Fanny Evans, Senior Associate, Morgan & Morgan
In 2013, Virginia Ginni Rometty – CEO of IBM, said “I would like you to think of big data as the next natural resource that can be to our era what steam, electricity and oil were for the Industrial Age.”
Probably, you have read or heard: Data is the new oil! Data is the new bacon! Data is the new currency! These analogies have become very popular because data is now considered one of the most important commodities.
This is the result of the emergence of many successful Social Networks that, although they are not payment platforms, have turned the data into a source of value.
The need for a data-protection compliance program in business is becoming increasingly important after several high-profile leaks of companies’ data. Some of the biggest data breaches over the last two years include T-Mobile, Marriot, British Airways, Quora, Google, Orbitz and just recently, Capital One bank in the United States. A successful data breach may occur in less than one minute. Yet, businesses may take more than weeks to realize a breach has occurred.
When giving the first steps into complex waters like data protection, it is very common that companies get lost in the avalanche of legal requirements or in developing that product or service that might result attractive to its clients. However, for a business, changing the focus to issues that they may consider more interesting should never be an option because the results of data breaches include many types of damages: fromreputational to financial. Sometimes it can even affect an entire country as happened with, in my opinion, the wrongfully or unjustifiably called “Panama Papers”.
In the European Union, data protection is a fundamental right, and the General Data Protection Regulation (GDPR) which came into force on May 25th, 2018, is the new framework for protecting that right. Other countries are looking to the GDPR as they develop or implement their own laws to protect data.
Even if companies have an “it will not happen to me” approach to data breaches, in many countries, legislation is forcing them to rethink their reasoning. Here is where compliance plays an important role to help to plan a data-protection compliance program.
Here are five steps that can help as guidance when drafting or reviewing your data-protection compliance program:
- Understand your risks and legal and ethical obligations
One of the most important elements when building a data-protection compliance program is considering your risks and what is most important and mandatory to the business, instead of jumping into the requirements of a legislation without fully understanding your needs because not all risks or obligations are managed in the same manner or to the same extent. This program needs to set out the appropriate guidance in key areas.
Having said the above, the first step should always be to understand the business necessity to comply. This involves a careful analysis of what your obligations are, what the risk of breaching those obligations might be and what risks your company is willing to take.
- Document and review your policies
Your data-protection compliance program should be properly documented. Once the obligations and risks are understood, it is vital to document them. It is not just enough to know you are data privacy compliant. Your data-protection compliance program should be clearly verifiable and readily accessible through accurate reports and documentation for internal or external examinations.
The compliance officer shall perform a formal review on a regular basis to ensure that the data-protection compliance program is progressing as planned and that it is adjusted to meet any changes in legislation or the business.
- Allocate ownership
The responsibilities and tasks related to confidentiality and data-protection may overlap with other business policies, such as information technology security, recordkeeping, risks and audit, human resources, management of confidential information and others as it requires various skills to succeed. Therefore, the most advanced and elaborated data-protection compliance program will fail if there is no clear ownership of the tasks. Each business will structure the ownership differently, but it is vital that who is the owner of each task of the program is clearly understood and that the owners have the necessary resources, including training, so that they are competent to fulfil their role in a manner that is consistent with the business’ compliance culture.
- Provide training and the necessary resources
Always train your staff. If you have an informed team it will reduce your risk. Raise staff awareness.
Not only does training staff reduce the risk of breaches, it also demonstrates compliance before internal and external inquiries. For example, if an organization was to experience a data breach and they had documented their staff training on data protection, this would be used as evidence to prove that they had taken the appropriate steps to prevent a data breach and were taking the legislation seriously, if any.
Training should aim to ensure that all members of the team have an understanding of the data that they will have access to and the risks entailed. Training should be provided on a regular basis, and it ought to be performed again whenever there are significant changes to positions, structures, risks or obligations, or when actual issues arise. Also, the business shall incorporate data protection training into its process for onboarding new employees.
Businesses shall embed data-protection compliance program into it culture so that protecting information becomes second nature. This aspect, training and continuing education, should always include senior management.
- Review the Financial Action Task Force (FATF) Guidance on the Risk-Based Approach
A risk-based approach to compliance involves identifying the areas of high risk within the business’s compliance universe and building and prioritizing its compliance programs around these risks.
In order to assist both public authorities and the private sector in applying a risk-based approach, the FATF has adopted a series of guidance in co-operation with relevant sectors. Businesses shall review the guidance applicable to its industry to make sure that the appropriate mitigation measures in accordance with the level of risk are taken.
Data is one of the most important assets a business has. For that reason alone, data protection compliance program should be a top priority for any business.
Alvaro Tomas, partner and Vice President of Operations of the Fiduciary Unit of Morgan & Morgan
The Panamanian government has issued Law 99 of October 11, 2019, which establishes a General Tax Amnesty Law (“Amnesty”) that includes the elimination, for a limited period, of the penalties and surcharges caused by non-payment of the obligations with the National Treasury for corporations and private interest foundations. This law also includes amnesty for various types of interests and penalties resulting from non-payment of other taxes (for example: property or income tax).
Tax Amnesty Terms
The Amnesty Law will be extended until February 29, 2020 with exoneration as follows:
Full exoneration (100%) for those who pay in October and November 2019;
95% for those who pay in December 2019;
90% for those who pay in January 2020 and;
85% for those who pay on February 29, 2020.
The aforementioned Amnesty is the perfect opportunity to bring your legal vehicle into good standing without additional charges or to proceed with its dissolution instead of being struck off (which is the legally correct manner).
At Morgan & Morgan we have a range of seasoned professionals working alongside the young talent that can help you with the administration of your corporate vehicles and foundations. Please write to [email protected] if you are interested in more information.
Naim Musa, Managing Director, Morgan & Morgan, Belize office
Pursuant to the International Business Companies (Intellectual Property Asset Prohibition) Regulations, 2019 and related legislation, companies incorporated under the International Business Companies Act of Belize (IBCs) shall not acquire, hold own or deal with any Intellectual Property Asset as follows:
• IBCs incorporated on or before 16 October 2017 shall not acquire, hold own or deal with any Intellectual Property Asset unless that asset is approved by the Belize International Financial Services Commission for holding IP assets up to 30 June 2021. After 30 June 2021 all Intellectual Property Assets must be disposed.
• IBCs incorporated on or after 17 October 2017 shall not acquire, hold own or deal with any Intellectual Property Asset.
Under law, “Intellectual Property Asset” means any intellectual property right in intangible assets, including but not limited to copyright, patents, trademarks, brand, and technical know-how, from which identifiable income accrues to the business (such income being separately identifiable from any income generated from any tangible asset in which the right subsists).
This law is currently in effect and we would encourage that clients take such necessary steps to dispose of all Intellectual Property Assets from any IBCs or, if applicable, seek necessary administrative approval for the holding of same. Failure to do so may result in penalties and fines.
You may forward any questions on this legislative amendment to our Belize office at [email protected]
Fanny Evans, associate at Morgan & Morgan
The British Virgin Islands (BVI) has passed legislation requiring certain legal entities carrying on relevant activities to demonstrate adequate economic substance in the BVI. The owners of any company or limited partnership registered or incorporated in the BVI should be aware of this legislation and consider how they may be affected.
The Economic Substance (Companies and Limited Partnerships) Act, 2018 (the Act) came into force on January 1st, 2019. It addresses the concerns of the European Union (“EU”) Code of Conduct Group for Business Taxation and recent OECD guidance around the economic substance of entities in jurisdictions with low or zero corporation tax. The Act demonstrates the BVI’s continued commitment to international best practice including the BVI’s implementation of the OECD’s Base Erosion and Profit Shifting (BEPS) framework and related EU initiatives.
The Act follows closely the approach taken to address the same issue by the Crown Dependencies of the UK (Jersey, Guernsey and the Isle of Man) and the other UK Overseas Territories including the Cayman Islands and Bermuda.
What is the effect?
The Act imposes economic substance requirements on all legal entities carrying on “relevant activities” unless they can evidence that they are tax-resident elsewhere. Entities which do not carry on a relevant activity are not subject to the economic substance requirements but may be subject to certain reporting obligations.
The relevant activities are:
1) banking business
2) insurance business
3) fund management business
4) finance and leasing business
5) headquarters business
6) shipping business
7) holding business
8) intellectual property business
9) distribution and service centre business
We look forward to further guidance by the government to assist in determining if a particular entity is carrying on a relevant activity or if exemptions may apply.
What are the reporting obligations and who will have access to information?
The information will be provided to the BVI International Tax Authority (ITA) via the BOSS system. BVI and foreign registered companies and limited partnerships will be required to report certain information to their BVI registered agent for this information to be uploaded onto the Beneficial Ownership Secure Search System regime (BOSS) so that the BVI International Tax Authority (ITA) can have access to it.
The ITA may use the information to discharge its duty to supervise and enforce the economic substance requirements. Information may be disclosed by the ITA to relevant overseas authorities in certain cases, including where there is breach of the economic substance requirements or where the entity claims to be tax resident in an EU member state.
What are the penalties?
Penalties are imposed for failure to provide required information or providing false or misleading information and for operating a legal entity in breach of the economic substance requirements + which may include fines, imprisonment and/or strike-off.
What is next?
The Regulations, Rules and formal Guidance Notes, will be issued within the following weeks. They will certainly provide further detail and a clearer picture so that all relevant entities will be able to undertake an internal review to determine what measures, if any, they should take in order to achieve compliance. We believe that, for many entities, the impact will be minimal and compliance will be straightforward.
We will leave, in our opinion, the best news for the end because we assume that after having read the above, the most important question to answer is:
Are these efforts being welcomed by the EU?
The EU has confirmed that the British Virgin Islands and Cayman Islands have not been included on the EU’s updated list of non-cooperative jurisdictions for tax purposes (known as the EU blacklist), which was published on March 12th, 2019. The EU’s decision confirms that both jurisdictions have implemented good tax governance principles which address the EU’s earlier concerns on the economic substance of certain entities in low or no tax jurisdictions.
BVI has overcome many pressures from various international organizations. This ability to respond demonstrates that is a highly regulated and stable jurisdiction willing to protect the wide array of services it offers. With the Economic Substance legislation BVI remarks its commitment to continue being the leading financial center.
Panama, September 25, 2018. Morgan & Morgan and sixteen attorneys of the firm were recognized in the Chambers Latin America 2019, guide of the best lawyers and law firms across 20 countries of Central America, the Caribbean, South America and Mexico.
The firm has been ranked in the first Bands within the areas of Banking & Finance, Capital Markets, Corporate/M&A, Dispute Resolution, Energy & Natural Resources, Intellectual Property, Offshore, Projects, Real Estate, Shipping and Shipping Litigation.
Likewise, the publication noted as leaders in their areas attorneys Inocencio Galindo, Francisco Arias, Ramon Varela, Roberto Vidal, Simon Tejeira, Jose Carrizo, Luis Vallarino, Ana Carolina Castillo, Allen Candanedo, Maria Eugenia Brenes, Roberto Lewis, Luis Manzanares, Enrique De Alba, Jazmina Rovi, Juan David Morgan Jr. and Francisco Linares.
One of the clients interviewed stated that “Judging by the results that the firm achieves, I can say that their advice is effective and arrives in a timely manner. I would highlight their availability and technical competence”.
About Morgan & Morgan
With over 80 lawyers and 20 practice areas, Morgan & Morgan is a full service Panamanian law firm, regularly assisting local and foreign corporations from different industries, as well as recognized financial institutions, government agencies and individual clients. Of particular note is our continuous advice for clients involved in all stages of the development of important projects related to energy, water supply, construction, oil, mining, public infrastructure, retail, ports, transportation, among others. Learn more at www.morimor.com.
Partners Roberto Lewis, Raul Castro, Luis Manzanares and Fernando Boyd contributed with the Panama chapter of Chambers & Partners Private Wealth Guide 2019.
The guide provides expert legal commentary on the key issues for high net worth individuals and covers the important developments in twenty-seven jurisdictions, including Panama.
The complete guide is available here.