Data Privacy In 2022: What You Need To Know

Data Privacy Week (January 24-28) is an international effort to drive awareness about personal data privacy. Millions of people are unaware of how their personal data is being collected, used, or shared in our increasingly digital society. As a business, it’s more important than ever to have a data privacy strategy to protect customers and employees and remain compliant with applicable regulations.

In an era of heightened risk and uncertainty, remote workforces, and complex technologies, having effective policies and procedures that are easy to understand and accurate has become critical to keeping pace in the developing global regulatory landscape.

Data Privacy and Protection – Why Is It Important?

Data privacy is the set of strategies and processes that focus on how personal data is collected, processed, stored, shared, retained, and destroyed, while data protection focuses on securing the availability and integrity of data and protecting assets from unauthorized access. A data privacy and protection strategy is crucial for any organization because it aims to give individuals transparency and control over their data and how it is used, and to protect personal data from unintended access and use. Without a data privacy and protection strategy, your organization may be more vulnerable to consumer complaints, regulatory investigations and fines, and fraudulent activities like identity theft, phishing, and hacking.

[Figure: value creation drivers. Source: https://www.bdo.com/services/business-financial-advisory/governance,-risk-compliance/data-privacy]

Components of a Data Privacy and Protection Strategy

When developing a strategy, you need to understand:

The Business

Understanding the business is key to a data privacy and protection program. The more you know about the business, the more you’ll understand about the types of data it processes and the level of protection required, and so on.

The Data

Many organizations collect personal data from both internal and external sources. For example, a bank collects financial information from customers. A healthcare organization collects health information. All organizations collect and process personal data of their employees. It’s important to identify the categories of personal data as this will inform various privacy notices, policies, and procedures.

The Purpose

It’s one thing to identify data, but to understand what the data is and how it serves a purpose in your organization is an entirely different task. This is important when building a data privacy and protection strategy because it helps you populate your personal data inventories and records of processing (where applicable or legally required), identify opportunities for data minimization, confirm that the data collected is proportional to the purpose, and implement appropriate safeguards.

Data Privacy and Protection—5 Steps to Get Started

Identifying data, how that data is used, classifying the data, and outlining what actions to take with each type of data is key to data privacy. Here are five things all organizations can do to begin or enhance their data privacy strategy:

1. Identify where your data is located

It can be a challenging task, but identifying where your data is should be the first step in protecting it. Where does all your data live and where does it go? What types of data exist? Where is it physically hosted? Discovering your data is a foundational task because it informs the rest of your data privacy and protection strategy.

2. Identify what your data is

You cannot protect your data without first understanding what you have. After identifying where the data is, the next step is to create a personal data inventory and record what you do with that data. At this stage you may also tag the data by classification. Data classification helps to organize the data into groups – most often according to level of sensitivity – to enable efficient data protection.

It’s also important to note that data protection and e-discovery have certain functional overlap and that we see a rise in privacy programs leveraging e-discovery solutions as part of their privacy strategy and toolsets. Data investigation is also less burdensome when your data is classified; therefore, the two can be interdependent.

3. Determine who has access to the data

Who currently has access to each type of data? This includes internal stakeholders, as well as third-party recipients, such as service providers or partners. Knowing who is receiving or accessing the data and where they are located affects the rules you’re placing around the data and transfers. Certain privacy laws may also require data localization or additional technical, organizational, and contractual safeguards to transfer data cross-border.

4. Define how you will implement privacy controls

Once you understand your data, you can better customize privacy policies and procedures. For example, you can use your personal data inventory to guide where and how to execute a data subject/consumer rights request. Understanding your business, technologies, and risk profile can also help you create a customized privacy by design program and methodology that embeds privacy controls during the early stages of a project or development lifecycle.

5. Implement technical and organizational controls

A data privacy strategy relies upon the implementation of strong security controls. This includes organizational or programmatic controls such as policies, training and awareness, incident response plans, and password policies, as well as technical controls such as encryption, anonymization, logging, multi-factor authentication, and vulnerability detection. One important safeguard for data protection is data loss prevention (DLP), which prevents unauthorized leakage of data outside of the organization. Once data is classified, the technical implementation of DLP can establish policies for each layer of classification to prevent unwanted sharing. Once the policies are implemented, continuously monitor and maintain them to stay up to date with business needs and regulatory requirements.

Data privacy can be a tricky concept if you haven’t yet addressed it within your organization. The data privacy specialists at Urish Popeck can help you understand the risks and maturity of your current business environment and discover whether your program meets applicable regulatory requirements and leading practices. To learn more, contact us today.

Written By Taryn Crane, Mark Antalik and Steve Combs. Copyright © 2022 BDO USA, LLP. All rights reserved. www.bdo.com

Retaining Talent During The Great Resignation

The COVID-19 pandemic created a number of challenges for both employers and employees. Virtually overnight, many non-essential businesses shut down or transitioned to remote operations, forcing both companies and workers to navigate a new virtual working environment. Most employers slowed down hiring, and employees were hesitant to leave their jobs given the market uncertainty. As the pandemic continued, what were thought to be short-term changes became the “new normal” and many companies began to delay, and even cancel, their return-to-work plans given the pandemic’s persistence and the uncertain and ever-changing regulatory mandates on workplaces.

Over time, some businesses began to realize that not only could work be done from anywhere, but that they and their employees could thrive in this virtual environment. Many of those same companies could also expand their talent pool by hiring a remote workforce, while saving money by shrinking their physical footprint. From an employee perspective, remote work opens up the opportunity pool in a way not previously available. Now, with a computer and a reliable internet connection, employees can potentially work for companies located anywhere around the globe.

This has also created a situation whereby many workers’ expectations regarding work are beginning to change, and some no longer want to be in the office from 9 to 5. While there are obvious exceptions for businesses where a physical presence is necessary (such as restaurants, medical centers, manufacturing plants, logistics and delivery warehouses), workers’ expectations are changing across industries and business situations.

Coupled with pent-up demand from employees hesitant to leave their jobs earlier in the pandemic, this dynamic has led to what is being dubbed the “Great Resignation.” Desiring more flexibility and better pay, and seeking more from work and opportunities that better align with their personal values, employees are pursuing new opportunities or deciding to leave the workforce for a variety of reasons, leaving employers concerned about retaining talent. Losing talent can be costly, and high-performing employees are difficult to replace.

So how can companies retain talent during the Great Resignation?

In our experience, employees rarely leave solely because of compensation issues. Yes, employees may leave if they are underpaid relative to the market and another employer will properly compensate them for their skills. But in general, employees leave for other reasons — new responsibilities, more advancement opportunities, more job flexibility, better work/life balance, or to become caregivers, for instance. As companies think about retaining talent, a holistic review of the employee value proposition that looks beyond compensation can be helpful.

The employee value proposition is a broad look at why employees come to work each day. It is the reason employees choose to work at a particular business vs. another. This typically includes traditional items such as compensation and employee benefits, as well as non-compensatory items such as job flexibility, mental health benefits, learning/development, advancement opportunities, vacation time, other perquisites, and corporate mission/purpose.

Below are seven potential actions for companies looking to retain talent, as well as some key considerations:

Provide Monetary Retention Awards

When thinking about retaining talent, cash and/or equity retention awards are often one of the first levers considered. While such awards can be an effective tool to keep employees engaged, unless additional actions are taken, they may simply delay resignation instead of preventing it.

Review Compensation Philosophy and Structure

While companies should review their compensation philosophy and structure periodically to ensure continued alignment with company strategy, periods of high talent demand/turnover and business disruption increase the importance of making sure employees are paid competitively for their services. A holistic review can analyze how companies pay, in addition to how much employees are paid, to determine whether employees are properly motivated and rewarded for the right behaviors given any business or strategy changes as a result of the pandemic and its ongoing impact on the economy. The shift from physical to online operations, addition of new product lines, etc. all have implications for business financials and strategy, and it is important for compensation structures to evolve with the business.

Corporate transactions are another major source of employee uncertainty. M&A activity of any type often leads employees to ask questions, such as whether roles will continue to exist post-transaction, what changes to compensation levels/structures are coming, and who will lead the company going forward. As leaders and owners navigate these decisions, monetary retention policies or temporarily enhanced severance programs can be particularly helpful in smoothing employee anxiety and limiting unwanted turnover leading up to and for a period of time after a transaction. As with non-transaction-related retention, any temporary program should be coupled with a holistic review of the employee value proposition going forward to increase the company’s ability to retain talent after payments are made.

Set Clear Working Expectations

One significant source of frustration for employees is uncertainty regarding work expectations (for example, working hours, working location, maintaining flexibility) going forward. Companies have taken varied approaches when it comes to announcing (or not!) clear work-from-home vs. work-in-office policies, and some employees are leaving to find employers that espouse approaches that match their preferred working style. While having an explicit policy may alienate some workers and create some regrettable turnover, setting clear working expectations can increase trust and minimize one area of uncertainty for workers.

Clarify the Mobility Policy

Many employees became mobile during the pandemic, whether out of necessity or simply because the opportunity presented itself. Some people needed to spend time caregiving, while others used the pandemic as an opportunity to give up the confines of a specific residence and instead traveled and worked throughout the country (and even the world). Regardless of the rationale behind this change, living and working in different locations potentially creates liabilities for both employees and employers that may not have been entirely understood or planned for in advance. Creating an explicit policy regarding where employees can work, and the potential consequences of changing physical work locations, can minimize frustration for all parties.

Mobility policies are rapidly evolving, and local governments (both domestic and global) are working hard to ensure they are not losing out on much-needed tax revenues. Because the burden of ensuring that all employment and tax obligations are observed falls on employers, a head-in-the-sand approach will not work. We expect this to become a significant issue for organizations that have not figured out a way to track where employees are working and accurately report this information.

Review Benefits Package

The pandemic has led many people to rethink their priorities and place a higher value on elements other than compensation. This includes items such as retirement benefits, mental health offerings, flextime, caregiver support, the opportunity for volunteering time off, and backup babysitting. Companies can use surveys to understand what their employees currently value and evaluate whether there is an opportunity to address employee needs.

Most people have read that COVID unequally impacts women who are leaving to be caregivers; however, many organizations have been slow to roll out official policies to support caregivers. Best-practice suggestions include listening to employees to understand what they need and reviewing current policies to meet those needs. Offering flexible or non-traditional working hours, role sharing, temporary part-time hours, unpaid time off, sabbaticals, backup childcare and other similar measures can go a long way to supporting caregivers.

Clarify Growth Opportunities

Employees often consider new roles because of the excitement of taking on a growth opportunity, such as a leadership opportunity, new responsibilities or a new focus area. At times, opportunities at a given employer may be limited given the employee’s role and the company structure, and there may be little the employer can do to retain a particular employee. Many times, however, the lack of intracompany mobility is due not necessarily to a lack of opportunities, but to employees’ lack of awareness that opportunities exist. Opportunities can come in many forms and include everything from educational courses to lateral movement or promotions. Having open dialogues, working with employees to create tailored plans, and then integrating those plans as part of the regular performance management process can go a long way to show employees that they are individually valued and that there are benefits in staying with their current organization.

Increase Access to Leadership

Perhaps more than ever before, employees are purpose driven. People want to feel that what they do matters, and they want to identify with their company and its leadership. Actively creating a mentoring culture and providing access to leaders is one way an organization can increase productivity and engagement that directly reduces turnover. Having leadership bring their authentic selves to work, while sharing situations they are navigating, can encourage cohesion. Inviting employees to share their experiences and perspectives with leadership on a range of issues from inclusion to workplace flexibility to health and wellness will help solidify company culture and community.

Every company’s situation is unique, and how companies address the Great Resignation should take into consideration both their business strategy and their talent needs. Companies can also use this opportunity to create a process for reviewing and updating related policies and procedures over time. Retaining talent is an ongoing process and what works now may need to evolve to work tomorrow.

Written by Jason Brooks and Liz Mack. Copyright © 2021 BDO USA, LLP. All rights reserved. www.bdo.com


DHS Report To Congress Reinforces The Need For Importers To Have ESG Policies In Place And To Know Their Vendors


The U.S. Department of Homeland Security (DHS) posted a report on its website on September 22, 2021 that establishes timelines for Customs and Border Protection (CBP) to respond to allegations of forced labor.

Although U.S. law has prohibited the importation of merchandise produced or manufactured by forced labor (including child labor) for more than 90 years, the issue has been under heightened scrutiny of late. A provision requiring parties to prohibit the importation of goods made by or with forced labor was included in the 2020 U.S.-Mexico-Canada Trade Agreement (USMCA), which mandated, in part, that the President establish a task force to set timelines for CBP to respond to allegations of forced labor in supply chains. These initiatives highlight the growing global focus on Environmental, Social, and Governance (ESG) issues in corporate boardrooms and on government enforcement agendas.

An Executive Order issued in 2020 established the “Forced Labor Enforcement Task Force” to improve coordination among various U.S. governmental agencies to prevent imports to the U.S. that are produced using forced labor. The task force is led by DHS and includes representatives from the Departments of State, Treasury, Justice and Labor, as well as the United States Trade Representative and U.S. Agency for International Development. The breadth of agencies represented by this task force underscores the importance the government is now placing on the issue of forced labor.

CBP is the sole government agency charged with enforcing all federal government regulations at the border and, therefore, investigates allegations of forced labor. CBP has the authority to detain, seize or exclude goods produced with forced labor and can issue a detention order known as a Withhold Release Order (WRO) if an allegation “reasonably but not conclusively” indicates that goods were produced with forced labor.

Under CBP’s rules, U.S. importers have an obligation to exercise “reasonable care,” which means that all declarations must be compliant, including compliance with the requirements that no imported goods have been manufactured with forced labor. To fulfill their responsibilities, importers should establish procedures to assess suppliers, including upstream processes for purchased goods, to understand the risks associated with the use of forced labor. Critically, the law prohibits the importation of goods made “wholly or in part” by forced labor, so that, for example, goods purchased from the European Union and produced using Chinese components, materials and parts should be considered in internal risk review processes as well. The prohibition against the importation of goods made with forced labor applies to goods from all jurisdictions.

The new timelines for investigations of allegations of forced labor will be initiated when a petition is filed alleging goods made with forced labor are likely to be imported into the U.S. Petitions can be filed by any party or Customs can self-initiate a case based on information from government sources or private reporting. Within 30 days of receipt of the petition, CBP will accept or reject it. If accepted, CBP will initiate an investigation and approximately 90 to 180 days later determine whether a reasonable suspicion of a violation of the forced labor statute exists. If a positive determination results, CBP will issue a WRO and a press release. Thereafter, if any goods are withheld by CBP at a port of entry, importers will have three months to rebut the presumption, and other administrative actions may occur, including refusal of entry of the goods and possible forfeiture/re-export.

Importers should be prepared to respond to any allegation of forced labor against goods they are intending to import into the U.S. As noted above, importers only have three months to respond to goods withheld subject to a WRO, at which time it may be too late to conduct a thorough investigation as to whether the merchandise was made in whole or in part by forced labor. Such an investigation is time-consuming and usually cannot be completed after a shipment is withheld and the importer must rebut the presumption that the merchandise at issue was made with forced labor. This scenario could negatively impact a company and result in potential seizures or exclusion of goods, loss of sales, revenue and most importantly, reputational risk. Moreover, CBP can refer such cases to other agencies for criminal investigation.

This is especially important for shipments from China due to pending legislation in Congress that aims to ensure that U.S. companies are not funding forced labor among ethnic minorities such as the Uyghurs in the Xinjiang region of China. These restrictions extend to other areas of China where forced labor is suspected and, notwithstanding this pending legislation, apply to all regions of the world.

Insight

The U.S. government, together with other countries and regions (Canada, European Union, Mexico and the U.K.), has significantly increased its scrutiny of products made with forced labor. The enhanced government enforcement should prompt companies with global supply chains to ramp up their focus on potential forced labor concerns as part of the increased focus on ESG policies.

Written by Damon V. Pike. Copyright © 2021 BDO USA, LLP. All rights reserved. www.bdo.com