Timeline, compliance approach
A compliance approach consists of making obligations explicit (drawing up a standard, a baseline), complying with that baseline and demonstrating compliance with it (and so being compliant with the obligations). If an organisation applies a compliance approach, the management pronounces on the extent to which commitments are met (a maturity level in the baseline) and takes responsibility for the effectiveness of the control measures taken. In other words, management is accountable for organising compliance with legal, contractual and policy obligations.
Based on the above theory, MYOBI, in collaboration with the professionals of Duthler Associates, has elaborated this compliance approach into a method, models and supporting IT on the MYOBI Trusted Network. We discuss applying the compliance approach to the obligations arising from the TTP policy, which includes the MYOBI Code of Conduct GDPR. The accountability mechanism for being compliant with the obligations is based on the internal control of an organisation. We have worked that out in the diagram below.
The board formulates policy and indicates the extent to which legal and contractual obligations will be met. The policy gives rise to taking appropriate technical and organisational control measures. A compliance mechanism develops in which the effectiveness of the control measures taken is measured and recorded. This “bookkeeping” is the basis for the management to account for its actions to society.
The accountability mechanism
MYOBI has applied the above governance & compliance approach to compliance with the TTP policy and with the MYOBI Code of Conduct GDPR. The compliance approach is in line with the compliance and audit lifecycle of the financial statements, management report and auditor’s report. The baselines “Protection of personal data and Information security” are based on relevant legislation and on the baselines of the Royal Dutch Association of Accountants (NBA) and the Dutch Order of Register EDP Auditors (NOREA). MYOBI experts supplement these baselines with specific Code of Conduct requirements and manage the associated guidance.
Legal Entity Management
Using Legal Entity Management (LEM), companies assign powers to the employees in the various business activities who are responsible for implementing the compliance approach. The accountability mechanism is based on a derived object of research, “privacy & security accounting”, which includes registers of personal data processing, control measures taken, evidence of the effectiveness of the measures taken, incidents and data breaches, and requests from data subjects with the organisation’s follow-up. Periodic consolidation and internal control are the basis on which the management (the board) is accountable for complying with the TTP policy and protecting personal data.
Based on the records in the administrations, the management makes a statement – in a self-declaration – about the maturity level of the company, and thus about compliance with the TTP policy and the MYOBI Code of Conduct GDPR. With this statement, the management makes itself accountable for compliance with the code of conduct and with its legal and contractual obligations.
The role of the Data Protection Officer
An internal control mechanism is included in the governance & compliance approach. The green blocks indicate the statutory duties of the Data Protection Officer (DPO). The DPO advises on policies, on day-to-day operations and on taking appropriate technical and organisational control measures, and supervises the effectiveness of the control measures taken. The DPO can demonstrate adequate performance of these statutory tasks by confirming the self-declaration. There may be grounds for management to have an additional investigation conducted by the internal control department (IC).
The role of MYOBI
MYOBI, in the role of Trusted Third Party (TTP), facilitates companies in organising an interoperable accountability mechanism. The TTP policy containing the MYOBI Code of Conduct GDPR is central to this. Every year, MYOBI conducts the accountability process by managing the baselines, providing training, holding information meetings, conducting plausibility studies on self-statements and recording the results in the Accountability Seal Register.
The Accountability Board (AB) supervises that the MYOBI Code of Conduct GDPR, as referred to in Article 40 of the GDPR, is complied with by companies and by MYOBI.
The GDPR is only one of the legal obligations that a company must meet. There are also other legal and contractual obligations, which can be incorporated into company-specific policies. We use the results of the Contract Board (CB) to make these “additional” legal and contractual obligations explicit. Based on the business activities, lawyers from the CB make an inventory of the relevant legislation and compile a policy framework. The professionals of Duthler Associates compose baselines from the frameworks in which the legal obligations are stated. The policy frameworks are also the frameworks the lawyers of the CB use to compile the contract portfolios in which the contractual obligations have been drawn up.
MYOBI facilitates companies with accountability
To ensure that the compliance approach is organised as effectively as possible, MYOBI enables business users to take appropriate control measures. This concerns the following measures:
- MYOBI provides companies, in their own e-learning tenant, with training capacity for their staff on data privacy and information security. The aim is to increase staff awareness and to determine, with the help of self-tests, that staff have the desired level of knowledge;
- MYOBI offers business users smart contracting with a contract portfolio consisting of consent and processing agreements. It allows the users to agree on unambiguous arrangements about the processing of personal data;
- MYOBI provides useful tools and resources for organizing data protection;
- MYOBI presents administration tools for recording personal data processing and the control measures taken, as well as for recording the evidence of the effectiveness of those control measures. The administrations are equipped with smart compliances, which support performing, for example, Data Protection Impact Assessments (DPIAs) or risk assessments; and
- Professionals are available on call to support the operational staff.
As MYOBI gains more experience in facilitating accountability, the controls offered will evolve.
The MYOBI Code of Conduct GDPR, as referred to in Article 40 of the GDPR, offers companies certainty about taking appropriate control measures aimed at protecting personal data and information security. This certainty makes it possible for companies to take effective and cost-effective steps and to respond to requests from data subjects and the regulator with confidence. On the other hand, there are requirements for the MYOBI Code of Conduct GDPR and the baselines derived from it.
MYOBI has set up the Accountability Board (AB) for this purpose; it supervises the adequate implementation of the compliance approach. The AB consists of staff qualified in the fields of legislation, protection of personal data, information security, risk management, compliance and audit.
MYOBI’s governance structure includes the AB. This Board is the independent supervisor of MYOBI, and its main task is to monitor compliance with the MYOBI Code of Conduct GDPR. The Board has established regulations and procedures for performing its supervisory duties and is accountable for them. The Board may conduct its own investigations to determine whether the accountability cycle for awarding an Accountability Seal has been carried out correctly, and it is authorised to act when errors are found. In doing so, the Board represents the interests of the persons and companies that decide to share personal data based on the Seals in the Accountability Seal Register.
The Board provides solicited and unsolicited advice to MYOBI, for example about the aids that MYOBI provides.
Organising compliance with the TTP policy
As part of the compliance approach, MYOBI prepares annually for the accountability cycle. During the year, MYOBI informs business users about current developments and about being accountable for data protection, provides training modules aimed at accountability and facilitates meetings. The accountability cycle uses the last months of the accountability year and the first quarter of the new year to obtain:
- The self-declaration of the management;
- The confirmation of the self-declaration by the data protection officers (DPOs); and
- The execution by MYOBI of the plausibility tests on the self-statements.
MYOBI strives to include the results of the accountability process in a company’s management statement.
The self-declaration consists of a statement about the attained maturity level and the ambition for the coming year. To make a statement about the maturity level, the management (the board) needs the baselines that correspond to the MYOBI Code of Conduct GDPR. MYOBI makes the most current baselines available in the company’s information ecosystem.
Accountability Seal Policy
The Accountability Seal Policy is part of MYOBI’s TTP policy. Based on this policy, the management of a company is accountable to society and, in particular, to the other users on the trusted network. See the Accountability Seal Register for detailed information.
Companies can apply the above approach in a company-specific and integrated manner for all compliance issues.