In 2020, compliance challenges that public organizations need to prioritize include data protection, identity verification, protection for the vulnerable, conflict of laws and governance. In responding to these compliance challenges, public organizations need to consider a mix of both traditional mechanisms (such as training and internal audit), as well as technological/automated solutions.
It is often assumed that the private sector has the most significant compliance challenges. The assumption, perhaps, is that a commercial motive means that private industry is less interested in the public good. Increasingly, however, compliance challenges are ‘sector-neutral’: they apply equally to the public and non-profit sectors as they do to the private sector.
In this article, we consider some of the key compliance challenges that any public organization needs to take into account in 2020. These are:
- Data protection
- Identity verification
- Protection of the vulnerable
- Conflict of laws
- Governance
We look at each of these challenges in turn before looking at the steps a public organization needs to take in response.
What is the public sector? What are public organizations?
There is no universally applicable definition of the ‘public sector’ or ‘public organizations’. Traditionally, the public sector was either part of, or funded by, the state or government. However, as organizations that don’t fit this definition have increasingly taken on jobs previously carried out by arms of the state, this definition has expanded.
Increasingly the public sector has come to be defined not by its funding or ownership structure, but by its purpose: a public organization is one not primarily motivated by profit, but rather by the public good or welfare.
While this definition leaves the border between the public and non-public sectors somewhat fuzzy, seen in this way examples of public organizations could include:
- National/federal/state government departments
- Local/municipal/county government departments
- Universities or colleges
- Utility and energy companies
- Emergency services
- Postal services
Data protection
Increasingly, we conduct our transactions online. When we pay taxes, pay electricity bills or register for schools via the internet, we place significant amounts of our information in the hands of a public organization.
Regulators have recognized that individuals still have rights to that information, and that it needs to be protected. Perhaps the most well-known regime is the European Union’s General Data Protection Regulation (GDPR), introduced in early 2018. Other similarly comprehensive data protection and privacy regimes include:
- The California Consumer Privacy Act 2018 (California);
- The forthcoming Consumer Data Right and Privacy Act 1988 (Australia);
- The Data Protection Act 2000 (United Kingdom);
- Personal Information Protection and Electronic Documents Act 2000 (Canada).
These laws and regulations do have significant differences, but all of them require that organizations have robust procedures, policies and training in place to protect personal information. They also all require that data breaches be notified and that organizations be able to demonstrate their compliance.
Some data protection requirements that might apply, depending on the jurisdiction, include:
- A right of the individual to access their personal information;
- A right of the individual to update or delete their personal information;
- A right of the individual to opt-out of an organization collecting or making certain uses of their personal information.
Public organizations also have the special data compliance challenge of complying with any ‘freedom of information’ laws that apply in their jurisdiction. These laws generally require that public or official information be disclosed to the public unless there is a good reason not to do so.
Identity verification
Public organizations need to ensure that the people or entities they are dealing with are who they say they are. There has been considerable emphasis on how special identifying codes (such as ‘Legal Entity Identifiers’, or ‘SWIFT’ codes) can be used by private businesses to ensure that parties to financial transactions are aware of the risk profile of the other party they are dealing with. However, identity verification is just as important – if not more important – for public organizations. For example, identity verification is increasingly a legal/compliance requirement in order to:
- Ensure that the right person receives a service (such as enrollment in a school or a government subsidy)
- Protect individual privacy (such as where an organization has access to sensitive health data).
Protection of the vulnerable
There is an increasing expectation that all public organizations do more to protect the vulnerable in society, and this expectation is increasingly recognized by the law. Consider, for example, the requirement that utility companies provide special protections for vulnerable customers. Another example is the requirement that federally-funded schools enroll students with disabilities.
All public organizations need to have mechanisms in place to ensure compliance with the particular protections that apply to their customers or clients.
Conflict of laws
Increasingly organizations are operating across international borders. In response, regulators are increasingly extending the reach of laws and regulations across those borders. For example, both the General Data Protection Regulation and the California Consumer Privacy Act apply to organizations outside the European Union and California, respectively, where they serve clients or customers in those areas. Another example is the requirement to follow European verification rules when conducting certain transactions (e.g., trading derivatives) with a European organization.
All public organizations need to have a system in place to recognize all the different sources of their legal and compliance obligations.
Governance
There have been many highly publicized cases where a failure in governance was seen as the cause of a public organization’s downfall. Increasingly it is expected that the governors of the organization (they may be called boards of directors, boards of trustees, or simply ‘the board’) step up and take on a more conscientious role.
A key aspect of this has been the role of boards as identified in International Standards. It is a requirement in various International Standards that boards have oversight of risk management, remuneration policies, internal audit, compliance management systems and other matters.
It is not acceptable for board members to attempt to delegate their oversight responsibility to executives and management.
How might public organizations respond to these compliance challenges?
Some elements of a robust compliance program are timeless. For example, all public organizations need to consider:
- Training. All staff should be regularly trained in their compliance obligations. Records of the training need to be kept and the training process needs to be incorporated into employee and contractor performance review;
- Internal Audit/Compliance Review. All organizations need to consider how they will review or audit their processes to ensure that there is follow-through on compliance policies and programs. If an organization is not big enough to have its own unit, it should consider outsourcing to a third party. This function needs to report to the Board (not just the CEO or CFO);
- Compliance spend. Organizations need to consider whether they have devoted enough financial and staffing resources to ensure that they have prioritized compliance.
One aspect of a high-performing compliance program that is a newer development, however, is the role that automation and ‘Software as a Service’ (SaaS) can play in the process. Just as technology creates some of the compliance headaches we have identified, it may also provide the ‘aspirin’. Automation that might improve compliance as well as reduce costs could be implemented in the following areas:
- Data protection. Technological tools can be used to keep data secure, collate personal information, reduce duplication and streamline responses to the public (for example, responses to data access or deletion requests).
- Identity verification. Software can be used to quickly identify that an individual or entity is who they say they are.
- Vulnerable customers and conflict of laws. Training software can be used to ensure that any staff, managers or contractors dealing with vulnerable customers are on top of their obligations and that all applicable laws are being complied with.
- Governance. Automated solutions can keep track of the upcoming scheduled actions for the board (for example, dates for internal audit plans and compliance reviews), as well as the outcomes of meetings.