An accountability approach consists of making obligations explicit (draw up a standard, a baseline) and demonstrating that the obligations have been acted upon (in accordance with the baseline). If an organisation adopts such an approach, the management decides to what extent the obligations are met and takes responsibility for the effectiveness of the control measures taken.
In other words, the leadership is responsible for organising compliance with legal, contractual and policy obligations.
The accountability mechanism
The accountability mechanism of being compliant with the obligations is built on the internal control of an organisation. In figure 1, we have worked this out for data protection.
The board prepares policies and indicates the extent to which legal and contractual obligations will be fulfilled. The policy gives rise to the establishment of appropriate technical and organisational control measures.
A compliance mechanism is set up to measure and record the effective functioning of the control measures taken. This ‘accounting’ forms the basis for the management to justify itself or be accountable to society.
The compliance approach, as part of the TTP policy, is about justifying the company’s obligations to partners, and partners to the company.
The following examples make this clear:
- In the context of the protecting personal data, there lays a legal accountability obligation, to the society, on the shoulders of the controller, including the underlying (sub)processors of the personal data. Society consists of the persons whose processors process data and the supervisor; and
- In the context of responsible business operations, a company wishes to make agreements with partners on the processing of company data, in particular trade secrets and intellectual property (the crown jewels of the company).
Companies don’t just have:
- a need for an integrated compliance approach for relevant legal and contractual obligations; but also
- a compliance approach that is practically applicable to cooperating parties.
What is the role of MYOBI?
MYOBI, in the role of a trusted third party (TTP), facilitates companies that embrace the TTP policy with an integral and interoperable compliance approach. The compliance approach uses the MYOBI Trust Network, and within it, the information ecosystems that companies use for:
- making agreements on the processing of company and personal data;
- compliance with the Accountability Seal Policy, which also includes the TTP Code of Conduct GDPR; and
- complying with legal and contractual accountability obligations for data protection and information security.
TTP Code of Conduct GDPR
At the request of the Association of Participants in Information Ecosystems (Association), which holds the TTP Code of Conduct GDPR, MYOBI has applied the above approach for data protection and information security to demonstrate compliance with the TTP Code of Conduct GDPR.
MYOBI incorporates compliance with the Code of Conduct in the accountability cycle of the financial statements. Based on baselines “protection of personal data” and “information security”, the management of a company expresses itself on the maturity level of compliance with the Code of Conduct. Relevant law and the frameworks of the Royal Dutch Professional Association of Accountants (NBA) and the Dutch Order of Register EDP Auditors (NOREA) are the foundation for the baselines.
Legal Entity Management
MYOBI supplement the baselines with specific requirements of the Code of Conduct and have prepared handouts on how to use the baselines. With the help of Legal Entity Management (LEM), companies assign powers to employees who are responsible for performing the tasks in the compliance and accountability process.
For the benefit of companies, MYOBI organises the process of being compliant with the TTP Code of Conduct GDPR and, if desired, other company-specific legal and contractual obligations. This approach allows a company to organise integrated compliance with the aim of an effective and cost-efficient organisation.
The TTP Code of Conduct GDPR assumes an accountability process with unambiguous baselines and quality control that comes at different maturity levels. The Association, of which users of the MYOBI Trust Network are members, recognises this accountability process. This approach offers the individual user a lot of comforts. Companies are becoming comparable to their compliance with the legal obligations of the GDPR and demonstrate this to society. This insight relates not only to the company itself but also to the underlying processors and sub-processors of (personal) data. It creates a chain of trust based on a verifiable accountability process at manageable costs.
Tools to set up the accountability process
It is wise to aline the implementation of the accountability process of the TTP Code of Conduct GDPR with financial accountability. MYOBI offers a variety of tools to set up the accountability process. They’re still tools. A company has to operationalise the accountability process itself.
A company gains insight by performing a risk analysis is. This analysis can be done for an entire company or per business unit. We can imagine that for a small or medium-sized company, one risk analysis is sufficient to understand the risks. In a large company with different activities and different use of personal data, the choice of multiple risk analyses can be better. How often the maturity level of a management objective should be determined depends on the outcome of the risk analysis(s) and the effectiveness of the compliance tools.
The baselines include management objectives. It is advisable to use the baselines for each risk analysis and determine the frequency for this. In this way, an annual plan develops.
With the help of MYOBI, for each management objective, the ‘owner’ is determined. It is often the process owner. This owner then determines who should perform the check. In LEM, the company records both the owner and the executor.
Legal Entity Management
With the help of LEM, companies grant authorities to employees who are responsible for carrying out and accounting for various business activities. This should include employees accountable for operating specific management objectives and those responsible for determining the effectiveness of control measures of one or more management objectives. The DPO will also be given authority in the LEM.
Three baselines are available to support accountability for the TTP Code of Conduct GDPR:
- Baseline Protection of personal data for the controller;
- Baseline Protection of personal data for processor; and
- Baseline Information Security.
A company may wish to use the baseline Protection of personal data for the controller for different organisational units, for example, the Human Resources department and the Debtors control. Ditto for the baseline Information Security. The companies’ license determines the number of baselines that can be used.
Based on the results of investigations, the management expresses – in a self-declaration – the maturity level of the company and thus compliance with the TTP Code of Conduct GDPR. With this declaration, the leadership is accountable for complying with the Code of Conduct. For the management, there may be grounds for carrying out additional investigations by the internal control & compliance department.
The role of the DPO
The green blocks above (figure 1) reflect the legal duties of the Data Protection Officer (DPO). The DPO advises the management on privacy policies, advises the operational organisation in the taking of appropriate technical, and organisational control measures and oversees the effective functioning of the control measures taken.
The DPO has a legal duty to govern company’ compliance with the GDPR. By confirming the self-declaration of the management, the DPO is performing this task.
The DPO carries out its own risk analysis and makes a work plan based on this. In this work plan, the DPO determines the frequency at which the analyses are carried out. The DPO may use the results of this for the DPO report during the accountability period. At the end of the accountability period, he can use it to confirm the self-declaration. With the confirmation, the DPO declare that the maturity level, as mentioned in the self-declaration, is endorsed.
In the accountability process, DPO’s opinion is of great value. This is why the DPO should be well trained to be able to confirm the self-declaration. The DPO must be appropriate to the company, have received adequate DPO training (including organising accountability for compliance with legal en contractual obligation) and have taken a good examination.
MYOBI, in the role of TTP, facilitates companies with organising accountability. The TTP Code of Conduct GDPR is leading. MYOBI manages the baselines, provides training, provides meetings and performs tests on self-declarations. MYOBI further monitors the accountability process and appeals to companies to submit the self-declaration promptly.
From Self-declaration to Accountability Seal
Upon receipt of the self-declaration, MYOBI converts the indicated maturity level into an Accountability Seal and records it in the Accountability Seal Register. The Register is available on MYOBI’s website and can be consulted by other users and other interested parties.
For each company, three Seals are shown in the Accountability Seal Register:
- The level of maturity indicated by the leadership in the self-declaration.
- The maturity level confirmed by the DPO; and
- The maturity level at which MYOBI comes out on the basis of a plausibility test.
If a company does not provide a self-declaration in time, or if the self-declaration does not meet the formal requirements (for example, the confirmation of a competent FG) then MYOBI can set the maturity level of the company to ‘0’.
Expanding the scope of accountability
The GDPR is just one of the legal obligations that a company must meet. There are other legal and contractual obligations which a company, for operational cost reasons, wants to comply integrally with. To make these legal and contractual obligations explicit, we use the results of the Contract Board (CB).
Based on sector or business activities, CB lawyers identify relevant legislation and draw up a legal policy framework. Policy frameworks provide the frameworks for Duthler Associates professionals to create baselines. CB’s lawyers also compile sector or company-specific contract portfolios using the relevant legal policy frameworks.
Companies share company and personal data with each other, under the umbrella of the TTP Code of Conduct GDPR. They are accountable for complying with this code of conduct. MYOBI ensures that companies can control the accountability process, monitor the accountability cycle and monitor the timeliness and accuracy of the operations.
The compliance approach and the operationalisation of this on the MYOBI Trust Network offer business users of MYOBI a lot of added value.
In order to ensure that the organisation of the compliance approach is as effective as possible, MYOBI enables business users to take appropriate control measures. The following measures are taken:
- Employees of companies, in their e-learning tenant, are offered training in the field of data protection and information security. The aim is to increase awareness and to determine, with the help of tests, that these employees have the level of knowledge they want;
- MYOBI offers business users a contract portfolio of processor and consent agreements aiming to conclude unambiguous arrangements for the processing of personal data;
- MYOBI offers useful tools for organising data protection;
- MYOBI offers administrations for the recording of processing and control measures as well as proof of the effective functioning of the control measures. The administrations are equipped with smart compliance that allows DPIA’s to be implemented; and
- On-call professionals are available to support the operational staff.
As MYOBI gains more experience in facilitating accountability, the control measures offered will evolve.
The Accountability Board (AB) is a body of MYOBI that monitors whether MYOBI and users of MYOBI are compliant with the TTP policy. The Board consists of experts with relevant knowledge and experience in the legal, auditing and risk management. The AB gives MYOBI requested and unsolicited advice to improve accountability. The tools that MYOBI makes available for this purpose are involved. The Board may impose sanctions if compliance with the TTP policy is not properly observed.
The AB is subject to regulation and procedures based on, among other things, the TTP Code of Conduct GDPR. The AB may conduct its own investigations to determine whether the accountability cycle is correct and can intervene if it feels that a user or MYOBI does not apply the Code of Conduct properly. It may impose sanctions, such as adjusting the maturity level in the Accountability Seal and suspending or excluding a company, to an applier of the Code of Conduct and thus as a User of MYOBI.
Organising compliance with the TTP policy
As part of the compliance approach, MYOBI prepares annually for the accountability cycle. During the year, MYOBI informs business users about current events and being accountable with data protection, provides training modules aimed at accountability and facilitates meetings. The accountability cycle uses the time frame of the last months of the accountability year and the first quarter of the new year to obtain:
- the self-declaration of the management;
- confirm self-declaration of data protection officers (DPOs); and
- the execution by MYOBI of the plausibility tests on self-statements.
MYOBI strives to include the results of the accountability process in a company’s management statement.
The self-declaration consists of a statement about the attained maturity level and the ambition for the coming year. To make a statement about the maturity level, the management (the board) needs the baselines that correspond to the TTP Code of Conduct GDPR. MYOBI makes the most current baselines available in the company’s Information ecosystem.
The Accountability Seal Policy is part of MYOBI’s TTP policy. Based on this policy, the management of a company is accountable to society and other users on the Trust Network in particular. See Accountability Seal Register for detailed information. Companies can apply the above approach in a company-specific and integrated manner for all compliance issues.