What the Compliance System contains

8.2.2023

We live in turbulent times: economically, socially, politically, and also legally. New laws, regulations, decrees and case law keep arriving, and most of the new rules affect businesses in every sector.

What are the risks for businesses if they fail to comply with some of these obligations?

This article was written in 2023. If you are looking for up-to-date information on this topic, please contact us at office@arws.cz or by phone on +420 245 007 740. We will be happy to advise you.

Author of the article: ARROWS law firm (Mgr. Jiří Halaburt, LL.M., Mgr. Petra Macková, office@arws.cz, +420 245 007 740)

First of all, fines. A number of new laws introduce relatively high fines, in the tens or hundreds of millions. So even a fine "in the lower half of the statutory range" can be a serious problem.

But there may be more negative consequences.

For example, did you know that you will have to comply with some obligations, for instance in the area of cyber security, even if you "only" provide your services to a large insurance company, a healthcare facility, an operator, a region or a municipality?

Financial institutions also impose corporate governance requirements on their clients. The next time you apply for operating financing or insurance, you may very realistically be asked by the bank or insurer how you are meeting your legal obligations. If you cannot answer quickly and credibly, your loan or insurance may become more expensive, or you may not get it at all.

Reputation also matters, with clients, customers, investors and regulators. In practice, media coverage of a data leak or of a breach of consumer or employee rights has a number of negative consequences.

Let's take a look at the most important news in more detail:

1) GDPR

Do you think you're done here at least? Wrong.

The General Data Protection Regulation, GDPR, may have been with us for almost 5 years now, but its evolution has not stopped. Supervisory authorities issue new methodologies, courts clarify the interpretation and impose heavy fines: for poorly configured cookies, for leaked personal data or for late notification of a security incident to the supervisory authority.

The really high fines, in the tens of millions of euros, tend to be imposed abroad. However, the GDPR has, among other things, introduced so-called cross-border supervision. What does this mean? If you offer your services in other EU member states, for example if you sell your products or services there, you can also be investigated by the authority there.

Let's not talk only about fines. Remedial measures alone can hurt, such as an order to delete an unlawfully processed client or marketing database, or to change the way contracts are concluded in a client application. This is often a more powerful intervention in a business than a "mere" fine.

Let's go through some examples of what has changed in data protection in 5 years:

  • Do you use a US application or data processing tool, in accounting, marketing or CRM? Then you were required to enter into a new data transfer agreement by December 2022. Do you have one?
  • Do you use cameras to protect operations, entrances, warehouses, or the life and health of employees? And did you know that since last year, online cameras have been within the GDPR regime? Surely you have mapped and documented them, sorted out their security and signed the appropriate contract with the supplier. But it might be worth checking.

If you carry out large-scale or higher-risk processing of personal data, you are required to appoint a Data Protection Officer. Give them sufficient capacity, resources and a position in the organisation that lets them effectively oversee how personal data is handled. Make sure they have no conflict of interest, which they would have if, for example, they are also the head of IT or HR, or responsible for operations. You probably know all that. But did you also know that the appointment, role and status of the Data Protection Officer is a common inspection theme in 2023 for authorities across the EU?

2) Whistleblowing

The obligation to address whistleblowing will apply to all businesses, regardless of the sector in which they operate. The bill is already in Parliament and we can expect it to be adopted during 2023.

What obligations will it bring?

Employees, contractors, trainees and contractors' employees will be able to report, possibly anonymously, a business's breach of its legal obligations: for example in the areas of tax, product and environmental quality, consumer protection, cyber security or data protection. Employers will be obliged to investigate the report and to protect the whistleblower from retaliation. Dismissal, reassignment and pay cuts will all be harder to impose on a whistleblower.

Employers with more than 50 employees will also have to set up an internal confidential channel through which whistleblowers can submit their suspicions, and appoint an internal or external person to investigate all such reports.

Fines of up to one million crowns can be imposed for retaliating against a whistleblower or failing to investigate a report. Add to that the attention of the authorities and further reputational problems.

3) ESG

The acronym ESG is being heard more and more often. It is part of a trend towards a more environmentally and socially sustainable and responsible way of doing business.

ESG encompasses three areas that a sustainable and responsible business should reflect.

  • E stands for environmental, i.e. knowing and mitigating the impact of the company's activities on the environment.
  • S stands for social, i.e. the impact on society and on the rights of specific people (clients, employees, the local community, etc.).
  • G stands for governance, i.e. rigorously controlling the company's own activities and ensuring compliance with legal and regulatory requirements.

Legal obligations regarding ESG so far affect only larger companies and financial institutions. But banks and insurance companies are also starting to assess their commercial clients and suppliers from an ESG perspective. They ask for information and figures on the environmental impact of their activities, on how they protect employees and client rights, and so on.

Therefore, to keep access to banking and insurance products, we strongly recommend that a company is clear about its ESG performance and about what it can do and demonstrate in this area. Several steps can be taken to achieve rapid and demonstrable improvement with little effort.

4) E-commerce

Do you offer your services online? Do you use online marketing, communicate with customers electronically, send emails, messages to apps, have a web presence? Then you should be aware of several important legislative developments:

  • The Button Amendment, effective January 6, 2023, brought new obligations for selling and communicating with clients online, and sometimes for the offline world as well. For example, new rules for displaying discounted prices, for verifying online reviews, and a maximum delivery time for goods ordered online.

Have you already implemented these changes? If not, you could face fines running into the millions.

  • New rules for the use of cookies and similar web analytics tools have been in place since last year. To use cookies for profiling and ad bidding, you must first obtain clear and active consent from the site visitor. In practice this raises a number of questions, which is why the Data Protection Authority has issued detailed guidance on the new cookie rules.

Are you familiar with the DPA's cookie methodology, and do you follow it?

  • Electronic marketing, i.e. sending newsletters or information about discounts or new products by e-mail or mobile message, has had its own rules for a long time. And the Data Protection Authority has for a long time been issuing fines in the millions when someone crosses the line between a legitimate commercial message and spam. But the authority keeps going further. It has also fined companies for marketing communications that a supplier sent out incorrectly, because the customer on whose behalf they are sent is always responsible. The courts have confirmed this interpretation.

Do you know who sends out newsletters on your behalf? Do you check that they are doing it correctly?

5) Cybersecurity

The European Union has adopted a new directive on cybersecurity, known as NIS2. In 2023 we will see a new Czech cyber security act and its implementing decrees. The changes will take effect from 2024.

What will be the main changes?

Cybersecurity regulation will affect thousands more businesses. The obligation to adopt security policies, manage risks, apply and improve security measures and manage suppliers will no longer apply only to government bodies and the largest banks and hospitals, but will extend to smaller businesses as well: for example in the energy sector, food production, processing and distribution, the manufacture of some transport equipment, or the provision of internet services.

The new obligations will also reach businesses that "only" supply their services to someone who newly falls within the NIS2 regime.

What are the risks if you ignore cyber security and NIS2? Service limitations, outages and data leaks. High fines. A weakened market position.

6) Overall compliance system

There is a lot of legal news, and we have not mentioned everything.

  • Are you also protecting your business against corporate criminal liability?
  • Did you know that the Office for the Protection of Competition has, for the first time, taken a compliance programme into account when imposing a sanction and reduced the penalty?
  • Do you know the rules on consumer protection and product safety, and what is changing in the Labour Code?

To avoid being surprised by an inspection, a fine, an unfamiliar new regulation or a flaw in your processes, it is advisable to implement at least some elements of a compliance system. It does not have to be a robust, comprehensive system covering every process, product and organisational unit. It is up to you which activities and risks you assess as critical: it may be just e-commerce activities, cyber security, product quality, supplier control, and so on.

A correctly set up compliance system ensures that nothing unexpected happens in those areas: the business has them under control, including regulatory compliance and the response to external and internal changes. And when something does happen, or threatens to happen, the business knows about it and reacts quickly.

When compliance is done well, it is not just a necessary and tedious formality. It can help you improve the quality of your business, avoid many risks and reduce costs.

We are happy to help you analyse and decide which areas of your business a compliance system should cover, and how to achieve rapid improvements efficiently, quickly and at minimal cost.