Within hours of GDPR taking effect, Google, Facebook, Instagram and WhatsApp were facing the prospect of being fined to the tune of $9.3 billion. It is hard to imagine that the tech giants had fallen foul of the data protection regime. This puts the spotlight on organisations that deal with the data of EU entities. Regardless of where a company is located, the privacy law can impose penalties in either of two tiers. Before we take a look at the implications of working with a non-compliant partner for outsourced bookkeeping services, let's first look at the relevant provisions and definitions of the GDPR regime.

Data controllers – any business or organisation that holds EU data becomes a data controller. This effectively means that an organisation that outsources any task to a third party will be deemed to be a data controller if the task involves EU data in any form. It is important to note that this applies to any company regardless of its location.

Data processors – any business or organisation that processes EU data will be deemed to be a data processor, regardless of location. Under this definition, all third parties that function as outsourced bookkeeping services and handle the data of EU entities fall into the category of data processors.


Responsibility of data controllers

The regime clearly specifies that data controllers need to rely on the services of only those outsourced accounting companies (read data processors) that are fully compliant with the various provisions of the GDPR act. In other words, the onus of ensuring the compliance of the outsourced accounting company (data processor) lies with the data controller. This effectively means that non-compliance by the data processor will also have implications for the data controller, and the liability will rest on the data controller as well.

Extent of penalties

Two levels of fines can be imposed on entities, both data controllers and data processors: 2% of total worldwide revenue of the previous financial year or €10 million, whichever is higher, and 4% of total worldwide revenue of the previous financial year or €20 million, whichever is higher. The level of the fine is determined by the nature of the violation of the GDPR act. Negligence is on the lower end of the threshold for fines, while wilful intent is on the higher end of the threshold.


Direct implications of dealing with a non-compliant outsourcing partner



The most direct implication of dealing with a non-compliant partner is the penalties that may be payable in the event of a violation by the data processor (in this case the outsourcing partner). As mentioned earlier, the data controller (the organisation outsourcing the task) will also be held liable for the actions of the outsourcing partner. Irrespective of the level of fines, it is important to note that a 2% or 4% penalty on worldwide turnover can be debilitating.

Client confidence

The imposition of a penalty under the GDPR act will shake the confidence of clients. In an era of heightened competition, it is hard to imagine a company recovering lost ground after having lost its reputation. Clients will certainly not look forward to the prospect of dealing with a company that is compromised on data security, either directly or indirectly. Additionally, clients would certainly not want to find themselves or their operations embroiled in the various processes that may arise as a result of the penalties.

Impact on routine processes

The impact on routine processes is an indirect implication of non-compliance with the GDPR act. For instance, a company that has been deemed to be in violation of the GDPR act will have to temporarily suspend operations till the processes are set right. This disruption in operations will affect not only the company but also its clients. And clients will never be comfortable with the idea of having to sit out the suspension of operations till processes are set right.

Will location of data processors make a difference?

Contrary to the perception that the location of financial accounting outsourcing services has a bearing on compliance, the processes are the only governing factor. For instance, a company may outsource to a partner in the EU and still be fined if the partner is not compliant with the regulations. A partner working out of a non-EU nation may be fully compliant and consequently may not attract any penalties. It is therefore the processes that matter and not the location of the financial accounting outsourcing services.

Potential intangible effects of penalties

An organisation that has been levied a fine due to the non-compliance of an outsourcing partner will find itself facing a steep increase in insurance premiums. Combined with the effect of disruptions in operations and the possible attrition of clients, this could deal a debilitating blow to operations. Companies therefore need to carefully consider the capabilities and compliance of outsourcing partners.

Compliance audit of partners to prove mitigating circumstances

Organisations and companies that outsource tasks need to carry out a comprehensive compliance audit of partners. This will ensure that the sword of Damocles in the form of fines does not hang over the data processor or data controller. By insisting on a compliance audit, organisations can preempt an IT disaster in addition to proving mitigating circumstances. Mitigating circumstances have an impact on the levy of penalties. The 2% and 4% calculations are the upper threshold of the fine. By proving intent to stay compliant, organisations can ensure that they are not fined heavily.


Organisations and companies need to have a robust system in place that will report an incident immediately to the relevant authority. These aspects need to be fully understood and followed to prevent adverse impact on operations. The primary responsibility of an organisation that relies on an offshore entity is to ensure that the entity is compliant. In addition to this, it is necessary that resources are tasked with dual responsibilities, including discharging the role of a data protection officer.