, and monitoring of effectiveness. Under the UK’s 2010 Bribery Act, a company may be guilty if it fails to prevent persons associated with them from bribing another person on their behalf. The Act also applies to overseas, such as a country manager or agent.
In recent years, slavery and labour exploitation have emerged and under the Modern Slavery Act 2015, large firms were required to make a ‘modern slavery statement’, about what they did to prevent modern slavery in their operations and supply chains; although the law did not actually require them to take any action against such slavery. In the summer of 2019 the Home Office went out to consultation on the Act and announced in September 2020 that local government will have to make such a statement; and those statements will have to be published on a new digital government reporting service.
Home Office Safeguarding Minister Victoria Atkins said: “Sadly, we know that no sector is immune from the risks of modern slavery which can be hidden in the supply chains of the everyday goods and services we all buy and use. We expect businesses and public bodies to be open about their risks, including where they have found instances of exploitation and to demonstrate how they are taking targeted and sustained action to tackle modern slavery.”
The UK Government proposes options for civil penalties for non-compliance with the Modern Slavery Act under its proposed single enforcement body for employment rights.
In March the UK government published its first ‘Government Modern Slavery Statement’; and it says that ministerial departments are working towards publishing their own modern slavery statements from 2021.
The consultation found that some complained of seeing a ‘tick-box’ approach to compliance, a complaint heard about other fields of compliance also; and, another wider complaint, that it’s in practice too hard to gather data to make compliance meaningful, if suppliers won’t co-operate. If complying is merely an exercise, and a business cannot see the profit in it, whether for the bottom line or reputation, a board or business leaders are hardly going to back it, and the wider business will take its cue from them. And given that ‘modern slavery’ is quite new, how to know what to report, and what is good practice? In its consultation response, the Government promised to ‘publish updated guidance for businesses and public sector organisations in 2020’. And if there’s no penalty for not complying, and it’s not well known among the wider public, why bother to comply? As the Government’s response admitted, ‘respondents were clear that there was a need for greater enforcement of the current requirement’.