Data Protection in Accountor
Accountor is a professional service provider who takes its responsibility to comply with applicable laws and regulations valid at the given time, as well as any rules and decisions imposed by relevant authorities. This applies also processing of personal data, no matter in which role the processing is carried out. In other words, whether Accountor is acting as a data controller, or as a data processor engaged by the data controller. Each business unit is responsible for the implementation of data protection in their daily operations. Taking into account appropriate and relevant data protection requirements, units will instruct their employees and establish their processes and procedures accordingly. In order to ensure the security of personal data, appropriate safeguards and measures are established in Accountor. Several units use independent third parties to conduct security audits regularly.
GDPR
General data protection regulation EU General Data Protection Regulation (”regulation” or “GDPR”) will tighten requirements for the processing of personal data as well as bring completely new obligations for companies. At Accountor we have initiated a project in 2016 to implement GDPR requirements into our daily operations. Progress of the project is reported to the Chief Operating Officer. We have nominated a person in all our units and companies who is responsible for data protection in their respective business. Together with other dedicated resources they are implementing the GDPR requirements where necessary. The project includes different flows including documentation, personnel awareness and training as well as process and system changes. In addition, we have recruited a Data Protection Officer (DPO). With her extensive knowledge on privacy within the telecom and ICT sector, she has strengthened our data protection resources and the project as a whole. As planned our units and/or companies will continue to identify and analyze detailed development activities that are relevant in order to comply with the regulation. For example, our aim is to identify systems wherein data portability functionality is required or information systems that require an increased security level. The implementation of agreed activities in the units will be followed by the DPO and reported regularly to the top management. Vendor management and some contractual changes into our service agreements are required by GDPR. We have recognized the need to update our agreement templates and associated instructions. Existing agreements will be reviewed and required updates concluded where necessary.
Implementation
Accountor aims to implement a process for a data protection impact assessment. Such a process would be mandatory in our system and product development. Therein risks related to the processing of personal data will be described and analyzed in order to ensure compliance with the regulation. As part of the project we will continue to train our personnel on data protection. In addition, certain key stakeholders (e.g. in development and marketing operations) will receive further training in accordance to their respective duties. We have drafted and updated our internal instructions and documents on data protection and data security. We also aim to describe the implementation of data protection in our privacy statements and notices as well as product documentation in order to ensure that transparent information on the processing of personal data is always available both for our enterprise customers and individuals. Accountor will closely follow any development on data protection laws, including a reform of EU ePrivacy regulation, and the authorities’ interpretations and opinions on GDPR. All identified activities (in systems, processes and documentation) that are necessary to meet the GDPR requirements, will be implemented in a timely manner before the regulation is applicable. For more on Accountor’s data protection policy, click here.