The EDPS Conference 2022 recently took place. This year’s topic was ‘Effective enforcement in the digital world’. There was talk and discussion for two days about how to effectively enforce the GDPR. I saw representatives of the EDPS, EDPB, EC and client organizations pass by. Max Schrems was also there. I heard the struggle about enforcement and how difficult it is for a citizen to get justice because the possibilities for enforcement are limited, mainly due to budget problems of the national regulators. Powerful words were spoken such as ‘there is a law and institutions are appointed to enforce’ and ‘the DPAs have to make it work!’
Authority for Personal Data
And as a good citizen I heard this. I felt even lonelier than when the Dutch Data Protection Authority (AP) indicated that they have no time for my complaints, they have more important things to do. The latter was not said literally, but it does express my feeling at the time. I had had an extensive discussion about the use of my personal data with several companies that I believe violated the GDPR and did not want to change their behaviour. The GDPR then offers the option of having your national supervisor help you. But what if this doesn’t happen?
As a citizen you can then go to court to compel enforcement. But that didn’t seem easy to me. That is why I wrote to the Ombudsman and presented the complaints. From that side it has been quiet for half a year. Even after several reminders, it remains silent. It doesn’t make this citizen feel good.
Back to the EDPS Conference. The title of the conference gave me good cheer. Is it really going to happen? The will is there, but enforcement, and in particular effective enforcement, is not yet getting off the ground. What struck me while listening is that no one mentioned the accountant, even though the accountant also has an important role in enforcing legislation and regulations.
The (certifying) accountant has to adhere to a number of rules. These include Standard 250 (ISA 250), which deals with “Consideration of Laws and Regulations in an Audit of Financial Statements”. The annual accounts can be called the most important financial statement. The requirements of this ISA are designed to help the auditor identify material misstatements in the financial statements due to non-compliance with laws and regulations. The company is ultimately responsible for compliance, but the auditor is expected to detect material misstatements.
In the explanatory notes to Standard 250, ‘data protection’ is explicitly mentioned as an example of legislation a company must adhere to. The Dutch Data Protection Authority (AP) can fine organizations that violate the GDPR up to 20 million euros or 4% of worldwide annual turnover. The fine the DPA can impose can therefore become so high that the amount is material to the auditor’s assessment of the annual accounts. A data breach can also lead to a mass claim by the data subjects, which can amount to a multiple of the regulator’s fine.
Standard 250 only applies to listed companies. As an accountant you can then think and act very narrowly, but you can also use your free (and sensible) mind to apply the essence of this Standard to other engagements. SMEs also have to comply with laws and regulations, and they too run financial risks in the event of non-compliance that can threaten their continuity.
Consider, for example, the compilation engagement. An accountant who does not establish whether the company complies with the GDPR is working without a head.
An objective impediment (a scope limitation) exists if insufficient appropriate audit evidence is available to the auditor. According to the audit guidelines (COS 710:7), an objective impediment can lead to a qualified auditor’s report.
If a company does not know, or knows only insufficiently, which personal data it processes and where this data is, then in my opinion it cannot be said with a straight face that the personal data is adequately protected as required by the GDPR.
For the accountant this should also mean that he/she has to make sure that the company complies with the GDPR. In my opinion, a company that has no AO/IC (administrative organization and internal control) and no compliance set up for the protection of personal data cannot receive an unqualified opinion.
Data Protection Officer
The Data Protection Officer (DPO) has a statutory duty (GDPR Article 39) to monitor compliance with the GDPR and the company’s policy for protecting personal data. The DPO reports the state of affairs (at least annually) to the management and has a file to substantiate the opinion.
In practice, however, it strikes me that the accountant often does not contact the DPO, even though the accountant could avoid much of his/her own work by relying (after testing) on the work of the DPO. As a result, the accountant may state in the management letter that the company complies with the GDPR, while the DPO (demonstrably) arrives at a completely different opinion.
It is therefore simply smart for the accountant to contact the DPO and inquire about the results of the DPO’s supervisory duties. The accountant also helps the DPO by noting in the management letter, where necessary, that too little is being done with the DPO’s findings.
And last but not least
Compliance with the GDPR is the sole responsibility of the company’s management. Even if the supervisor is not behind you with a stick. A company should feel an intrinsic responsibility to protect personal data.
The auditor and the DPO are both appointed to serve the community: the DPO directly, by serving the interests of the data subjects, and the accountant by testing the financial result of the company, including against the legislation for the protection of personal data.
If the company has not properly organized the protection of personal data, the DPO and the accountant must point this out. For the auditor, the objective impediment or risk of a fine or a claim may be a material reason to refuse the compilation engagement or not to issue an unqualified opinion.
MYOBI offers a trust network that companies and individuals can join who do find it important to protect personal data appropriately and to be accountable for this, internally and to the partners in the network. MYOBI supports companies with a code of conduct, an accountability methodology and tools. The company’s DPO plays an important role in this.
Would you like to know more?
Would you like to know what we can do for you in the field of the network of trust and accountability? Feel free to contact us or our specialist Caroline Willemse.