Lawyers and businesses today are concerned with data privacy issues like never before—not only because of the mounting number of data privacy scandals, but also because of new regulations, most importantly the EU’s General Data Protection Regulation (GDPR). The GDPR, which was adopted in 2016 and became applicable in May 2018, reformed the entire personal data protection system in the EU by setting new rules of data protection and privacy. Moreover, the GDPR applies not only to entities that operate within the EU, but also to all entities established in the EU when operating outside the EU, as well as to entities established outside the EU when they are offering their goods and services inside the EU or monitoring individuals from the EU. The GDPR thus has global reach, as well as stringent penalties for violations.
The GDPR has implications for many different fields, and anticorruption is no exception. This is especially true for corporations conducting internal investigations of possible bribery by firm employees or agents, and when conducting due diligence on potential partners. Much of the data collected in these corporate investigations will include “personal data” as defined and regulated by the GDPR. For this reason, some commentators have warned that the effect of the GDPR on traditional corporate anticorruption investigations will amount to “a collision of galactic proportions.”
That may be hyperbole, but it is certainly the case that the GDPR will impose important new obligations that influence how companies handle anti-bribery compliance issues, both in the context of internal investigations and in the context of due diligence.