How Has Accountor Prepared for the GDPR?

We have acknowledged and identified at early phase that the GDPR will have material impacts on our services and processes. We have initiatives to ensure that we are doing correct activities and that we have sufficient resources to achieve GDPR compliance. Therefore, we have initiated a group wide GDPR project in 2016 to implement applicable requirements into our daily operations.

We have cultivated our privacy culture by building a comprehensive privacy framework starting from Privacy Policy approved by our Board of Directors, as well as, drafted relevant instructions, guidelines and implemented those into our daily operations.  Accountor’s top management is firmly following all initiatives for strengthening our responsible business manners including implementation of the GDPR. Each of our business unit is responsible for the implementation of data protection in their operations by taking into account applicable data protection requirements and the nature of our business. This also includes documentation, personnel awareness, and training as well as process and system changes in the existing operations. Existing agreements will be reviewed and required updates concluded where necessary.  

Data Protection Officer and Other People Responsible for Data Protection

We have nominated a person in all our units and companies who is responsible for data protection in their respective business. Moreover, we have appointed a Data Protection Officer for the group who supports and advises units in their data protection activities. A data protection officer

  • develops and secures the implementation of data protection
  • informs and instructs the management of their obligations
  • monitors compliance with the applicable legislation

Together with other dedicated resources, all our units are implementing the GDPR requirements where necessary in connection with their own projects and initiatives. Progress of the GDPR project is reported to our Chief Operating Officer.

Privacy Framework, Documentation and Internal Training

We have built a group wide privacy framework starting from Privacy Policy and moved gradually into detailed guidance and interpretations on, inter alia,

  • individual’s rights,
  • data protection impact assessment and
  • a valid consent.

Group level tools and methods are available for units to ensure their processor’s GDPR compliance or for conducting a data protection impact assessment. New agreement templates are also prepared be used in sales and in procurement.

Additionally, we have documented our processing activities in different organizations in accordance with the requirements. For example, a detailed roadmap for each unit has been prepared in order to close gaps between existing processing operations and the requirements have been identified.

In addition, we continuously train relevant stakeholders in each unit in order for them to understand the GDPR and respective obligations better. The specific GDPR training material has been prepared for all Accountor’s employees in accordance to their respective duties.

Units Implementing the GDPR

However, we have very different units and companies in Accountor Group. Since each unit is responsible for their own implementation activities, they are at different stages in their implementation activities depending on amongst other their maturity and organizational structure. For example, some units are currently updating their customer agreements and some are still in the planning phase. Further, some units are conducting data protection impact assessments for their existing processing operations while some are still defining their internal process for such purpose. 

Further, units are working with system development in order to implement individuals’ rights in each system. The implementation of activities is followed regularly and reported to our top management.

Information Security

Since the security attacks are continuously getting stronger, it means that our security must be constantly monitored in order to stay protected and insulated from evolving threats. The impact and risks of personal data processing are assessed before starting processing and thereafter when needed, so that data protection is embedded into and maintained in all operations.

Furthermore, we plan to build data protection safeguards into our products and services from the earliest stages of development. We are currently in a process to build Group level Information Security Governance framework to cover all business operations and units. Group wide incident management process is under preparation and a potential tool for those purposes is piloted.

Data protection activities are documented appropriately and reviewed on a regular basis. Our aim undoubtedly is to be GDPR compliant

  • in all identified activities in our systems, processes and necessary documentation
  • in existing instructions and guidelines
  • in a timely manner before the regulation enters into force in May 2018