Lighthouse Services  


10 GDPR Implementation Pitfalls to Avoid

The General Data Protection Regulation went into effect on May 25, 2018, and is a game-changer for organizations that conduct business in the European Union or process the personal data of people in it. GDPR requires companies to reevaluate their policies and procedures for handling personal data. Noncompliance can result in actions ranging from written warnings to administrative fines of up to €20 million or four percent of annual worldwide turnover, whichever is higher.

As with the implementation of any broad-ranging regulation that impacts an organization’s operating practices, GDPR compliance can pose a significant challenge. A defense of ignorance won’t carry much weight with the supervisory authority (SA), the independent body charged with GDPR investigation and enforcement in each member nation.

The following list includes 10 pitfalls that can prevent you from achieving full GDPR compliance:

  1. Failure to engage the entire organization: A common mistake is viewing GDPR as only an IT issue since it pertains to data privacy. In fact, the regulation touches any area of the organization that handles personal data, as well as third-party representatives. Consequently, full GDPR compliance demands a holistic approach that encompasses and engages everyone from C-suite executives and mid-level managers to rank-and-file employees and vendors.
  2. Failure to build a GDPR team: A lack of adequate GDPR expertise can quickly put your organization on a path to noncompliance. Establishing an in-house GDPR team is a critical step for ensuring thorough preparation and maintaining compliance after implementation. Your team should consist of a designated data protection officer (DPO), which GDPR makes mandatory for public authorities and for organizations whose core activities involve large-scale monitoring or large-scale processing of special categories of data, and leaders from other departments such as IT and human resources.
  3. Failure to understand how data moves across and beyond your organization: The modern organization consists of multiple data flows and sources. Effective GDPR implementation requires a comprehensive understanding of all business processes – you need to know how data is collected, where it is stored and who has access to it in every business area.
  4. Failure to recognize shadow systems: The term “shadow system” refers to any information service used in your business processes that is not under the control of your IT department. Examples include unauthorized cloud services and software packages. Ensuring GDPR compliance requires taking an inventory of each business area to identify, review and, if necessary, retire these systems. This also helps you verify that your data map covers all the personal data the regulation addresses; a store that is missing from the map will be missed by every access, erasure and breach-notification process built on top of it.
  5. Failure to comply with the purpose limitation principle: GDPR stipulates that personal data must be collected for specified, explicit purposes and not further processed in a way incompatible with them. You must be able to document that you have used the data only for its intended purpose throughout the data chain, from initial collection through final disposal.
  6. Failure to verify consent: When one considers all the methods available for collecting data these days – websites, credit card purchases, surveys, etc. – it is easy to overlook a source. Consent is only one of GDPR’s lawful bases for processing, but where it is the basis you rely on, the burden is on you to demonstrate that the individual gave it. If you cannot substantiate that consent, you have likely committed a GDPR violation.
  7. Failure to delete data completely: GDPR sets forth more stringent requirements for the deletion of personal data when an individual requests it and no other lawful basis for retaining the data (such as a statutory retention period or a legal claim) applies. While traditional data management practices allowed for the archiving of data, GDPR takes it a step further by requiring the erasure of all records and files associated with the individual, including copies held in archives and with processors. For many organizations, GDPR preparation will include retrieving previously archived files and expunging the information.
  8. Failure to implement sufficient data access control measures: Keeping a tight rein on the parties that have access to personal data is more important than ever under GDPR, especially when one considers that a controller has only 72 hours after becoming aware of a breach to notify the supervisory authority, and must notify affected individuals without undue delay where the breach is likely to result in a high risk to them. Now is the time to review your policies and procedures regarding who can access data, along with your permission-granting protocols, encryption methods, etc.
  9. Failure to update privacy notices: Under GDPR, many data privacy and security steps that were previously considered best practices will now become mandatory measures. Instead of only notifying the customer about the intended use of their personal data, it will be necessary to provide further information such as the lawful basis of processing the data, the retention period and the customer’s right to file a complaint if they believe the organization is misusing their info. You will likely need to update your privacy notices to include these details.
  10. Failure to fulfill requests for data: Under GDPR, individuals have more robust rights to obtain copies of the personal data an organization holds about them, and the organization must normally respond within one month of receiving the request. It is essential to have a system in place to ensure a timely response, especially if there is a heavy demand for the information.
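Pitfalls 3, 4 and 7 above come down to the same engineering problem: an erasure request must reach every store that holds the subject’s data, and the record you keep of having done so must not itself re-collect the personal data you just erased. The following Python is an added example, not code from the original page or from Lighthouse Services. The stores, records, e-mail addresses and hash key are all constructed for the example; the data map stands in for whatever inventory your shadow-system audit produces.

```python
"""
Added example: a data-map-driven right-to-erasure workflow.

Every store, record, identifier and key below is constructed for the example.
The point it demonstrates: fan the erasure out to every store in the data map
(archives included), honour legal holds explicitly, verify afterwards, and
log a pseudonymous token rather than the erased identifier itself.
"""
import copy
import hashlib
from datetime import datetime, timezone

# Constructed data map: each store known to hold personal data. A store that
# is missing from this map (a "shadow system") is exactly what an inventory
# of each business area is meant to surface; code cannot erase what it
# does not know about.
DATA_MAP = {
    "crm": {"records": [{"email": "ann@example.com", "name": "Ann"},
                        {"email": "bob@example.com", "name": "Bob"}]},
    "archive": {"records": [{"email": "ann@example.com", "order": "A-1"},
                            {"email": "ann@example.com", "order": "A-2"}]},
    "analytics": {"records": [{"email": "bob@example.com", "pageviews": 12}]},
}

# Constructed placeholder key. In practice this is a secret held in a KMS,
# so that the audit token cannot be reversed by rehashing known addresses.
AUDIT_HASH_KEY = b"constructed-example-key"


def subject_token(email: str) -> str:
    """Pseudonymous handle for the audit log (keyed SHA-256, truncated).

    The audit record must prove that an erasure happened without retaining
    the very identifier that was erased. Normalising case first keeps
    Ann@Example.com and ann@example.com on the same token.
    """
    digest = hashlib.sha256(AUDIT_HASH_KEY + email.strip().lower().encode())
    return digest.hexdigest()[:16]


def erase_subject(email: str, data_map: dict, legal_hold=frozenset()):
    """Erase every record for `email` from every store not under legal hold.

    Returns (audit_entry, updated_data_map). The input map is not mutated,
    so the caller can diff before and after. Stores named in `legal_hold`
    are skipped and reported, since GDPR Art. 17(3) allows retention where
    a legal obligation or legal claim requires it; that decision belongs
    to the compliance team, not to this function.
    """
    target = email.strip().lower()
    stores = copy.deepcopy(data_map)
    audit = {
        "subject": subject_token(email),          # never the raw e-mail
        "requested_at": datetime.now(timezone.utc).isoformat(),
        "deleted": {},                            # store -> records removed
        "held": [],                               # stores skipped on hold
    }
    for name, store in stores.items():
        if name in legal_hold:
            audit["held"].append(name)
            continue
        before = len(store["records"])
        store["records"] = [
            r for r in store["records"]
            if r.get("email", "").strip().lower() != target
        ]
        audit["deleted"][name] = before - len(store["records"])
    return audit, stores


def verify_erased(email: str, data_map: dict) -> list:
    """Post-erasure check: names of stores that still hold the subject.

    An empty list is the evidence you keep alongside the audit entry; a
    non-empty list means either a legal hold or a failed deletion, and both
    need a human decision before the request is closed.
    """
    target = email.strip().lower()
    return sorted(
        name for name, store in data_map.items()
        if any(r.get("email", "").strip().lower() == target
               for r in store["records"])
    )


if __name__ == "__main__":
    audit, after = erase_subject("ann@example.com", DATA_MAP)
    print(audit)
    print("still holding subject:", verify_erased("ann@example.com", after))
```

Run it directly and the audit entry shows one record removed from `crm`, two from `archive`, none from `analytics`, and the verification step returns an empty list; pass `legal_hold={"archive"}` and the archive is reported as held and still shows up in the verification result, which is the intended behaviour rather than a failure.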

Mitigating Your GDPR Compliance Risk

While each organization will face unique GDPR compliance challenges based on the nature and scope of their operations and their current level of GDPR readiness, there are three steps that virtually every business should implement to reduce their exposure to risk:

  • Investing in training: GDPR represents a significant change for many organizations; adhering to outdated operating practices will no longer suffice. It is imperative to provide GDPR-specific data protection and privacy training for all employees who handle personal information.
  • Investing in technology: Upgrades in technology, specifically the use of automated data management practices and software, can reduce the likelihood of human error and increase efficiency.
  • Investing in breach response plan development: A well-crafted data breach response plan is critical for ensuring GDPR compliance and avoiding costly penalties. Make sure your plan lets you detect a breach, assess the risk to affected individuals and notify the supervisory authority within 72 hours of becoming aware of it, and that it is rehearsed rather than merely written down.

While many organizations view GDPR compliance as a burden, a more productive approach is to see it as an opportunity to dramatically improve your data privacy maintenance practices, which can transform the way your customers perceive your organization.


Are You Effectively Managing and Monitoring Third Party Risk in Your Organization?

Organizations may choose to enlist the services of third parties for a variety of reasons – gaining access to expertise that is not available in house, acquiring additional capital and other resources, and expanding the size and scope of their enterprise, to name a few.

But while establishing third party relationships can provide many valuable business benefits, it can also increase an organization’s vulnerability to certain types of risk. Because third-party entities such as consultants, agents, vendors, suppliers, distributors and partners in joint ventures are not employees of the organization, it makes their actions much more difficult to control. Hence, the need to develop and implement effective risk management strategies becomes imperative for organizations that deal with third parties in any way.

What Approaches Are Organizations Taking to Third Party Risk Management and Due Diligence?

A recent study shed some light on how organizations are approaching the process of third party risk management. The study respondents consisted of senior professionals encompassing various ethics and compliance, human resources, employee relations, risk management, legal, and information security functions.

The study identified several common themes regarding the objectives of risk management programs, key areas of concern and the execution of third party risk management strategies:

  • Many respondents indicated that those in charge of the third-party risk management program within their organization do not have complete control over their budgets, which means they may not always have the resources they need to perform their jobs as effectively as possible.
  • Approximately two-thirds of organizations evaluate third parties on their own prior to initial engagement. However, only 14 percent of the respondents indicated they use an outside vendor to conduct ongoing third party monitoring. This often results in inconsistencies when reevaluating third party performance from an ethical perspective.
  • The top concern regarding third party ethical breaches is bribery and corruption, followed by conflicts of interest. Organizations are becoming increasingly aware of ramped-up enforcement activities related to the Foreign Corrupt Practices Act and the UK Bribery Act, as well as the existence of incentive programs for whistleblowers.
  • Outsourcing third party due diligence typically leads to greater satisfaction regarding the overall effectiveness of the third-party risk management program. Specifically, survey respondents reported higher satisfaction levels in the following areas:
    • Legal/regulatory compliance
    • Creating a culture of compliance
    • Program documentation management
    • Program defensibility
    • Overall program performance

What It All Means to Your Organization

The study reached several important conclusions that impact every company that engages with third parties:

  • You are ultimately responsible for the actions of third parties: Customers, stakeholders, regulators and the public do not distinguish between organizations and the third parties that represent them. Therefore, when a third party acting on your behalf engages in unethical behavior, your organization will be deemed responsible for any negative consequences.
  • Many organizations are not taking appropriate steps to monitor third party risk programs: While the majority of organizations appear to have instituted a third-party risk management program that includes some form of vetting process, relatively few have adequate controls in place to monitor third parties on an ongoing basis. The institution of a continuous third party due diligence monitoring program is crucial to the long-term success of your risk management efforts.
  • The more comprehensive the risk management program, the better: While the concept of what constitutes a “comprehensive” risk management program is still evolving, the results of enforcement activities in cases involving the Department of Justice and the Securities and Exchange Commission clearly indicate that “more is better.” Specifically, your organization should take transparent steps to ensure that third parties are receiving adequate training on, and ultimately adhering to, your code of conduct and other ethics and compliance-related policies and procedures.
  • An automated third party due diligence vendor can provide a cost-effective monitoring solution for your organization: While too little due diligence leads to insufficient risk management program monitoring, too much due diligence can result in a waste of valuable time and resources. Working with an automated vendor enables you to get the level of analysis that meets your monitoring and budgetary requirements. It can also overcome the shortcomings that may exist in your internal monitoring program.

Relying on third parties is an unavoidable reality in today’s global business climate. A carefully developed and closely monitored risk management program is essential for any organization that wants to mitigate the inherent risks that come with third party engagement.


The Role of Ethics and Compliance in Maintaining Effective Cybersecurity

The compliance risks that organizations face come in many forms. While issues such as bribery, conflicts of interest and fraud have traditionally been major concerns, cybercrime is now the compliance threat that is drawing the most attention from ethics and compliance officers these days.

According to a joint survey of more than 900 ethics and compliance professionals conducted by the Society of Corporate Compliance and Ethics and the Health Care Compliance Association, 39 percent of the respondents listed cybercrime/cybersecurity as the issue they would be focusing on the most in 2016, followed by social media compliance (38 percent), leveraging compliance practices with business practices for greater effectiveness and efficiency (34 percent), establishing and maintaining an ethical culture (32 percent) and increasing the effectiveness of internal investigations (31 percent).

The pervasiveness of cybercrime poses a daunting challenge for the ethics and compliance function. In the past, organizations were primarily concerned with identifying and correcting internal cultural aspects that could lead to compliance breaches. The presence of cybercrime has now forced ethics and compliance to broaden its scope to address threats from hackers and other third parties from outside the organization.

Increased Regulatory Focus on Cybersecurity

When one considers that cybercrime impacts approximately 556 million individuals each year, it’s not surprising that cybersecurity has become a top concern for a variety of regulatory agencies. For example, in 2014 the Securities and Exchange Commission announced that it would be including a review of cybersecurity policies as part of the routine examination procedures of its registrants. Other federal and state regulatory bodies are formulating or have already developed a set of best practices to ensure organizations are taking appropriate cybersecurity measures. In general, these cybersecurity reviews focus on the following areas:

  • Adequacy of cybersecurity policies and procedures as well as proper enforcement
  • Conducting of regular and thorough cybersecurity assessments
  • Effectively responding to any identified cybersecurity deficiencies
  • Taking appropriate steps to protect computer networks and sensitive customer information
  • Installation and effectiveness of firewalls and/or anti-virus software
  • Instituting appropriate user access measures
  • Ensuring comprehensive third-party vendor oversight
  • Responding promptly to any identified security breaches

Developing/Maintaining an Effective Cybersecurity Program for Your Organization

Because of the enhanced enforcement practices, cybersecurity is no longer solely an information technology issue; it also requires the involvement of the ethics and compliance function to ensure adherence to all applicable laws and regulations. Giselle Casella, Senior Principal Consultant at the ACA Compliance Group recommends the development and implementation of the following action plan:

Performing a Comprehensive Risk Assessment

The ethics and compliance department should work in tandem with IT to conduct a comprehensive risk assessment on at least an annual basis to identify the organization’s primary cybersecurity threats. The assessment should be tailored to the unique security risks the organization faces and should take into account factors such as:

  • The existence of any sensitive information the organization handles/stores such as personal customer data, trade secrets and proprietary information
  • Current data breach monitoring and detection procedures
  • Relationships with third parties and any policies in place regarding the sharing of information
  • The need to update outdated cybersecurity software and other related technologies
  • Any previous occurrences of cybercrimes and data breaches
  • Degree of vulnerability to attacks by entities such as terminated employees, hackers and even organized crime
  • Potential financial and reputational damage that could result from cybercriminal activity
  • Procedures in place to respond to and recover from a significant cybersecurity event

Establishing Appropriate Cybersecurity Policies and Procedures:

The completion of the cybersecurity risk assessment should be followed by the development of written policies and procedures, which should be updated as necessary after each subsequent risk assessment. These policies and procedures should cover the following areas:

  • Clearly identifying the employees charged with the responsibility of cybersecurity program oversight
  • Ensuring that access to all sensitive data is limited to employees and third parties on a “need to know” basis
  • Clearly outlining protocols for safeguarding data and computer networks
  • Identifying the internal control mechanisms in place for monitoring and responding to data breaches
  • Stipulating all relevant vendor/third party oversight policies
  • Compliance with any laws/regulations regarding identity theft
  • Identifying any procedures in place for testing the effectiveness of the organization’s cybersecurity programs

As cybercriminals continue to find new, inventive ways to penetrate an organization’s cybersecurity defenses, organizations must continue to ramp up their efforts to protect their data – and their good name. When combined with the need to comply with increasingly stringent data privacy regulations, the ethics and compliance officer can expect to have an increasing role in an organization’s efforts to combat cybercrime in the years to come.


Steps for Mitigating Reputational Risk

At a time when the Internet and social media are shaping the way we communicate, having a plan to mitigate reputational risk is mandatory for any organization hoping to thrive in the 21st century. Organizations that do not take a proactive approach to protecting their brand from online saboteurs and the various offline threats that may damage their reputation could find themselves facing a reputational crisis that will severely impact their profitability, or possibly put them out of business.

What is Reputational Risk?

Jim DeLoach, Managing Director of global management consulting firm Protiviti, defines reputational risk as “the current and prospective impact on earnings and enterprise value arising from negative stakeholder opinion.” Thus, an organization’s reputation represents the perception of its honesty and integrity. Even a false rumor or inaccurate perception perpetuated by competitors, dissatisfied customers or anyone with an ax to grind can cause irreparable harm to an organization’s brand.

While reputational damage may result from external events, the organization’s own actions – whether intentional or unintentional – that are perceived as dishonest, misleading, disrespectful or incompetent can also lead to a reputational or brand crisis of epic proportions. For example:

  • An organization uncovers a significant accounting error that causes it to restate its financial results for the previous three years. Investors subsequently lose confidence and begin to doubt the leadership team’s credibility, resulting in a dramatic decrease in the stock price. The negative publicity also creates a substantial decline in revenues.
  • As a cost-cutting measure, a company with a solid reputation for producing high-quality products releases a poorly made item that fails to meet the expectations of its loyal customer base. Despite reworking the product to improve the quality, customers continue to perceive it as cheap and unreliable and refuse to purchase it.
  • A business fails to provide an adequate response to a customer who is injured by a defective product. The customer contacts the media, which launches an investigation and discovers a slew of similar incidents. The media outlet releases a story that garners negative attention, causing many long-term customers to boycott the company’s products.
  • During a televised interview to promote a new line of “plus-size” clothing, the CEO of a fashion company makes an insulting comment about overweight individuals. Despite issuing a public apology, customers avoid buying the items, and the company’s other product lines also experience a decline in sales.
  • After landing its first major government contract to install a new computer system for a government agency, an IT company fails to complete the project on time and within budget. The organization is effectively banned from doing further business with the government, and the negative fallout leads to several long-term private sector customers refusing to accept bids for future contracts.

Developing an Effective Strategy for Mitigating Reputational Risk

As the legendary football coach Vince Lombardi once said, “The best defense is a good offense.” When applied to the task of managing reputational risk, the most effective strategies implement a proactive approach and include a carefully crafted crisis response plan. Elements of a solid reputational risk management strategy include:

  • Making an investment in your organization’s reputation: Making an ongoing commitment to building your organization’s reputation can mitigate the damage when a crisis occurs. You can achieve this by assessing the current status of your reputation, which entails surveying your most valued stakeholders to determine any deficiencies. You can then address these areas by integrating them into your traditional risk frameworks.
  • Establishing the tone at the top: Ensure that your organizational leaders make reputational risk management a high priority. Members of the board of directors and C-suite executives must support the risk management plan and devote adequate resources across all functions, departments and teams. Some organizations have taken the additional step of setting up a special committee under the board of directors to address ethics and compliance-related issues such as reputational risk management and hold the board accountable.
  • Conducting a comprehensive reputational risk assessment: You likely already conduct regular assessments to identify areas of vulnerability such as third-party liability, conflicts of interest and corruption. Your evaluation should also include reputational risk. A thorough, well-executed reputational assessment encompasses both internal and external factors; begin by performing an audit of all the potential reputational risks your organization could face. Then, rank the risks to determine the areas where you need to devote the bulk of your available resources.
  • Developing a reporting and evaluation system: You will need a reliable monitoring method for your reputational risk management efforts. Implementing a systematic process to obtain regular feedback from your stakeholders can help you assess your current reputational risk “temperature” and modify your program as needed. You should also assign members of your compliance team to monitor all forms of media (especially social media) to identify new areas of concern in the early stages.
  • Crafting a crisis management plan: Even if you make every effort to mitigate your risk, there is no guarantee that a reputational crisis will not occur – and when it does, prompt action is imperative to minimize the damage. While it is impossible to anticipate every potential threat, your risk assessment should have placed you in a position where you’re able to respond to the most likely “worst-case scenarios.” The most effective crisis management responses occur when the organization gets out in front of the situation by addressing it promptly and honestly. When executed properly, it might even be possible to gain something positive from a negative event.

A Case Study in Effective Reputational Risk Management: The Tylenol Tampering Incident

Johnson & Johnson set the gold standard for how to respond to a potentially devastating reputational crisis. In 1982, seven people in the Chicago area died after consuming Extra-Strength Tylenol capsules that had been laced with cyanide after leaving the factory; Tylenol was then J & J’s biggest seller. The company took the unprecedented step of recalling millions of bottles of Tylenol capsules nationwide and offering to replace them for free with the tablet form of the product.

Johnson & Johnson subsequently reissued Tylenol in tamper-evident packaging (no packaging is truly tamper-proof; the goal is to make tampering visible to the consumer), supporting the relaunch with an extensive media campaign that emphasized the company’s commitment to consumer safety. Based on the brand’s recovery and ongoing success, it is clear that J & J’s proactive response managed to preserve its reputation.


Integrating Compliance: How to Engage Your Employees

Creating a climate that encourages ethical behavior and compliance with corporate ethics policies begins at the top. Management sets the tone—but what then? How does ethical behavior become integrated into the corporate culture? How does it become a way of life?

How to engage your employees

Once management is committed, there are a number of ways to promote an ethical culture among the workforce.

  • Create a sanctuary
  • Create a consistent policy
  • Go public

Create a sanctuary

"You can set up all the compliance programs you want, but it won't help if people feel threatened by reporting an infraction if they fear it will hurt their career," says David Batstone, author of "Saving the Corporate Soul."

When a company initiates a compliance program, the goal is transparency and accountability. In order for employees to be engaged in the process, they must feel safe talking about ethical issues. This means both open doors and complete confidentiality on the part of management. But that is only the first step.

Employees may suspect that fraudulent activity is happening but are often reluctant to report or “blow the whistle” because they lack confidence in internal reporting systems, or fear retaliation. Employers who want to remove these obstacles should consider setting up ethics hotlines run by third parties, where employees can report suspected misconduct.

The main benefit of a third party hotline is that it provides a direct and confidential communication channel where employees and external stakeholders can report any unethical practices. The hotline personnel would then investigate and report their findings to the top levels of management within the company or its board members so that corrective action can be taken.

A hotline helps to assure that employees won’t turn a blind eye to suspicions of unethical activity. At the same time, it reduces the risk that people will go outside the organization with their concerns, which could cause both financial and reputation damage.

Create a consistent policy

Most companies today are oriented toward the legal aspects of compliance – “We’ve got to obey the rules.” The fear of getting caught is a big motivator. But the best companies are those who say, “We need to promote ethical values as the centerpiece of how we manage our company.”

Computer chipmaker Intel Corporation stands out because of its ethics program and its commitment to corporate social responsibility. It has been recognized for leadership in integrating values across the company as well as for expecting socially responsible behavior from its suppliers. However, as the company morphed into a multinational firm it encountered some cultural challenges.

"You've heard of bribery and fraud issues in China, Russia, and elsewhere that we define as corruption which in some cultures they view simply as 'the way we do business,' " says Dave Stangis, Intel's director for corporate responsibility. However, Intel wanted to conduct business on the same ethical basis everywhere it operates, so it developed ethics training programs worldwide involving all of their employees.

"We have very high but simple ethical expectations," Stangis says. "Not only will you comply with the law, but everyone, including the board of directors and officers are not to do anything that can appear to be an ethical violation." Training emphasizing case studies and work situations is regularly updated and repeated. (Christian Science Monitor, Nov. 2005)

Go public

There is probably no better way to assure continued participation and support of a company’s compliance program than to go public with it. Not with a roll of drums and great fanfare, but with coherent, consistent exposure, both internal and external.

Begin by recognizing ethical behavior among employees and groups. Use your website and other social media to let customers, clients, vendors, and the general public know that you comply with ethical standards and policies that are appropriate to your industry or profession. Develop a simple policy statement that can be printed or communicated electronically to everyone you conduct business with. When employees know that they are the real live examples of the company’s ethics and compliance viewpoint, they will be far more likely to do the right thing, even when no one is watching.

For more information about developing compliance commitment among your employees, check out these resources: Lighthouse eLearning: ethics & compliance training, and “An ethical cultural shift would make compliance easier” in Western Mail.





Lighthouse Services, Inc. 1710 Walton Rd., Suite 204, Blue Bell, PA 19422 215.884.6150
© Lighthouse Services, Inc. All Rights Reserved