ISO 37301:2021
requirements that an organization mandatorily has to comply with as well as those that an organization voluntarily chooses to comply with
Non-conformity
Not complying with a requirement (not a legal requirement)
Non-compliance
Not complying with a statutory/regulatory requirement
Compliance function
person/group of persons with responsibility and authority for the operation of the compliance management system
Compliance risk
likelihood of occurrence and the consequences of noncompliance with the organization's compliance obligations
Compliance obligations
- requirements that an organization mandatorily has to comply with
- requirements organization voluntarily chooses to comply with
Compliance culture
values, ethics, beliefs and conduct that exist throughout an organization and interact with the organization's structures and control systems to produce behavioural norms that are conducive to compliance
7 elements of compliance management (CORCOMP)
Objectives, organization, risks, program, communication, monitoring, culture
Compliance management
- defining compliance objectives
- setting-up compliance organization
- identifying and analysing compliance risks
- setting-up a program to achieve objectives and address risks
- communicating matters related to compliance
- monitoring and improving compliance programme
- creating and maintaining a compliance culture
Quality
fulfilling quality requirements (customer, supplier, voluntary, legal requirements)
Compliance
- fulfilling compliance obligations
a) voluntary obligations (corporate rules, certification schemes, mandatory standards, contractual requirements)
b) mandatory obligations
Regulatory compliance
- fulfilling mandatory compliance obligations
a) statutory requirements
b) regulatory requirements
Statutory requirements (regulatory compliance)
laws passed by parliament
Regulatory requirements (regulatory compliance)
permits, government licences, other legal acts
Compliance management system
- a system to manage your compliance (e.g. when something breaks)
- compliance objectives, organization, risks, program, communication, monitoring and improvement, culture (H&S compliance obligations, Cyber-security compliance obligations, Privacy & Data protection compliance obligations, Environmental protections)
ISO standards
- International Standardization Organization
- Based on widely accepted industry practice/experience
- Widely recognized and comparable
- Can serve as basis for a certification
- Often developed by international working groups
- ISO 37301 - compliance management systems
Shall
indicates a requirement
Should
indicates a recommendation
May
indicates a permission
Can
indicates a possibility/capability
Plug in model
- Making one system to make it easier, simpler and quicker
- generic standards, specific standards, generic guidelines, specific guidelines
-> integrated management system
Generic standards (Plug in model)
- Quality management (ISO 9001)
- Environmental Management (ISO 14001)
- Health and Safety Management (ISO 45001)
- Compliance Management (ISO 37301)
Specific standards (plug in model)
- Information security
- Emergency response in offshore production
- Business continuity
Generic guidelines (plug in model)
- Risk management (ISO 31000)
Specific guidelines (plug in model)
- Internal auditing (ISO 19011)
- Documentation (ISO 10013)
ISO certification
- If an organization implements a management system based on a recognized standard (ISO) and has been audited by an external organization => organization gets certified
+ External expertise, feedback and control
+ Management commitment
+ Attractive to customers
- Doesn't guarantee success
- Often used "for the picture frame"
Money, effort, time
PDCA cycle
Deming, Shewhart cycle
1. plan
2. do
3. check
4. act
Compliance management system (ISO 37301)
- Effective compliance management covers compliance risks of all activities
- Assessing all activities to see if they have a compliance risk or not
Mandatory requirements in compliance management system (ISO 37301)
- Laws and regulations
- Permits, licenses, forms of authorisation
- Orders, rules/guidance issued by regulatory agencies
- Judgements of courts/administrative tribunals
- Treaties, conventions and protocols
Voluntary requirements in compliance management system (ISO 37301)
- Agreements with community groups, NGOs, public authorities, customers
- Organizational requirements (policies, procedures)
- Voluntary principles, codes of practice, labelling/environmental commitments
- Obligations arising under contractual arrangements with the organization
- Relevant organizational and industry standards
Compliance register
1. reference - List all laws and obligations that possibly apply to your organization
2. obligation - Briefly explain the obligations
3. applicability - Evaluate if and how the obligation applies to your organization
4. current situation - Describe the current situation (Do you comply or not?)
5. next action - List the next steps that need to be taken (audit, involving management, getting support, reviewing working methods)
Health and Safety (safety compliance in the Treaty on the Functioning of the EU)
- Improvement of the working environment to protect workers' health and safety
- Working conditions
- Social security and social protection of workers
- E.g. H&S Framework Directive
Internal market (safety compliance in the Treaty on the Functioning of the EU)
- EU can adopt measures for the approximation of the provisions laid down by law, regulation or administrative action in MS which have as their object the establishment and functioning of the internal market
- “New approach” directives – letting the industry decide on H&S standards and then making them standards for companies (European standardisation organisations)
Health & Safety framework directive
- Obligations for employers (Art. 4)
- Duty to prevent occupational risks, provide information, training, organisation and means (Art. 6)
- Key elements and principles of risk assessment (Art. 6(3))
- Responsibility of workers (Art. 13)
- Definitions:
- Worker – any person employed by an employer, including trainees and apprentices but excluding domestic servants
- Employer – any natural or legal person who has an employment relationship with the worker and has responsibility for the undertaking and/or establishment
- Prevention – all the steps/measures taken/planned at all stages of work in the undertaking to prevent/reduce occupational risks
Other H&S directives
- Directive on Workplace Requirements
- Directive on risks from explosive atmosphere
- Directive on the use of work equipment
- Directive on Major Accident hazards
Framework directive
- Sets minimum standards for all EU MS
- Encourages continuous improvement of health and safety
- Contains general principles
- Integrated preventive approach (eliminating risks, information, consultation, participation of workers, addressing economic and social perspectives, legal basis for hierarchy of risk controls)
- Covers public and private sectors
Hierarchy of controls
1. Elimination
2. Substitution
3. Engineering Controls
4. Administrative Controls
5. PPE
Layers of H&S directive
1. the work environment act
2. Decree on working environment (WED)
3. Regulation on work environment (WER)
4. Arbo catalogues
5. other legislations involved (law on sickness and disability, private law, social security law)
Dutch law on H&S
1. EU directive
2. Wet/Act - always involves the parliament (harder to change & less details)
3. Besluit/Decree - normally does not involve the parliament
4. Regeling/Regulation - adopted by a minister (easier to change & more details)
Examples of EU and Dutch security laws
law on security clearance, port security law, law on private security and detective agencies
Law on security clearances
a) VGB - certificate of no objection in positions involving confidentiality
b) VOG - certificate of conduct = applicant has not been convicted for any crimes relevant to the performance of duties
Port Security law
regulation on enhancing ship and port facility security
Law on private security and detective agencies
Rules about:
- Certificates for private security agencies
- Education and training requirements for security guards
- Uniforms of private security guards
- Cooperation with the police
- Use of dogs
Who is responsible for critical infrastructure in the NL
Dutch ministry of counterterrorism (personnel screenings, improving S&S)
Critical infrastructure
vital processes (developed after 9/11)
Category A vital infrastructure
economic consequences, physical consequences, social consequences, cascade effect (e.g. electricity, gas, oil supply, water barriers, water + water quality, nuclear material)
Category B critical infrastructure
economic consequences, physical consequences, social consequences (e.g. gas, internet and data services, maritime transport, transport over major street networks, financial transactions, military)
Critical processes
Processes and infrastructure so essential for society => their disruption would have serious societal impacts (based on the first three steps of Maslow's hierarchy - physiological needs, safety needs, belongingness needs)
Network and Information Security directive
EU initiative (2006 European programme for critical infrastructure protection) => systems need to be secure
Recurring problem (critical infrastructure)
in many countries 80% of vital processes are in the hands of private companies (sometimes foreign) => not under direct control of the government
NIS Directive
- EU
- sets minimal standards
- goal: harmonizing the approach to cyber-security of vital processes within the EU
Obligations to MS and EU in NIS Directive
- Adopt a national strategy (security of network and information systems)
- Establish security and notification requirements of operators and suppliers
- Designate national competent authorities, single points of contact
NIS directive factors
- Government (Computer Emergency Response Team, Security Strategy, Competent Authority, Single point of contact - one number for all essential service providers)
- providers of essential services (Risk management, Mandatory breach notifications, Sanctions and audits, Fines)
- cooperation (No mandatory cooperation - government is encouraging the essential service providers to cooperate together, Limited information sharing)
Managing compliance (in critical infrastructure)
1. Understand if you are affected by the law
2. Understand the compliance obligations
3. Develop action plan to achieve compliance (compliance register)
EU laws on privacy & data protection
- The EU Charter of Fundamental Rights stipulates that EU citizens have the right to protection of their personal data
- Regulation 2016/679 of the EP and the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (Directly applying in all 27 MS)
EU's General Data Protection Regulation
- Directly applying in all 27 MS
- Processing personal data => compliance with GDPR => lawful processing
- Regulates the processing by an individual, a company/organization of personal data relating to individuals in the EU
4 steps of GDPR compliance
1. Are you processing personal data?
2. Does the GDPR apply?
3. Is the processing lawful?
4. Applying the principles
controllers of the data (GDPR terminology)
- Main decision makers
- Exercise overall control over the purposes and means of the processing of personal data
processors of the data (GDPR terminology)
- Act on behalf of, and only on the instructions of, the relevant controller
Data subjects (GDPR terminology)
- People whose data is stored/processed
- Every data subject has a number of legal rights
Personal data
- Any information which is related to (directly/indirectly) identified/identifiable natural persons
- E.g. name, tel number, credit card number, personnel number, number plate, appearance, …
Categories of personal data (special categories)
- because of past discrimination have special requirements
- Racial/ethnic origin
- Political opinions
- Religious/philosophical beliefs
- Trade union membership
- Genetic and biometric data (gene sequence, fingerprints, facial recognition, retina scans)
- Sexual orientation
- Health
Processing personal data (GDPR)
- Any operation/set of operations which is performed on personal data/sets of personal data
- Collection, recording, organisation, structuring, storage, adaptation/alteration, retrieval, consultation, use, disclosure by transmission, dissemination, restriction, erasure/destruction
Lawful processing of data (GDPR)
- Data subject gives their explicit consent (consent must be given freely => employers, because of their stronger positions, cannot ask for consent)
- Meeting contractual obligations entered into by the data subject
- To comply with the data controller's legal obligations
- To protect the data subject's vital interests
- For the task carried out in the public interest/exercise of authority vested in the data controller
- For the purpose of legitimate interest pursued by the data controller (e.g. fraud prevention)
GDPR consent
- Given by statement/clear affirmative action
- Freely given, specific, informed, unambiguous
- Proven by data controller
- Withdrawn as easily as given
Exceptions for GDPR
a) Processing by a natural person in the course of purely personal/household activities
b) Processing of personal data of deceased person/legal persons
c) Processing by competent authorities for the purpose of prevention, investigation, detection or prosecution of criminal offences, safeguarding against threats to public security (police, courts, intelligence agencies)
GDPR principles
Lawfulness and fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality
Lawfulness and fairness (GDPR principles)
covered by legal permission/consent
transparency (GDPR principles)
people should know that their personal data are processed and to what extent those data are/will be used
purpose limitation (GDPR principles)
data shall only be collected for specified, explicit and legitimate purposes
data minimisation (GDPR principles)
data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (if data are not needed then don't ask for them)
accuracy (GDPR principles)
data shall be accurate and where necessary, kept up to date
storage limitation (GDPR principles)
data shall be kept in a form that permits identification of data subjects for no longer than necessary for the processing purposes
integrity and confidentiality (GDPR principles)
security of personal data, including protection against unauthorised/unlawful processing and against accidental loss, destruction/damage
GDPR rights
- inform the data subject beforehand
- response to data subjects' requests
- right to access
- right to erasure, rectification and restriction
- right to data portability
- rights to object
- rights on automated decision-making