The accountability mechanism is based on the accountability obligation of the management as elaborated in, among other things, Article 5, second paragraph of the GDPR and the usual financial, fiscal, statistical, banking and social accountability obligations. Fulfilling the accountability obligation for organising compliance with business obligations is an internal control matter. No audit work aimed at an assurance product is therefore required.
The accountability mechanism of organising compliance with business obligations relies on the effectiveness of internal controls implemented in business processes. In the figure below, we have elaborated the mechanism for protecting the company and personal data and accountability for the truthfulness of financial data.
Management formulates (1) policy, indicating the extent to which legal and contractual obligations will be met. The policy provides direction for the effective organisation of business activities through (2) business processes (in supporting IT systems) in which appropriate (3) management and security measures are included ‘by design’.
A compliance mechanism is developed in which the demonstrable continuous effective operation of the control and security measures taken is measured and recorded ‘by default’. The recording, or the (4) privacy & security accounting with proof of effective operation, forms the basis for the management to account for itself to society with a (5) Declaration of Accountability (DoA).
The Declaration of Accountability (DoA) forms the basis for:
- The Accountability Seal that management publishes in the Accountability Seal Register on the MYOBI website. With this, the management complies with the organisation of the legal accountability obligation to society.
- Specific accountability to data subjects, regulators, and a section on protecting corporate and personal data in the (6) board report of a corporate entity subject to audit.
The data protection officer (DPO) gives the company management (not without obligation) advice on formulating the data protection policy. They also ensure that the implementation of management and security measures in business processes, supported by IT, leads to the adequate protection of confidentiality, reliability and availability of personal data. The company management often also wants such protection for company data (company information and trade secrets).
The DPO supervises the management of the register of personal data processing activities. The register is part of bookkeeping in which the department management records proof of the effective operation of the control measures taken and the data leaks and management and security incidents. This privacy and security accounting forms the basis for formulating a Declaration of Accountability (DoA). The following officials confirm the DoA:
- Board – self-declaration.
- DPO – confirmation of the Board’s self-declaration.
- Possibly Internal Audit/Compliance – confirmation of the self-declaration of the Board.
MYOBI’s compliance professionals perform a plausibility check on organising the accountability obligation using an effective compliance approach.
As part of the TTP policy, the compliance approach involves accountability for the company’s fulfilment of obligations to its partners and partners. We can think of a company’s information ecosystem as a trusted network between partners. The following examples make this clear:
- In the context of protecting personal data, a legal accountability obligation to society is the responsibility of the controller, including the underlying (sub) processors of the personal data. Social intercourse consists of the persons whose data the controller processes or has processed the supervisor.
- In the context of responsible business operations, a company wishes to make agreements with partners about the processing of company data, in particular trade secrets and intellectual property (the crown jewels of the company).
Because partners are accountable for compliance with the TTP policy, particularly the Business and Personal Data Agreement, they are also responsible for the quality of their own business and personal data, at least for the quality of the data they bear responsibility in the sense of the law. An essential part of the Business and Personal Data Agreement is the obligation that all users of MYOBI are responsible for the accuracy, timeliness and completeness of their business and personal data in the Trust Network. As a result, companies can rely heavily on the integrity of this data from their partners. This also means that the information ecosystem and thus the Trust Network can function as a sales channel for sales, purchasing as a purchasing channel, and HR as an essential channel for its personnel management, among other things.
 NB. It is the benefits of deploying MYOBI Trust Service and the compliance approach performed by the professionals at Duthler Associates on behalf of MYOBI.