Building your business in accordance with all the rules is vital, but… let’s admit, it can potentially be painful. Our Chief Legal Officer, Arina Tsekanina, highlights the compliance issues that SMEs face.
The process of becoming compliant can indeed be dynamic and fragmented, with so many levels that it turns into a real headache for small and mid-sized enterprises. More than that, it is resource-intensive and time-consuming. With stricter legislation over time, it is evident that compliance costs are growing exponentially.
Take, for example, the data protection regulations, which recently caused a global stir by shaking the digital and legal world. For companies, data protection compliance went from a ‘nice-to-have’ feature to a mandatory one. Whether a company should comply is not even a question of its size: if it processes data, even to the slightest extent, that speaks for itself.
The complexity of compliance depends on the territorial applicability of legislation. GDPR does not leave non-EU companies in the shadow, quite the opposite – it pays specific attention to your EU customers rather than to your company’s officially registered address. So, whether you are in Germany or in Chile, as long as you process the personal data of EU customers, you have to comply. The transparency of processing required by GDPR includes, among other things, clear identification of the bodies that handle customers’ personal data, as well as the distinction between ‘controller’ and ‘processor’. This can be a tough one when the processing is outsourced to numerous entities at the same time and the company is not keeping track of the data flows.
Companies should remember that if they operate on the international market, they have to comply with the laws of different jurisdictions. They not only have to think about GDPR, but also identify their markets of operation and research whether their company is subject to specific data localisation or data retention laws. This is the point where things might get a bit messy, especially if the applicable regulations overlap. First of all, this involves the tension between AML and GDPR provisions: AML requires data retention, while GDPR does not allow data to be processed for longer than is necessary for the purposes for which the personal data is processed.
The question of consent has grown big in IT, starting with the common cookie-use consent and moving to consent to the processing of data collected by IoT devices, which are becoming increasingly vulnerable following the amended data protection laws. And of course, where records are documented, the accountability requirement applies.
Protection of collected data cannot be ignored anymore, nor can data flows be chaotic. At BASIS ID, we recognise how problematic it can be for SMEs to follow all the rules. BASIS ID makes the process of handling huge amounts of data easy and smooth. Alongside specifically designed GDPR and AML features, we offer guidance and consulting to our clients on how to process their data lawfully. Our system allows data subjects to see the flows of their data and control access to it, and our clients to handle data systematically within a centralised setup.
BASIS ID is not only a KYC solution. It is also your right hand in data protection compliance.