Deloitte recently announced its alliance with Thomson Reuters to combine Thomson Reuters' global tax technology and intelligence with Deloitte's direct and indirect tax services to help companies address dynamic tax regulatory and compliance challenges.
"Technology is the centerpiece of the transformation taking place at many tax departments today," said Steve Kimble, chairman and CEO, Deloitte Tax LLP. "The emergence of new technologies allows tax departments to more effectively make use of data to develop insights for their businesses. Our alliance with Thomson Reuters will strengthen the link between tax and the broader organization, allowing the tax function to make an even greater strategic contribution to the business."
The ONESOURCE corporate tax technology platform is a critical component of the tax ecosystem, enabling tax compliance and reporting in 180 countries. Deloitte's integration of this market-leading technology platform with its tax consultancy insights will provide businesses with solutions to enhance their specific tax lifecycles. Enhancement areas include global compliance, reporting and risk management for corporate taxes, sales tax and other indirect taxes.
"In today's complex regulatory environment, tax technology enables businesses to simplify their tax processes, drive down operating costs, while simultaneously ensuring accurate and transparent global tax compliance," said Joe Harpaz, SVP and managing director, corporate segment for the tax and accounting business of Thomson Reuters. "We have joined Deloitte's alliance program to bring to market joint solutions that leverage our ONESOURCE global tax technology and applications with Deloitte's tax services to help businesses meet the current and pending challenges of multijurisdictional tax operations."
The alliance expands a longstanding relationship between Thomson Reuters and Deloitte. Deloitte is part of the Tax & Accounting Certified Implementer Program at Thomson Reuters, a training and support service for leading accounting and consulting organizations to provide implementation assistance for Thomson Reuters software products. Deloitte is certified in all of the Thomson Reuters ONESOURCE tax solutions.
Deloitte professionals have also won Thomson Reuters' annual "Taxologist of the Year – Certified Implementer" award the past two years for being the top certified implementer. Deloitte's clients have also won other categories of the Taxologist Awards through their demonstrated ability to increase tax department effectiveness using ONESOURCE.
Written by Justin Baxter, Neil Adams and Neil Mockett from Crowe Horwath
With only 12 months left until the new GDPR regulations come into force, many organisations are already busy, preparing for May 2018. But for others, the challenge is still about getting started with a proportional approach that will enable sufficient progress in the time remaining, and provide a defensible position in the event of any breach or incident. Unfortunately, there is no blueprint for easy compliance and no easy, plug-in solution. Each firm will have a different starting point and will therefore need to determine its own approach.
The ICO has described GDPR as a “journey”. This is very true, however, it is one that is best prepared for by taking into account some practical advice.
Give GDPR the level of sponsorship it deserves. Compliance with GDPR regulations, and data protection more generally, should be regarded as a key operational risk. As such, the board should appoint a member of the management committee to oversee progress. The potential for significant fines, exposure to legal action, and the inevitable bad publicity and reputational impact, should an incident occur, necessitates senior management oversight. However, GDPR is also about the rights of the individual, and the expectations individuals have of the firms holding their data and acting as custodian. Therefore, GDPR is also an issue of ‘conduct’ which, as Financial Services firms know all too well, can cause significant problems with the regulator if not taken seriously.
As with any business change, the direction, drive and tone from the top can be one of the main differences between success and failure, so it is worth ensuring you have the right sponsorship in place.
Getting started. There are many reasons why plenty of firms are struggling to get started. However, one of the key issues is that GDPR is a principles-based regulation and, in addition to detailed guidance on a number of key areas still being a work in progress, the regulation is, quite simply, open to interpretation. As a result, in the absence of a more prescriptive GDPR “instruction manual”, organisations need to determine for themselves what GDPR means. This includes the organisation deciding where to set the “bar”, especially in areas where the regulations refer to rather unhelpful terms such as “appropriate” or “sufficient”.
Really understand what happens to data across the organisation. This is such a simple statement to make, yet it is an absolutely critical starting point. Organisations have to be brutally honest about the personally identifiable data they have, why they need it, where it came from, how it is used, where it is stored and where it goes. For many organisations, performing this step is a daunting prospect. However, firms do not need to take a ‘scorched earth’ approach to understanding their data - even some high level work will most likely reveal where the key areas of concern exist.
Gaining this understanding as early as possible will prove extremely insightful, and should form the basis of many other areas of work over the next twelve months.
Identify the areas of greatest impact. Although GDPR introduces a number of new requirements, for example in relation to gaining consent, or customer requests such as the right to ‘erasure’, much of it is not actually new and it is really just an extension of the core principles of the existing Data Protection Act (DPA). An organisation’s existing maturity against the DPA will therefore have a significant bearing on the breadth and depth of scope that needs to be addressed under GDPR. In the absence of a detailed or recent DPA gap analysis, almost every organisation will have one or more open audit points relating to data protection, which is usually a good place to start.
Invest time upfront in developing formal data protection related policies and standards. Strong governance is important for lots of reasons, and well written policies and standards provide the foundations of good governance. In the case of GDPR, investing time early on to revise existing data protection policies to ensure they address the requirements of GDPR will help create clarity and focus for the organisation, and a point of reference against which compliance can be assessed. The exercise will also inevitably produce some surprises in terms of other related policies that will need to be amended to address GDPR, such as HR, Procurement, Outsourcing, and Information Security.
If in doubt, complete a Privacy Impact Assessment (PIA). The principle of embedding is key to successfully implementing any change, and in support of this aim for data protection, the ICO published guidance in 2014 on the use of PIAs as a business-as-usual (BAU) “tool”. In effect, a PIA is a structured assessment of a given business situation with the explicit purpose of assessing the level of data protection related risk. Though originally conceived as a tool to be used in BAU, completing a PIA against areas of concern or uncertainty as you work towards compliance can be a very powerful, and extremely revealing, approach.
Model your response to Customer Requests. Subject Access Requests (SARs) are not a new concept. But GDPR means they will become free of charge for members of the public. GDPR also introduces new customer rights, around areas such as portability and erasure. Therefore, it is reasonable to expect that volumes of customer requests will increase after May 2018. To address this situation, it is key to establish what would be involved in providing the information outlined in the regulations, including for the new request types. Also key is the testing of scenarios where volumes significantly increase from historical levels, in order to understand their potential operational impact.
Don’t forget Third Parties. The changes in accountability and liability regarding Data Processors are significant under GDPR. While Data Controllers remain liable for infringements caused by their Data Processors, those Processors now also have direct duties under the GDPR. It is therefore critical for both Controllers and Processors to understand what has to happen to keep processing operations compliant. As most organisations have tens, if not hundreds, of third parties that they rely upon, this can be no small task and needs to be sized and tackled with the priority it deserves.
Information Security is key. This won’t be a surprise to most people, however, too often organisations seem to “miss the wood for the trees” when it comes to information security. There is little point spending small fortunes on leading edge IT protection systems if a firm isn’t sure it has the basics in place – as an example, look no further than the recent attack on the NHS and issues caused by the lack of recent Windows patches. Also, information security is not just about the structured data held in core systems, it equally needs to apply to physical data and the unstructured or “dark” data that resides in emails, on network drives and the Excel downloads from core systems that all organisations possess.
Staff training and awareness. Kicking off a gradual programme of awareness and training around the principles of data protection, and explaining to staff how the organisation is addressing the needs of GDPR, is essential. How staff handle data related queries with customers and third parties will be a key factor in mitigating data protection risks, and demonstrating to customers, and the regulator, that the organisation takes data protection seriously. Organisations need to be careful not to neglect the ‘people’ side of things in favour of more tangible areas such as IT.
Complying with GDPR. Complying with new regulations is almost always harder than originally expected - vague requirements from the regulator, a fixed end date and a lack of in-house experience don’t tend to mix well. In reality, given the breadth of impacts from GDPR, most organisations will struggle to address every last detail before May 2018. Though this may be true, what is key is that organisations can demonstrate they understand the size and nature of the gaps they have to address, they have a plan in place and are making good progress, and they can show the regulator, and other key stakeholders, that they are in control and are taking GDPR seriously.
Crowe Horwath is a member of the Crowe Horwath International (CHI) network of accounting, tax, risk and performance management firms. Crowe has years of experience implementing regulatory and compliance changes and helping firms refine their approach to risk management. Justin Baxter is a Partner in the London office and together with Neil Adams, and Neil Mockett, they are leading the development with clients of practical and pragmatic approaches to the challenges presented by GDPR.
Written by Justin Baxter, Neil Adams and Neil Mockett from Crowe Horwath
The deadline for the enforcement of the General Data Protection Regulations (GDPR) provisions in May 2018 has finally reached the agenda of most companies. It coincides with an increasing fever pitch in the press and on social networks regarding cyber attacks, hackers from the east, Smart TVs watching us, et al. Privacy is news. Businesses that get caught out on privacy matters are subject to huge focus in social networking circles.
The recent focus on GDPR as “something new” is a surprise though. The regulations are an extension of the UK 1998 Data Protection Act and the EU GDPR regulations were technically in force from May 2016. It is an unfortunate fact that this new regulation is turning the spotlight on how lax some companies may have been since 1998 and as a result the scale of the current programme to address GDPR provisions suddenly appears very significant.
Privacy and Security
Privacy is an individual thing. It is increasingly apparent that as individuals we need to be more aware and protect our digital existence. Firms have to accept that the “privacy train has left the station” and people are demanding more control over personal data.
Central to the issue are two core principles: the respect for privacy; and the provision of adequate security. Importantly, underlying this is the notion of custodianship. It is this custodianship that should be considered as a key corporate responsibility and one that defines the seriousness with which firms have responded. In the event of a breach of privacy, this is where the regulators will look first.
Appreciating how you are impacted as an individual is relevant. It is hard not to conclude that the provisions of current privacy laws are not keeping up with the pervasiveness of today’s technology. It is a salutary exercise to count up the number of devices connected to the internet in your home – most are capable of enabling access and extracting information. The latest concerns expressed by Tim Berners-Lee that we have lost control of our personal data are timely. Whether we like it or not, privacy matters.
Why GDPR is different
Successfully addressing the requirements of GDPR requires a number of important challenges to be overcome.
Stewardship: The CFO is no stranger to stewardship. The addition of custodianship should fit quite easily but requires absolute confidence that all preparations for GDPR are sufficient.
Lines of Defence: Executives within the “second line of defence” will have a key role in ensuring an independent perspective is maintained. Executives in the “first line of defence” will be confronted with many of the decisions and implications of GDPR driven changes and what is a proportionate response. The CFO and CEO may be drawn into debates about both areas.
Managing GDPR incidents: In the event of a breach, it will often be the CFO and CEO in the spotlight, with tensions rising as the matter may become an exercise in crisis management. Anecdotal evidence suggests that the “finger pointing” starts very quickly. At which point, it will be too late, as one of the first tests will be to evidence that reasonable steps had been taken to prevent the incident happening.
All these points will test a firm’s approach to risk and risk appetite for data protection related activity. At the end of the day, data protection is just another operational risk.
It starts with taking the view of the customer
In assessing any privacy issue, the key question is “What would you have expected the firm to have done?” Fuelled by privacy stories, customers will learn quickly of their rights and will have expectations of what response they will get when approaching your business to exercise these rights. They will also assume that should something happen it is controlled and they are informed. Firms need to beware of the power of the customer to disrupt; especially with the viral nature of social media. The inclusion of the customer view from the outset will mean that this dialogue, should it arise, will better reflect the intended approach of the firm. Custodianship is a serious responsibility.
Pragmatic steps to ensure appropriate oversight and control
Senior executives should own the GDPR programme and maintain a keen eye to ensure it does not drift into a purely second line compliance project.
Progress assessment: The hardest question to answer in absolute terms is “when will we be compliant with GDPR?” A number of dimensions can be constructed around some simple principles: the less sensitive data you lose, the more manageable the response; the more that you understand what personal data you have, the better you can secure it; the more information you can provide about a breach, the more likely you will receive an empathetic hearing from customers and regulators. Measures should be designed to help people understand “how far” you have secured a reasonable position. It will focus minds.
Risk-based approach: It will be essential that a risk-based approach to GDPR related decisions is taken. Decisions on data minimisation and retention periods, for example, will expose tensions between the need to comply and the commercial and practical implications of deleting customer data.
Governance and Accountability: The GDPR regulations assume an ongoing commitment by the firm to embrace privacy and security responsibilities. There is no big bang and therefore, arguably, no obvious finishing line. The voice of all stakeholders across the GDPR programme needs to be represented through to the Board.
Measuring operational impacts: There will be operational implications should customers past and present exercise their new rights under GDPR. For example, early indications suggested that there would be a 25 – 40% increase in the number of Subject Access Requests. To this number needs to be added an estimate for the new provisions (including the right to be forgotten, portability etc.). Will current response processes be up to it?
Pragmatism is the watchword: Implementing regulatory change is not straightforward. A pragmatic and practical approach is essential to overcome many of the issues that will be raised. The risk of projects becoming detached from the realities of running a business is high: the message of effective custodianship will help. The firm must demonstrate and justify the pragmatic judgements taken on the journey towards their compliant position. Permitting every possible aspect to be debated at length will likely result in compliance paralysis. Therefore, the importance of proportion and measured decision making cannot be overstated.
Personal data is an asset and companies are the custodians. The expectations we have of how other organisations handle our own personal data should influence our own roles within our organisations. The way we work with colleagues to achieve a level of assurance and mutual confidence is key. There are effective ways to think about and implement regulatory change, which need to ensure that the response to the various challenges of GDPR as outlined above is appropriate, measured and reasonable. In the event of having to react to any privacy incident, having a clearly agreed position on the custodianship responsibilities will be a good place to start a defence.
It’s true to say that the role of HR in the modern business landscape is shifting, as modern workplace culture continues to be re-defined.
Millennials have challenged the status quo of the conventional workplace, and HR has responded by implementing a ‘customer-centric’ approach, aiming to consistently provide a great employee experience.
This has led to a more relaxed approach, and to traditional HR functions such as recruitment, retention and development being combined with the creation of a unique office culture, and with communications, marketing, branding and social responsibility.
But while it’s down to HR professionals to help drive this ethos, it cannot be at the cost of legal HR obligations. The common pitfall, particularly for start-ups or SMEs with little knowledge or experience of HR, is actually the most basic administration, such as providing a watertight, comprehensive employee contract and statement of particulars, which at their most basic should include details of salary, hours of work, holiday entitlement and notice periods. If you are dealing with your HR in-house, it is best practice to have a professional oversee these legal documents as a preventative approach to disputes.
Thanks to a political and media spotlight on a global level, migrants and working rights have come under scrutiny. This is an area that businesses need to make a priority because ultimately, they take the full brunt of the consequences for employing individuals who didn’t have a right to work, whose leave had expired, who were employed for work they were not allowed to carry out, or whose documents were false.
The result is hefty fines and damage to your brand – and the latter can prove to be just as costly. In 2015 the fines issued by the Home Office equated to £21.6 million, and it wasn’t just small companies that have been found guilty of employing illegal workers; Tesco has previously been fined for employing foreign students who were breaking the conditions of their visas.
Millennials and modern culture have also seen a shift in the way that many businesses recruit, and in the entire recruitment process. Out are the questions with a very specific ‘right or wrong’ style of answer; while experience and qualifications are not completely dismissed, progressive employers want to find a culture fit and an alignment of values and vision to ensure the arrangement is mutually beneficial. Aspects such as technology and social media are driving the change (while also throwing up some tricky situations of their own!), but recruiters need to remain vigilant in their processes in order to guarantee that they are not acting in a discriminatory manner – whether they are aware of it or not.
To shed some light on the most common areas where businesses fail, we have created an interactive quiz that aims to show where your business could be falling short in its HR practices.
Competition compliance programmes must take account of the FCA’s rules for mandatory self-reporting of existing or potential competition law infringements. Here Finance Monthly benefits from exclusive insight, written by James Marshall and Marieke Datema of Berwin Leighton Paisner (BLP), who take a look at the powerful toolkit at the FCA’s disposal and explain what it means for firms in the year ahead.
A heavy use of market studies
Since acquiring a competition mandate in April 2013, the FCA has conducted several market studies. These allow the regulator to ‘peer behind the curtain’ in any given market to identify structural competition, consumer or market integrity concerns. In just over three years, the FCA reviewed insurance add-ons, cash savings, credit cards, retirement income, investment and corporate banking, asset management and residential mortgages.
The FCA has a uniquely powerful toolkit; it can use either sectoral (Financial Services and Markets Act 2000 (FSMA)) or competition (Enterprise Act 2002) powers to conduct market reviews.
To date, all FCA market studies, including those launched after the FCA acquired concurrent competition law enforcement powers in April 2015, have been carried out using FSMA powers, rather than pure competition powers under the Enterprise Act. The FCA chooses the most appropriate power on a case-by-case basis. In practice, the FCA enjoys the ‘best of both worlds’, in that it can pursue competition-focused investigations using extensive data-gathering powers under FSMA without being bound by tight timetables under the Enterprise Act.
If, following a market study, the FCA concludes that a market is not functioning well, it may seek regulatory changes to fix the issues identified. Potential remedies include structural reforms (e.g. rule-making, guidance and/or proposing enhanced self-regulation), or firm-specific changes (e.g. varying regulatory permissions, public censure and/or financial penalties). The FCA can also “name and shame” firms by publishing data – one of the remedies imposed in the cash savings market study, for example, was the publication of interest rates made available by over 30 banks and building societies on certain types of savings accounts and ISAs. The FCA furthermore has the power to refer a market to the Competition and Markets Authority (CMA) for a detailed “phase 2” market investigation, the outcome of which could include forced divestments or other major interventions.
A market study offers the opportunity for quite considerable change. We would therefore encourage firms affected by market studies to consider what features of the market they may wish to change or defend and then consider how to engage with the FCA on those fronts.
Zeroing-in on individual firms – ‘hard’ and ‘soft’ enforcement measures
Investigations of individual firms are common outcomes of market studies in other sectors. Early in 2016, the FCA launched its first antitrust investigation. Details of the behaviour and the firms under investigation remain confidential. The FCA Director of Competition stated that she hoped the investigation “sends a signal that we take competition law seriously alongside other regulatory enforcement” and noted that the FCA is “well placed” to detect and take action in relation to breaches of competition law. It is certainly true that the FCA is ‘well placed’ – it has a team of around 100 competition specialists, a number of whom used to work for the CMA.
We anticipate an uptick in antitrust investigations in 2017. The CMA publishes an annual report assessing the operation of the concurrent powers by the FCA and other sector regulators. In its April 2016 report the CMA stated that it hoped to see a greater number of cases opened by the concurrent sector regulators (including the FCA) in the year ahead. The FCA, like its peer concurrent regulators, has been given its competition law powers on a ‘use it or lose it’ basis. This may be a real spur for greater enforcement action in future. The competition between sector regulators and the FCA’s desire to be regarded as ‘first among equals’ may also motivate further competition enforcement. Finally, following Brexit, cases involving possible anti-competitive conduct in the financial sector that previously may have been investigated by the European Commission are likely to fall to the FCA or CMA.
Despite little ‘hard’ antitrust enforcement, the FCA has been astute in its use of ‘soft’ enforcement methods and we expect this trend to continue in 2017. The FCA has made use of “on notice” letters which notify a firm that the FCA has information about a suspected breach of competition law. The firm must conduct an internal review and report back to the FCA on the scale of any competition breach identified, and what measures the firm will take to address the problem. “On notice” letters transfer the burden of investigating and remedying competition problems to individual firms. This can free up FCA resources for higher priority matters, whilst also solving potential competition concerns - a regulatory ‘win-win’.
To date, the FCA has publicly confirmed the use of several “on notice” letters prompted by information gathered during the retirement income market study. The FCA met with the relevant firms to better understand their proposed solutions and the firms have since undertaken a number of initiatives to strengthen their compliance.
The FCA has also sent three advisory letters – intended to raise competition law awareness and promote compliance amongst targeted firms.
Self-reporting competition issues – a significant question
Both market studies and “on notice” letters can place considerable burdens on individual firms to provide evidence in response to an FCA information request. Responding to such requests can also cause firms to ‘flush out’ potential issues which may require self-notification under the FCA’s handbook. SUP 15.3.32R (1) requires firms to notify the FCA of any significant infringement (or potential infringement) of any applicable competition law. The reference to “any applicable competition law” means that the notification obligation extends to infringements of competition law outside the UK. Despite the extensive scope of the notification obligation, only limited guidance has been provided by the FCA, in particular in relation to how firms can determine whether an infringement is “significant”.
The position adopted by the FCA is in stark contrast with the standard application of competition law. Leniency programmes generally provide that companies can choose whether or not to self-report competition infringements and there are, in many cases, incentives for companies to do so. If the relevant conduct identified by a firm is sufficiently serious, the FCA’s mandatory self-reporting obligation can effectively force a firm to apply for leniency. Moreover, the same conduct could prove problematic under both the FCA’s conduct rules and competition law. It is therefore more important than ever that regulated firms bring their competition compliance programmes in line with the self-reporting obligation and think through the wider implications of any notifications to the FCA.