Editorial
Edward Nkune, Pauline Wijma and Birgit Snijder-Kuipers

Privacy, Data Protection and Cyber Security will most likely be high on the agenda for most Risk Committee meetings. These are the themes for this, the third edition of the Compliance, Ethics and Sustainability Journal for 2025.
In their article "Apple Inc v Secretary of State for the Home Department", Julian Hayes, Megan Curzon and Jenna Gayle examine the legal stand-off between the international tech giant Apple and the UK Home Secretary. Apple is challenging the Home Secretary's decision to impose a Technical Capability Notice, which is a requirement to maintain the capability to remove end-to-end encryption from its iCloud storage. The authors explore the resulting diplomatic furore and discuss the conflict between privacy and security. They examine the legislation, discuss the pros and cons of encryption and potential solutions to an age-old dilemma.
The increasing prevalence of cyber-attacks across the globe has led to a consequential increase in legislation to protect critical national infrastructure, including in new industry sectors not traditionally seen as critical. However, for many organisations the focus on reporting cyber security incidents, as opposed to the perhaps now established process of reporting personal data breaches, is something that may not be familiar to some compliance professionals. Kelly Hagedorn, Alice Portnoy and Hanna Hewitt explore this issue in their article, "Navigating a New Era of Reporting Cyber Incidents In the UK and EU", which seeks to map out the changing reporting landscape in both the UK and EU, providing an overview of what compliance professionals need to consider when updating their processes and procedures around cyber incident reporting.
Can the use of AI solve all of our compliance investigation problems? The answer to this question is examined by Carys Whomsley in her article, "Public Data, Private Risks". She argues that whilst the utility of chatbots powered by Large Language Models is there to be seen, their use comes with an inherent privacy risk. Whomsley also highlights some of the other issues that investigators will need to address if they want to harness the power of AI in open-source investigations, including hallucinations and copyright issues. The article examines these issues in turn and suggests how these tools will need to evolve to be sufficiently robust to have a prime place in a compliance investigator's armoury.
The co-existence of whistleblower protection and strict data privacy regulation often creates challenging situations for organisations and whistleblowers. Blowing the whistle can easily involve the dissemination of personal data, potentially constituting a data breach under GDPR. "Privacy vs. Whistleblowing: Can Data Breaches Be Justified During Public Disclosure?" is the question Anastasia Avramenko answers in this article. Balancing public interest, fundamental rights of individuals and the harm from data breaches, the author examines EU legislation and maps a suggested way forward through this complex landscape.
When discussing sensitive personal data, the compliance officer likely thinks first of the financial industry, where transactions reveal detailed profiles, especially when combined with publicly shared social media insights. However, one other category of personal data, literally close to our hearts and equally important, is the data about our health. The healthcare industry shares some data security challenges with other industries but also comes with its own particularities. The article "Europe's Health Industry and Regulation, Anonymisation and Security" by Tanya Chib, Dr. Anna Hakkers & Renate van Kempen combines the insights of three experts on regulation, cybersecurity and anonymisation in this vital industry, and provides the reader with an overview of the relevant regulations and some of their practical challenges regarding data security.
A large number of books and articles appear on the topic of business ethics that address pressing issues in a practical way and make concrete recommendations for promoting the ethics and integrity of organisations and their employees. Not everyone knows where to find these publications or has time to read them. That's why Edgar Karssing discusses articles and books in this area and writes about them. In this issue Karssing publishes the second of two articles on power and ethics. In the two articles Karssing highlights several questions and perspectives related to this theme. In this second article the attention is focused on (i) the background of power by Robert Greene, (ii) the seven rules of power by Jeffrey Pfeffer and (iii) the ethics of political action.
We hope you find this issue insightful and engaging.
Edward Nkune, Pauline Wijma & Birgit Snijder-Kuipers