COVID-19 two years in: Four key trends in the state of compliance
For many, March 13, 2020 signaled the start of the COVID-19 pandemic. Working from home, social distancing, and discovering new hobbies became the “new normal” as the pandemic permeated our lives. Among the most dramatic changes we have seen is the way COVID-19 forced companies to evaluate and modify their existing operations.
Today, two years later, the pandemic still presents significant ongoing challenges. Novel and shifting federal and state mandates and guidance, evolving workforces, and changing enforcement trends continue to alter existing risk profiles. What it means to be compliant today is not what it meant in March 2020.
Accordingly, compliance professionals must evaluate their programs and controls to maintain compliance with generally applicable laws. Here are four compliance trends that companies need to confront today.
1. A broader need for third-party due diligence
For compliance programs, monitoring third parties is not a novelty. However, new risks have arisen as companies utilize vendors to combat some of the pandemic’s challenges.
One increased risk is third-party vendors’ handling of new, sensitive data. For example, in implementing COVID-19 testing and vaccination policies, companies have employed third-party vendor applications to monitor employee compliance. But this monitoring process raises health information compliance concerns over proper collection, handling, and storage of data.
Handling such health information requires companies to keep a close eye on vendor compliance, not just when engaging vendors but over the course of the relationship. Additionally, as part of the monitoring process, some vendors may send users text messages and other communications that require user consent. And these concerns extend beyond the health information realm, as remote workforces require increased collection and storage of personal data.
As companies confront these challenges, legal risk continues to abound. Governments are placing increasingly heavy burdens on companies to evaluate vendors and their beneficial owners. This heightened regulatory focus has generated increased litigation, which has made third-party dealings riskier.
All told, companies utilizing third-party vendors that handle sensitive personal information must ensure those vendors are sophisticated enough and capable enough to handle that data appropriately. Confirming that vendors take proper precautions, including maintaining secure operations, has entrenched itself as a top compliance priority.
2. Data privacy is a growing concern
The increase in remote work environments has created a corporate landscape increasingly reliant on data, autonomous software, and platforms. Accordingly, regulators are taking a closer look at company actions around competition, AI use, and personal information collection, storage, and retention. Legislatures also are moving in this direction. In 2021, Virginia and Colorado joined California in passing consumer privacy acts, and Utah enacted its own law in 2022. More states are expected to follow suit this year.
Based on this sharper focus, companies without existing comprehensive data privacy programs already in place are encouraged to begin crafting them. As regulations expand, so too will exposure to data privacy risks.
This closer technological scrutiny should encourage compliance departments to leverage internal resources by working more closely with Chief Information Officers and other executive stakeholders to identify risks and establish effective controls. One effective approach: compliance officers are partnering with IT departments to solve technological problems, particularly regarding remote investigations and remote work.
3. Remote work raises fresh challenges
Before the pandemic, work-from-home and hybrid work models were not a typical feature of the workplace. But the pandemic changed the age-old office model, bringing with it the need for companies to ensure that their remote employees are still complying with relevant laws.
Remote workers raise multiple security concerns that do not arise in an office setting. For example, they may not have access to physical tools provided in the office, like shredders, printers, and scanners. This means that, based on the industry and employee roles, companies may find it necessary to enact policies that ensure proper handling and destruction of sensitive physical and electronic documents.
Additionally, proper access to sensitive documents requires constant vigilance. Companies must evaluate how and where employees access these documents and provide appropriately secure access networks to accommodate that usage. These concerns require that companies provide employees with adequate resources and training to match new hybrid workplace risks.
Further, workers untethered to a physical office may relocate to states the company does not operate in. This movement may expand the employment, tax, and privacy laws companies must comply with, again generating novel risks and compliance needs.
Last, reinforcing tone at the top has become an increasingly challenging concern, especially for remote workers hired during the COVID-19 pandemic. Without physical oversight, it is not just a challenge to keep employees engaged, it is more difficult to monitor their compliance. Employees also may have less of a sense that they are part of a team and a company culture. Compliance professionals must work with executives and managers to evaluate their business and their employees, build rapport and trust, and provide a strong, uniform message that reiterates the company culture and firmly sets out compliance expectations. This will provide the foundation for implementing workable compliance policies. Whether through virtual events or more frequent team meetings, leaders must not only enact feasible and effective policies, but also develop mechanisms to continually monitor those policies’ success.
4. Stronger whistleblower protections are being implemented at home and abroad
2021 saw a heightened focus on whistleblower protections, particularly with the adoption of the EU Whistleblower Directive. The Directive encourages and protects whistleblowers by safeguarding their identities, preventing retaliation, and increasing reporting channels. It also requires member states to introduce laws on reporting channels and whistleblower protections that are not just different from, but more prescriptive than, the existing US whistleblowing regime.
As a result, a company with operations in the EU faces considerably heavier compliance burdens, depending on its size and location. It may be required to upgrade its present hotline policies and procedures by implementing local reporting channels and providing information regarding procedures for external reporting to competent authorities. Further, because the Directive also addresses how allegations are investigated, as opposed to simply how they are reported, companies are further incentivized to ensure their whistleblower policies are up to date and effective in a remote work setting.
The hallmarks of compliance
These are only a few of the concerns facing companies trekking through the business landscape today. While what it means to be compliant is not what it meant two years ago, the hallmarks of an effective compliance program have not changed. Companies still must evaluate their industry and workforce to enact and enforce practical, effective compliance programs. By maintaining this strong framework, companies can continue to promote proper compliance as the world continues to change.
To learn more about the evolving compliance landscape and its impact on your business, please contact any of the authors or your usual DLA Piper relationship attorney. And learn more about our Global Governance and Compliance work on this page.