What’s in store for risk and compliance practitioners for 2023?

What’s in store for risk and compliance practitioners for 2023?

A recent UUֱ report predicts the overall demand for legal expertise will grow by 6% in 2023 despite the current economic and political landscape. Although this does not apply to all practice areas, the data indicates growth in the demand for risk and compliance practitioners in 2023.

Both 2017 and 2020 saw spikes in demand for risk and compliance expertise. In 2017 we saw 50% growth from the previous year, no doubt due to the General Data Protection Regulations and a similar surge of 37% in 2020 due to Covid and remote working posing several security risks.

Russia's invasion of Ukraine saw a smaller spike in demand in 2022. According to the UUֱ GLP Index, demand for risk and compliance is anticipated to grow by 7% in 2023.

What are the risks and trends impacting risk and compliance law? 

Cybersecurity

Cybersecurity seems to be one of the most significant risks dominating R&C at the moment. The reported that 39% of UK businesses identified cyber-attacks in 2022. This percentage could be considerably higher because less cyber-mature organisations could be unaware of attacks.

Allison Wooddisse, the head of In-house, Compliance and Practice Management at UUֱ, says phishing remains the leading cause of cybersecurity breaches. According to DCMS, 83% of all cyber-attacks or breaches are from phishing attacks.

Around four in five (82%) of boards or senior management within UK businesses rate cyber security as a 'very high' or 'fairly high' priority, according to DCMS - a significant increase from 77% in 2021.

But despite the growing awareness of this threat, as the ICO observed when imposing a £4.4m fine, the most significant cyber risk is complacency, not hackers. 

 

Download the GLP Index report for more detailed insights on risk and compliance

 

Your staff are your biggest risk and your first line of defence, says Wooddisse, who previously worked as a partner at Shoosmiths. 

"Train, educate and reinforce, reinforce, reinforce. Phishing simulator products will engender a culture of constant vigilance. One of the most common mistakes is forgetting the simple stuff, technical measures such as firewalls, enforced password hygiene, software patching and deleting dormant user accounts."

Wooddisse was also quick to stress the importance of thinking about how you would respond to a cybersecurity breach now rather than later. "You need to have a written plan up your sleeve, so you can focus your attention on dealing with the cyber breach calmly.”

"If a cybersecurity breach happens, your DPO should decide whether to notify the ICO and any affected people," says Wooddisse. "The DPO may need some legal input from you. You will also need to review your contracts to see whether you have to inform customers or suppliers in any event."

Organisations may worry most about external cyber threats. However, according to the Information Commissioner's Office (ICO) data security trends report, the greatest cause of data security breaches is human error - emails, letters and faxes sent to the wrong person, unauthorised access, loss and theft of paperwork, IT equipment, or (that old chestnut) data left in an unsecured location.

Wooddisse's advice for managing data security risks is, "As always, educating your staff is key to managing data security risks." 

When considering enforcement notices and monetary penalties issued in 2022, the UUֱ report found that the ICO issued a comparatively high 22 new notices with penalties totalling over £16m. (Still significantly lower than the £40m in fines in 2020.)

If you want to put a data breach strategy in place, UUֱ has a range of tools, templates and guidance that can help you in its Cybersecurity topic.

Data protection

Direct marketing activities remain the major data protection risk. The introduction of the General Data Protection Regulations in 2018 led to a significant transformation in the marketing practice. However, many still get stung with costly fines. 

The  page is littered with eye-watering fines for breaches of the direct marketing data protection regime, says Wooddisse.

"It isn't just rogue claims management companies that fall foul of the rules. No company is too big or too small to be penalised, and fines often run into six-figure sums—sometimes seven figures."

According to Wooddisse, some of the most common mistakes are:

  • failing to identify the correct lawful ground for processing under the UK GDPR;
  • not being upfront with people about what you intend to do with their data;
  • failing to screen against external 'Do not contact' registers such as the Telephone Preference Service (as well as internal suppression lists); and
  • not understanding how soft opt-in works for electronic direct marketing.

"The direct marketing regime is a tangled web of complexity, and some of these failures are understandable," she says. "However, when they're combined with aggressive sales tactics, you can expect to incur the full wrath of the regulator."

For more information on the do's and don'ts of direct marketing campaigns, go to How to handle personal data for direct marketing  

Financial sanctions

The financial sanctions placed on 1,300 Russian individuals and organisations due to Russia's invasion of Ukraine is another major trend impacting risk and compliance law.

All businesses in all sectors must comply with financial sanctions measures, says Laura Spooner, In-house Risk & Compliance Specialist at UUֱ.

"In practical terms, they prevent businesses from carrying out transactions for, or providing specified services to or on behalf of, an individual or organisation designated by the government under a financial sanctions regime." 

"This isn't a new 'thing', but the Ukraine conflict has sharpened the focus for businesses. In 2022 we saw 17 sets of amending regulations relating to Russia sanctions alone, and almost 50 general licences were issued by HM Treasury, compared to just a handful issued before the Ukraine conflict."

Financial sanctions compliance is problematic, as international regimes are broad, complex, overlapping and rapidly evolving. There are severe penalties for non-compliance, says Spooner, who, prior to joining UUֱ, was Risk & Compliance Manager at Collyer-Bristow LLP, where she established the firm's R&C function.

"Determining beneficial ownership, staying on top of lists of sanctioned targets, dealing with licences and breaches, and managing customer-supplier relationships all require specialist resources."

The trickiest bit, particularly in a fast-paced situation such as the Ukraine conflict, is keeping up-to-date, says Spooner, and it's imperative that businesses do. 

To stay on top of new financial sanctions, see the UUֱ Financial Sanctions page.

Conclusion

All these new risks, regulations and sanctions demanding subject matter experts bode well for increased demand for risk and compliance law services. 


Related Articles:
Latest Articles:
About the author:
Dylan covers the latest trends impacting the practice of the law. Follow him for interviews with leading firms, tips to refine your talent strategy, or anything technology and innovation.