Privacy Risk in Anti-Bribery and Corruption Programs

Embedded in many anti-bribery and corruption compliance programs are due diligence practices that help identify and mitigate risks associated with third parties acting on behalf of a company, especially those operating in foreign jurisdictions. The use of thorough, risk-based third party due diligence figures prominently in guidance regarding compliance programs offered by the U.S. Department of Justice, U.S. Securities and Exchange Commission and the U.K. Ministry of Justice. Regulators expect that companies understand the risk presented by their third parties, and tailor their anti-bribery and corruption compliance programs accordingly.

Like laws that criminalize bribery and other corruption, the body of international data protection and privacy law is dynamic, necessitating periodic monitoring to ensure compliance. An organization wishing to conduct due diligence may need to obtain consent from the individuals concerned to collect, use, disclose, and transfer their personal information cross-border. Consent requirements vary. Organizations are tailoring due diligence questionnaires for country-specific use based on prevailing data protection and privacy concerns. Many organizations embed data privacy notices or statements into due diligence questionnaires.

Due diligence on third party intermediaries is a key component of a company’s anti-corruption compliance program, but companies should be mindful of the evolving legal landscape concerning data protection and privacy in order to successfully manage compliance with anti-corruption, data protection and privacy laws. The ultimate objective is to ensure compliance with the requirements under an effective risk management program while not falling afoul of any other regulations.