Fines in a nutshell
On a non-technical front, GDPR fines are imposed through two tiers of administrative fines. The first is a maximum of 2% of global annual turnover or 10 million euros, whichever is higher, while the second is 4% of global annual turnover or 20 million euros, whichever is higher. The salt in the wound will be the fact that the percentage calculation is the global annual turnover, and not the operations in a specific nation where the breach occurred. The consideration of the preceding year’s turnover as the basis for calculation will come as little or no relief, in most cases.
The EU privacy act in a nutshell
Organisations that deal with data of entities of the EU are classified as Data Controllers and Data Processors. Compliance refers to the following applicable aspects for data controllers and data processors.
- The act lays down rules on the use of personal information. In other words, it relates to data that can be used in identifying an entity through some means.
- The privacy law mandates that consent be sought for storing personal information, with intimation regarding the nature of information held.
- It permits individuals to request that information about them be erased, i.e. the request of individuals to be ‘forgotten’ needs to be granted, with the exception of certain types of transaction/records.
- The act mandates the adherence to laid down procedures to notify the designated authorities when data is stolen or illegally accessed.
- The data collated is never to be used for any purposes other than the reason for which it was sought in the first place. The data, after its use, needs to be securely deleted.
These are the basic, broad regulations that are applicable to Data Controllers and Data Processors.
Processes determine compliance and not location of data processors
The very fact that the Act pertains to the data of EU entities may give rise to speculations that data processors outside the EU will have to submit to increased scrutiny. It is the processes and procedures that determine the compliance and not the location. In a technology-driven world, offshore, remote working and outsourcing are the buzzwords when it comes to improving performance and cost-effective nature of operations. It is therefore incumbent upon data controllers to use the services of outsourcing companies who are compliant with GDPR through the right processes. The need for compliance is the need of the hour, and the location is not the criteria. A data processor based in the EU may turn out to be non-compliant, resulting in fines on both the data controller and data processor. Whereas, a data processor outside of the EU may be fully compliant. This underscores the fact that location is not the criteria, but compliance.
How accounting companies can turn compliant?
GDPR, by virtue of being a regulatory law, can impose administrative fines on data controllers and data processors. Accounting outsourcing companies need to understand that becoming compliant with the GDPR is actually beneficial. Not only will it help to avoid possible fines, it will actually help to improve the security of operations and thereby prevent data loss, which can adversely impact accounting outsourcing companies through serious loss of reputation. GDPR compliance not only keeps exposure to fines lower, it actually improves the levels and layers of security. What should ideally have been a voluntary improvement from companies has now become an enforced option. Here are some of the basic actions that need to be taken by an accounting outsourcing company to turn compliant with the GDPR.
- Companies need to ensure that data is protected by design, and by default. This effectively means that the processes in place should be specifically designed to protect the data of EU entities, and that this protection should be a process by default.
- Companies need to designate a data protection officer who will ensure that the above processes are enforced. This can involve a tool based approach to map the data that is being processed and monitor the same.
- Standard operating procedures need to be put in place and enforced to ensure that data protection meets all compliance requirements.
- Companies need to periodically conduct training and orientation programs to raise awareness on the regulations and ensure that compliance measures are not slack at any point of time.
- The audit procedures and authentication tools need to be strong, ensuring that access to information is restricted to only those resources and processes that are necessary.
- Accounting companies need to prove their intent to be compliant. This will prove to be a mitigating factor in the unfortunate event of any violation, by proving that all efforts were taken to protect the data.
- The data lifecycle has to be managed as per the requirements of the act. This means that old processes need to be discarded and replaced with new processes.
- Companies need to set up an effective hierarchy/system to manage incidents and transmit information about such incidents to the concerned authorities and the entities whose data was compromised, within the stipulated time of 72 hours.
- Companies need to establish a chain of command, a channel to transmit such messages and carry out checks periodically to ascertain effectiveness of the channel/system.
Accounting outsourcing companies offer manifold benefits to businesses through operations, and GDPR compliance will help to improve the security of processes, while preventing administrative fines. Companies need to become fully compliant to be able to continue leveraging their expertise and cost effective solutions as part of deliverables.
People Also Search:
What happens to companies that fail GDPR compliance?
GDPR and accounts outsourcing: consequences of working with a non-compliant partner