Joint study by Noerr and Technical University of Munich
New technologies create new compliance risks
Advancing digitalisation is presenting companies and their management with organisational challenges in terms of compliance. This is the result of a study conducted by Noerr and the TUM Center for Digital Public Services of Professor Dirk Heckmann at the Technical University of Munich (TUM), which the law firm presented today at the Noerr Compliance Day in Frankfurt. More than 300 senior and middle management executives were surveyed for this study.
Sophia Habbe, equity partner at Noerr’s Frankfurt office and co-head of its Compliance & Internal Investigations practice group, said: “Management should be more aware than before that it is personally responsible for identifying all the risks associated with the increasing use of digital tools and for allocating sufficient resources to manage them.”
Peter Bräutigam, equity partner at Noerr’s Munich office and, according to legal directories (Juve, Chambers), one of the leading experts on IT law in Germany, added: “We recommend that our clients digitalise their companies as quickly as possible, but in doing so, they should not neglect digital compliance. Otherwise, in addition to reputational damage, they are at risk of heavy fines, claims for damages and official orders from regulatory authorities.”
Almost one in two (47 per cent) respondents confirmed that their company had been exposed to a legal compliance risk, such as hacking, extortion or data theft.
89 per cent of decision-makers surveyed have taken steps to mitigate their digital legal risks. The most common means are internal SWOT (strengths and weaknesses) analyses (63 per cent), followed by appointing compliance officers or strengthening compliance departments (48 per cent). 23 per cent of the respondents stated that their company had appointed a chief digital officer.
The professional background of compliance officers shows a mixed picture: the majority of employees entrusted with compliance tasks still have a degree in business management or law. Specific technical expertise, on the other hand, seems to be underrepresented. Only slightly more than a quarter of compliance officers have a technical or IT background.
It is striking that companies with more than 1,000 employees, listed companies and those with a foreign parent company implement measures against digital risks more frequently than smaller, non-listed companies headquartered in Germany. For example, 77 per cent of the listed companies surveyed have conducted internal SWOT analyses, while only 61 per cent of the unlisted companies have done so.
According to the study, most companies underestimate the legal risks associated with new technologies. While 24 per cent of respondents rated the risk of legal violations in the use of mobile phones as high or very high, only 9 per cent did so for artificial intelligence and blockchain, and only 8 per cent for big data analytics.
This is at odds with the constantly growing regulatory requirements, such as those placed on data protection or IT security. In its Schrems II ruling of 16 July 2020, the European Court of Justice declared the “EU-US Privacy Shield” invalid and thus made legally compliant data transfers to the USA considerably more difficult. Yet many cloud services are provided or hosted by US providers. Since supervisory authorities focus on ensuring that transfers of personal data to third countries comply with data protection law, there is a risk of high fines and claims for damages by third parties affected by breaches.