What Does Compliance Mean for the Public Sector?

public sector compliance

In 2020, compliance challenges that public organizations need to prioritize include data protection, identity verification, protection for the vulnerable, conflict of laws and governance. In responding to these compliance challenges, public organizations need to consider a mix of both traditional mechanisms (such as training and internal audit), as well as technological/automated solutions.

Assume that the private sector has the most significant compliance challenges. The assumption, perhaps, is that a commercial motive means that private industry is less interested in the public good. Increasingly, however, compliance challenges are ‘sector-neutral’: they apply equally to the public and non-profit sectors as they do to the private sector.

In this article, we consider some of the key compliance challenges that any public organization needs to take into account in 2020. These are:

  • Data protection
  • Identity verification
  • Protection of the vulnerable
  • Conflict of laws

We look at each of these challenges in turn before looking at the steps a public organization needs to take in response.

What is the Public Sector?

There is no universally applicable definition of the ‘public sector’ or ‘public organizations’. Traditionally, the public sector was either part of, or funded by, the state or government. However, as organizations that don’t fit this definition have increasingly taken on jobs previously carried out by arms of the state, this definition has expanded.

The public sector is defined not by its funding or ownership structure, but by its purpose: a public organization is one not primarily motivated by profit, but rather by the public good or welfare.

While this definition leaves the border between the public and non-public somewhat fuzzy, seen in this way, examples of public organizations could include:

  • National/federal/state government departments
  • Local/municipal/county government departments
  • Schools
  • Universities or colleges
  • Utility and energy companies
  • Emergency services
  • Postal services

Data Protection

Increasingly, we conduct our transactions online. When we pay taxes, pay electricity bills or register for schools via the internet, we place significant amounts of our information in the hands of a public organization.

Regulators have recognized that individuals still have rights to that information, and that that information needs to be protected. Perhaps the most well-known is the European Union’s General Data Protection Regulation (GDPR), introduced in early 2018. Other similarly comprehensive data protection and privacy regimes include:

These laws and regulations do have significant differences, but all of them require that organizations have robust procedures, policies and training in place to protect personal information. They also all require that data breaches be notified and that organizations be able to demonstrate their compliance.

Some data protection requirements that might apply, depending on the jurisdiction, include:

  • Right of the individual to access their personal information;
  • The individual has a right to update or delete their personal information;
  • A right of the individual to opt-out of an organization collecting or making certain uses of their personal information.

Public organizations also have the special data compliance challenge of complying with any ‘freedom of information’ laws that apply in their jurisdiction. These laws generally require that public or official information be disclosed to the public. Unless there is a good reason not to do so.

Identity Verification

Public organizations need to ensure that the people or entities they are dealing with are who they say they are. There has been considerable emphasis on how special identifying codes (such as ‘Legal Entity Identifiers’, or ‘SWIFT’ codes) can be used by private businesses to ensure that parties to financial transactions are aware of the risk profile of the other party they are dealing with. However, identity verification is just as important – if not more important – for public organizations.  For example, identity verification is increasingly a legal/compliance requirement in order to:

  • Ensure that the right person receives a service (such as enrollment in a school or a government subsidy)
  • Protect individual privacy (such as where an organization has access to sensitive health data).

Protection of the Vulnerable

There is an increasing expectation that all public organizations do more to protect the vulnerable in society. Consider, for example, the requirement that utility companies provide special protections for vulnerable customers. Another example is the requirement that schools enroll students with disabilities in federally-funded schools.

All public organizations need to ensure that they have mechanisms in place to ensure compliance. It applies to a particular protection to their customers or clients.

Conflict of Laws

Increasingly organizations are operating across international borders. In response, regulators are increasingly extending the reach of laws and regulations across those borders. For example, both the General Data Protection Regulation and the California Consumer Privacy Act apply to organizations outside the European Union and California, respectively, where they serve clients or customers in those areas. Another example is the requirement to follow European verification rules when conducting certain transactions (e.g., trading derivatives) with a European organization.

All public organizations need to have a system in place to recognize all the different sources of their legal and compliance obligations.

Governance

There have been many highly publicized cases where a failure in governance was seen as the downfall in a public organization. Increasingly it is expected that the governors of the organization (they may be called boards of directors, boards of trustees, or simply ‘the board’), step up and take on a more conscientious role.

A key aspect of this has been the role of boards as identified in International Standards. It is a requirement in various International Standards that boards have oversight of risk management, remuneration policies, internal audit, compliance management systems and other matters.

It is not acceptable for board members to attempt to delegate their oversight responsibility to executives and management.

How Might the Public Sector and Organizations Respond to These Compliance Challenges?

Some elements of a robust compliance program are timeless. For example, all public organizations need to consider:

  • All staff should have regular training in their compliance obligations. Records of the training need to be kept and the training process needs to be incorporated into employee and contractor performance review;
  • Internal Audit/Compliance Review. All organizations need to consider how they will review or audit their processes. This is to ensure that there is follow-through on compliance policies and programs. If an organization is not big enough to have its own unit, it should consider outsourcing to a third party. This function needs to report to the Board (not just the CEO or CFO);
  • Compliance spend. Organizations need to consider whether they have devoted enough financial and staffing resources to ensure that they have prioritized compliance.

One aspect of a high-performing compliance program that is a newer development, however, is the role that automation and ‘Software as a service’ (SaaS) can play in the process. Just as technology creates some of the compliance headaches we have identified, it may also provide the ‘aspirin’. Automation will improve compliance as well as reduce costs. This could be implemented in the following areas:

  • Data protection. Technological tools can be used to keep data securely stored, collate personal information, reduce duplication and streamline responses to the public (for example, responses to data access or deletion requests).
  • Identity verification. Software can be used to quickly identify that an individual or entity is who they say they are.
  • Vulnerable customers and conflict of laws. Training software can be used to ensure that any staff, managers or contractors dealing with vulnerable customers. On top of their obligations, all applicable laws are being complied with.
  • Governance. Automated solutions can keep track of the upcoming scheduled actions for the board (for example, dates for internal audit plans), as well as the outcomes of meetings.

Importance of Public Sector Compliance

It cannot be denied that public sector compliance is important and it is an area that public sector organization should pay close attention to throughout the year. As an organization that ultimately falls under the authority of a country’s government and its citizens, it must adhere to compliance requirements for transparency and good governance purposes.

Share this article:
  • Facebook Share Icon
  • Linkedin Share Icon
  • Twitter Share Icon
  • Whatsapp Share Icon
  • Reddit Share Icon

Darius Hadid
Darius Hadid

Darius is a Corporate Compliance Specialist and has expertise in the areas of regulatory compliance and corporate bylaws. He has helped many organizations improve their governance practices and decision-making processes.

  • Connect:
  • Linkedin Account
  • Email Account

Take Your Organization’s Meetings to the Next Level

Learn how Convene can give your boards a superior meeting experience.
Enquire for a free demo with no cost or obligation.

Talk to Us