GDPR – a more practical approach!
There are lots of blogs and press releases about GDPR (The General Data Protection Regulation) at the moment. Here’s our take on how the new regulations, coming into force on 25th May 2018, will affect small accountancy practices.
What is data?
It’s worth mentioning straight away that this regulation covers personal data – data which can be used to identify a living EU citizen – and, without getting into debates about Brexit, this comes in first so it does affect us! It affects all businesses, regardless of size, but will have a greater impact on businesses dealing with consumers. Business-to-business organisations do still have to be compliant, but by their nature will not hold as much personal data. So, the information we’re talking about is, for example, your own employee data, personal tax clients and the payroll details of your clients.
There is a lot being made about the heightened requirements to obtain consent. However, consent is only one of six legal bases for processing data. The others include where processing is “necessary for the performance of a contract” and “necessary for compliance with a legal obligation” – for example, the contract you have entered into with your client to provide accountancy services and your legal obligation to perform due diligence checks to comply with money laundering regulations.
The consumer’s expectations about the information you hold and why you hold it are also relevant. You are not holding your employees’ bank details because they’ve consented – you’re holding them to fulfil your legal obligation as their employer to pay them.
I came across a query from an insolvency practitioner as to whether he would need to obtain consent from and/or issue privacy notices to the employees of the bankrupt companies he acted for. The answer was, in theory, yes, but, given that he is holding that information as part of the winding up process to inform HMRC and pay outstanding wages, the employees would reasonably expect the practitioner to require and hold this information.
However, in all these cases you must consider the legal basis for holding information and if you are subsequently required, or decide, to use the information for another purpose, marketing for example, you should review the legal basis and obtain consent if required.
Privacy notices are used to inform individuals that you hold their data, how, why and where it’s held, and their rights. You can provide this information by updating employment contracts and letters of engagement, updating your website or any other method you feel is appropriate. There are guidelines which require it to be clear, concise and easily accessible.
Current wording in the above documents is likely to refer to The Data Protection Act 1998 and is unlikely to comply with the new requirements. However, the ICAEW will issue revised example wording for engagement letters etc. once the ICO has published their guidance.
Right to be forgotten
This is another hot topic that is causing a lot of debate. GDPR introduces a new “right to be forgotten” giving the individual the right to request that all their personal data be deleted. How does this affect the holding of data for money laundering checks and information held within your own accounting records? The ICAEW have confirmed that this new right is overridden by statute – i.e. an individual cannot require you to delete information from your due diligence and internal accounting records. That said, how much personal data you would hold for accounting purposes is questionable and, of course, if you’re holding information over and above what’s required by law for another purpose then you would have to consider the legal basis and the individual’s rights.
What to do now
1. Firstly, appoint someone internally to take control of understanding the new regulation and how it will affect your practice. Organisations with fewer than 250 employees are not required by law to appoint a data protection officer, but someone needs to ensure you’re compliant.
2. Perform a data audit to understand
a) the type of data you hold; and
b) where it is held – this is quite far reaching when you think about it – accounting and tax software, audit software, payroll software, practice management systems, network drives, C drives and of course, paper files.
Consideration will need to be given as to how many individual devices information is held on – laptops, desktops, tablets, phones and memory sticks. Until you know what you’ve got and where it is you can’t put processes in place.
3. Think about security processes – physical security, backup procedures, IT security – most good IT support firms and software houses will be ready to guide you through the techy bits. You will need to check contracts with third parties who hold data on your behalf, including software providers and cloud-based services (also known as the data processors). It will be important to understand where they hold the data and to ensure that they are GDPR compliant.
4. Update documentation and put procedures in place to ensure you’re compliant and can cope with data requests, the right to be forgotten and data breaches. Data breaches are now reportable to the Information Commissioner’s Office within 72 hours if the breach is likely to cause a detrimental effect on an individual – whether to reputation or financial loss.
5. Consider deleting any information you don’t need to hold to remove the risk.
6. Monitor systems and procedures on an ongoing basis. It’s not a one-off exercise, unfortunately.
7. Consider how the change in regulation will affect your clients and how you can help them through it. They may well look to you for advice and, depending on their business, implementation could require considerable time and monetary investment on their part to ensure that they are compliant.
Liz Hollingsworth, Insight Training, October 2017