Regulators expect companies to investigate actual or potential violations completely and to disclose the nature and scope of those violations completely, in order to obtain credit for their disclosures. Identifying violations often requires the review of a variety of personal information, including citizenships and nationalities, communications, and myriad other facts and circumstances.
Investigating and reporting the results of those investigations can lead to disclosures of protected personal information – which requires an understanding of privacy laws and regulations and a balancing of interests while respecting privacy requirements.
- When companies conduct internal investigations, often to obviate the need for a government investigation into a potential violation, they have to balance the need to protect individual privacy with the desire to maximize the impact of the internal investigation and disclosure. Balancing these competing interests can be helped by explaining the need for an investigation at the individual level, including, for example, working with employees and worker councils.
- To help balance those conflicting interests, there are several additional steps a company can consider, including controlling where the data they find is kept and how it is shared, working with local regulators to have a clear set of expectations for sharing information, and looking at all jurisdictions at the outset to understand the requirements from different countries.
- Disclosing what a company finds during an internal investigation is often voluntary, but the challenges can be greater with increased use of disclosure processes around the world, and more coordination between global agencies. This is currently most noticeable in the areas of money laundering and bribery/corruption, but we are also seeing an uptick in sanctions.
- There are benefits to disclosure when done correctly, including reduced penalties and cooperation credit. Internally, companies that disclose their findings can also control the narrative and messaging to their own employees, as well as the scope of the investigation.
This presentation was originally part of the Data Privacy and Protection Boot Camp. More information is included in the full presentation.