I’ve just returned from both the Frankfurt European Compliance and Ethics Institute and the Women in Compliance Conference in London.  As always, conferences are whirlwind events – the sessions, the networking, the drinks receptions, exhibiting for Spark Compliance, meeting old friends and new ones alike.  It’s always interesting to see what the trends are, and this year was no different.

There are three big questions on everyone’s mind here in the UK and Europe this year.  The answer to each may strongly affect the profitability and success of each company, as well as the future of the compliance function. 

Question 1: What happens after Brexit?

The exiting of Britain from the European Union is going to be a multi-year process.  The news in London focuses on the changing positions and negotiations between the UK and EU, but companies are concerned only with how the outcome will affect them. 

One of the biggest concerns affecting UK and EU companies revolves around the immigration status and ability to work of their non-native employees.  London in particular is full of EU citizens who currently have the right to work in the UK without any visa status.  Likewise, many Brits are transferred into Europe by their companies each year.  Many employers are concerned that their highly-qualified and experienced team members (including compliance professionals) may have difficulty working within the UK after Brexit, and many Brits who have moved abroad to work in places like Paris or Madrid may find themselves without the automatic right to work within the EU.

This uncertainty is unlikely to be resolved soon, but it’s on everyone’s mind.

Question 2: What happens after GDPR comes into force?

The European General Data Protection Regulation comes into force on May 25, 2018.  This law increases penalties for non-compliance significantly – up to 4% of global annual turnover for the most egregious offenses. 

One looming question is how aggressively GDPR will be enforced.  Traditionally, data protection regulators have had much less power to sanction than anti-bribery enforcers like the UK Serious Fraud Office.  Will the new legislation create a hot-bed of immediate prosecutions?  Or will the enforcement start small, allowing companies more leeway in their implementation of new procedures?

While compliance professionals know that an ounce of prevention is worth a pound of cure, the changes required for many companies, with respect to their data management and marketing practices, make some loath to begin readiness reviews.  The enforcement community’s response to GDPR’s arrival will answer many of the questions currently on the minds of Europeans and Brits.

Question 3: Am I doing enough to protect myself from allegations of modern slavery?

The UK’s Modern Slavery Act has been in force for a couple of years.  It requires any commercial organization doing business within the UK with an annual global turnover of £36 million or more to provide a statement linked from the front page of its website stating what, if anything, it is doing to prevent modern slavery and human trafficking within its business and supply chain.

One of the challenges of Modern Slavery Act compliance is that the Act does not specify how far down the supply chain a company needs to go in order to be compliant.  Does a company simply need to look at its own activities?  Or does it need to scrutinize the activities of its main suppliers?  What about the sub-suppliers to its suppliers? 

Contracts, data privacy requirements, lack of audit rights and practicality all come into play for companies trying to ensure modern slavery and human rights abuses are eradicated from their supply chain.  The question of how far a company needs to go to protect itself from the taint of association with modern slavery or human trafficking is one at the forefront of compliance professionals’ minds here in the UK.

The Ultimate Question

All of these questions lead to the biggest question: What happens next?  It’s hard to know for sure of course, but my educated guess is that further enforcement is coming, data privacy rights will continue to clash with due diligence requirements, and that the world’s regulators will work more and more closely together such that borders become more transparent. 

As for the ultimate question, “How do I best protect the company from risk?”, finding the answer to that question is the top priority of every compliance professional, both in Europe and the rest of the world.