It seems so simple – just roll-out your U.S. Code of Conduct or policies to the rest of the world.  They’re already written, right?  And you’ve had a lawyer look them over in the States.  What could be easier?  Hold on right there.  It’s not always obvious that certain words, phrases or concepts may need to be changed or removed in order to meet with the expectations of your employees in the rest of the world.  Here are the top seven things to avoid in globalizing your Code, employee handbook or policies...

A couple of weeks ago my Wildly Effective Compliance Officer Tip of the Week was about creative places to put your whistle-blower hotline.  Since that day, I’ve received several notes about creative places to put the whistle-blower hotline to advertise it.  If your hotline number is only on a poster in the break-room, why not try one of the following to spice things up?

Mobile Phone Stand

The clever folks at Balfour Beatty had a problem.  Huge numbers of their workforce never come to an office.  In fact, most of them work on construction sites all day.  Keely Hibbit, Group Head of Business Integrity, and her team sourced a mobile phone stand with the whistle-blower hotline number on it.  The stand lays flat on the back of a cell phone, then clicks open to hold the phone up (like a snap bracelet for any of you alive in the 90’s)…

This is a guest post written by Patrick O'Kane, the author of the great new book, "GDPR - Fix it Fast! Apply GDPR to Your Company in 10 Simple Steps."  I wrote the Foreword to this book and highly recommend it!

Staff training is a crucial part of protecting data privacy. One recent study found that human error is the leading cause of data breaches, featuring in 37% of data breaches. Providing staff training is an important part of avoiding GDPR fines.

Despite its importance, staff training is perhaps the most under-emphasised part of any GDPR project. Companies have been busy fixing their processes, working on their information security and updating their customer consents; however, there seems to be seems to be little attention paid to how staff training will need to be revamped in order to keep your company in line with the requirements of GDPR.

These are my 3 tips on staff training:

This is a guest post from Ramsey Kazem of my company, Spark Compliance Consulting. 

In October 2016, the International Organization of Standardization (“ISO”) published ISO 37001, the first global standard for the development and implementation of an anti-bribery management system.  The emergence of ISO 37001 was a welcomed development as it provides a universal framework for managing bribery risk that can be used by organizations of all sizes, industries, regions and risk profiles.  To date, Peru, Singapore and the Philippines have adopted ISO 37001 as their respective government’s standard, and other countries are expected to follow their lead.

A unique feature of ISO 37001 is that an organization can demonstrate compliance with the standard by obtaining a certification from an independent, accredited auditor.  The certification brings substantial value to an organization as it provides an objective means by which it can outwardly demonstrate its commitment to combating bribery.  Not only does this provide a competitive advantage over an organization’s non-certified competitors, but it also levels the playing field (from a bribery risk management perspective) for smaller organizations competing against large multinational corporations or foreign domestic firms. 

ISO 37001 is not without its critics.  The criticism, however, is generally not directed at the standard itself.  Instead, the critics take issue with the certification of the standard.  A common theme of their arguments is that the certification process is merely a check-the-box exercise where an auditor only confirms the existence of a “paper program”.  The critics argue that the process falls short because it makes no determination as to whether the program is actually put into action.  They also contend that the certification only reflects the status of the program at a given moment in time (i.e. the evaluation period) and, thus, lacks any predictive value as to how the organization will conduct itself in the future.   In short, they conclude the certification is worthless because it does not ensure that the certified organization is “doing anti-bribery compliance” or will “do anti-bribery compliance” in the future. 

There are three fundamental flaws with the critics’ argument...