We find accountability obligations in legislation, contractual agreements with partners, codes such as the Dutch Corporate Governance Code, and sectoral agreements. In addition, a company policy formulated by the management often contains accountability obligations itself, or such obligations follow from it.
MYOBI’s compliance approach leads to accountability by the management for organising compliance with legal and contractual obligations. Under the motto “we can’t make it more fun, but we can make it easier”, we have made the compliance approach integral and dynamic. The aim is to reduce the total costs and efforts for compliance activities to an acceptable minimum and, where possible, to realise added value by starting an improvement cycle.
The compliance approach has the following characteristics:
- The company management adopts a law, an agreement, a code or a company policy and periodically reports to supervisors, partners or society about organising compliance with the obligations.
- The compliance obligations often lead to adapting the organisation of business activities into business processes in which management and security measures are included by default.
- Compliance means determining, by default, whether the control and security measures taken, built into business processes and supported by IT systems, function effectively.
In collaboration with data protection registrars, chartered accountants and IT Auditors from Duthler Associates, MYOBI has developed an effective and cost-efficient compliance approach for users of the Trust Network. The compliance approach can easily be expanded to a company-specific integral compliance approach.
The compliance approach to meeting the accountability obligation for organising compliance with legal and contractual obligations is part of the TTP policy. Depending on the nature and size of the business activities and the TTP Code of Conduct GDPR, the management formulates a relevant collection of standards or an assessment framework. When organising the business activities with business processes that include “by design” control and security measures, the management checks, based on the “by default” assessment framework, to what extent the control measures are effective, thus effectively protecting company and personal data.
Suppose a company applies such a compliance approach. In that case, the company’s management makes a statement about the extent to which the company organisation is compliant with legal and contractual obligations and takes responsibility for the effectiveness of the control measures taken. In other words, management is accountable or responsible for organising compliance with legal, contractual and policy obligations.
Organising the accountability obligation for managing compliance with legal, contractual and policy obligations becomes more effective by:
- Knowing all relevant company-specific obligations and translating them into an integral collection of standards: functional requirements for management and security measures.
- Incorporating the management and security measures “by design” into business processes.
- Including the compliance measures “by design” in business processes so that they demonstrate compliance “by default”.
- Establishing an appropriate accountability mechanism.
The principles for the compliance approach are logical and are in line with legislation aimed at protecting the company and personal data. Therefore, it is a logical consequence that MYOBI has included the TTP Code of Conduct AVG in the TTP policy. This code of conduct was created as intended by the European legislator in Articles 40 to 43 of the GDPR and related guidelines from the supervisory authorities.
If the accountability obligations of the company management for organising compliance with legal, contractual and policy commitments in the field of processing company and personal data are in line with the annual regular financial, tax, statistical and banking reports, the following synergy effects arise:
- The company management sends management and employees a single questionnaire covering several accountability obligations, instead of a separate list of questions for each accountability obligation. The benefits of less annoyance, less time spent and lower costs speak for themselves.
- Depending on the scope of the business activities, the management must account for the organisation of the business activities in the management report (Article 2:391, paragraph 5 of the Dutch Civil Code); in particular, the effectiveness of the control and security measures taken in business processes aimed at protecting the company and personal data. The compliance approach explicitly considers the broader accountability obligations of top management.
- The compliance approach is in line with a company-specific compliance program. A compliance program consists of a summary of investigations aimed at effectively organising business activities. When outsourcing processing to processors or developing IT systems with which the company management supports business processes, investigations are carried out into applying effective management and security measures “by design” to protect the company and personal data. Companies often organise changes to their business activities in an “agile” way. Substantial added value is created if the compliance program connects to these agile change projects.
In short, the company management receives the most added value if the compliance approach is in line with the usual periodic cycle of accountability processes and the company agenda for preparing and implementing changes in the organisation of the company’s activities.