The General Data Protection Regulation (GDPR), which comes into effect on 25 May 2018, will impose new obligations on all organisations that collect, store and process individuals’ personal information.
As an accountancy firm you will no doubt keep client information on file, so it is important that you understand your new obligations when it comes to protecting your clients’ data – failure to do so could result in significant financial penalties.
Understanding the changes
A fundamental new requirement of the GDPR relates to accountability. Businesses must be able to identify their lawful basis for processing personal data, and document this. The GDPR also prioritises the issue of consent, requiring that an indication of consent must be specific, unambiguous and freely given.
Another principle central to the GDPR is the concept of ‘data protection by design and default’, by which firms build in the necessary privacy and security protections from the outset, rather than as an afterthought. In some circumstances, businesses will be required to undertake a Data Protection Impact Assessment.
The GDPR applies to both ‘controllers’ and ‘processors’ of personal data. Processors will be specifically required to maintain records of personal data and processing activities and will have increased legal liability for any breaches (including reporting certain breaches) under the new laws. Meanwhile, controllers will be under additional obligations to ensure that their contracts with processors are in compliance with the GDPR.
Further information on the new rules can be found on the Information Commissioner’s Office (ICO) website.
Protecting your clients
With fines of up to €20m or up to 4% of total annual worldwide turnover, it is advisable to take action now to ensure you are prepared for the implementation of the GDPR.
As a first step, you should ensure that records relating to the personal data you hold are up to date. These records should include where the data came from and who it has been shared with. Privacy notices and consent procedures should also be reviewed and, where necessary, amended in time for the implementation of the GDPR.
Farida Rahman-Wright, professional standards manager at AAT, advises: ‘Accountants and bookkeepers should carry out a risk assessment on current systems, such as a data protection health check, to identify any potential risks of non-compliance or vulnerabilities. They should also consider installing encryption software on all PCs and devices in accordance with ICO guidelines.’
The new regulation also gives clients the ‘right to erasure’, meaning that individuals have the right to ask that data about them is deleted. However, Rahman-Wright warns that ‘data erasure can be difficult due to backups, multiple systems and cloud storage’.
‘If customers request that their data is deleted, a reliable process must be in place, while if data is deleted accidentally it must be reported. Companies in possession of the data must also notify other holders of the data that consent has been withdrawn and data should be erased.’
Of course, as well as reviewing your own procedures, the new regulations will also affect many of your clients’ businesses. Practice Track will be producing a new factsheet explaining how the GDPR changes affect your clients, as well as providing practical tips to help them comply with the new legislation. To register your interest, please email email@example.com.