From Theory to Practice

How do businesses manage their data transfers? Legal requirements are in place, but too often they receive only a formalistic acknowledgement.

Compliance with legal requirements often receives a formalistic response from the corporate sector rather than being translated by companies into effective compliance programs. Mere formalism increases bureaucracy and does nothing for legal fulfillment. This is why, globally, we are witnessing national legislators' progressive move away from merely stating abstract legal principles in their acts, towards a new pragmatic approach in which the concern for an effective behavioral change in corporate operations is key.

If Manufacturing Ltd. did not provide its workers with proper information and training on the safety measures available on the work site, it would not ensure a safe work environment, and it could not be deemed in compliance with the law. Similarly, consider if Defresh Inc., a renowned US public company, despite the obligations provided for by the Sarbanes-Oxley Act of 2002 (SOX), did not implement an internal compliance management system made up of quality control, auditing, independence standards, inspections and investigations of malpractice, followed by disciplinary proceedings where justified. The company would violate the law, because the internal management system provided for by SOX is designed to prevent corporate and criminal fraud. Finally, imagine that Znet Inc. had charged its service administrator with specific duties regarding data security without an adequate budget. The company, in such a case, would not be in compliance with the legal obligation (EU Directive 95/46/EC) compelling "data controllers" to implement adequate measures in order «to ensure an appropriate level of security».

Delegation of power is frequently adopted as a risk mitigation tool: top management delegates authority to middle managers in specific areas, technical or operational, in order to avoid personal legal liability. It is seldom taken into account, however, that delegation of power is not an expedient for evading the law. Only when supported by specific competence, an adequate budget, autonomous decision-making power and freedom from improper influence or interference by top management can delegation of power be an effective shield against top managers' personal liability.

Compliance programs aimed at implementing a management system integrated with the company's operational life are not new. The group of companies that have adhered to the voluntary models of international standards organizations is already large. Their purpose is the creation of accountability systems that go above and beyond the minimum legal requirements in specific areas.

Indeed, to depart from 'theory' and reach 'practice' or 'effectiveness', 'accountability' seems to be the solution. As put forward by the Article 29 Data Protection Working Party, 'accountability' is about showing "how responsibility is exercised and making this verifiable. Responsibility and accountability are two sides of the same coin and both essential elements of good governance. Only when responsibility is demonstrated as working effectively in practice can sufficient trust be developed." Not only must responsibilities be expressly assigned, but legal compliance must also become part of the shared values and practices of the organization. To accomplish this task, legal requirements must be translated into real practice. Corporate policies and procedures need to ensure that the principles and obligations set out in the law are complied with. Finally, the ability of companies to demonstrate compliance to external stakeholders, as well as to supervisory authorities upon request, will ultimately be a recognition of their correct behavior and supporting evidence of reliability and trustworthiness before the whole marketplace.


Published in the hard-copy of Work Style Magazine, Fall 2010