Deferred policing agreements (DPAs) will become increasingly important in both the UK and other parts of the world. Will the European authorities follow the example of the US, French and unified governments with regard to the application of data protection authorities? If so, what lessons can companies learn from the past use of data protection authorities to demonstrate their compliance programs in the future? While each country may assess a company's actions differently, previous cases have shown that regulators will generally focus on the following when deciding whether to go to court or enter a CCA. When a company does not have a robust compliance program, behaviour similar to the transactions that ultimately led to regulatory control can be common. In fact, in the latest high-level cases, the DPAs all came with conditions presented to the company to improve its compliance structure. In the United Kingdom, Tesco Ltd has been tasked with conducting a comprehensive review of controls, the functioning of its governing body, the separation of functions and staff training in internal policies. The data protection authority also set the implementation deadlines, after which audits should be carried out to ensure that appropriate changes have been made. In addition, if the misconduct has caused significant damage to the public, or if a large group of executives is involved, there is probably a stronger argument in favour of prosecution instead of a DPA. Therefore, the sooner a company implements a program to mitigate these activities, the better its chances of securing a CCA.

Some cases in the United Kingdom have provided clarification and perspectives on how a company should handle the case when it has discovered irregularities that could amount to a misdemeanor. For example, the CEO of Skansen Interiors Ltd. became aware of certain irregular payments to third parties when he took office. He immediately opened an internal investigation, introduced a new anti-corruption policy and rejected the alleged perpetrator. The company then presented itself to the police and convictions were obtained for those involved. However, after apparently doing everything to appease the authorities, the company was cited for non-corruption. Although the company submitted that it had “appropriate procedures” in place, it was found guilty. However, the authorities did not impose sanctions because the company had ceased to act at that time. Despite the apparently difficult decision in law enforcement, this case highlighted the steps a company, even a small one, should take to avoid wrongdoing: it stressed the importance of keeping accurate records and having current guidelines on the law in this area. Workers should be informed and trained about the existence and relevance of the policy.

The absence of a designated compliance officer and the need to define clear notification lines were also factors in this case. Despite its confusing message around self-reporting, the case provides some clarity on what a company should do to detect faults and the steps to be taken on their discovery. Once questionable activities are brought to light, a company that shows no urgency in improving its compliance efforts sends the wrong message to regulators regarding the priority given to compliance. In its press releases, the DOJ often talks about a company's commitment to the process, including turnaround. Therefore, when a company takes steps to significantly improve its compliance program without the government ordering every step of the way, it sends a strong message to regulators that the management team wants to change the way the business operates, increasing the chances of obtaining a CCA. Although regulators can provide data protection services without reporting themselves, they provide a more favourable light to the actions of the