My colleague Liz Hollingsworth’s blog on GDPR in October of last year advocated the need for accountants to adopt a practical approach to compliance.
Since then we’ve had many discussions with practitioners about GDPR compliance, in particular data privacy, and we’re still concerned at the amount of confusion and anxiety about the potential need for procedures that might cause normal business practices to pretty much grind to a halt!
Here are five of the most common questions we’ve received, with suggested answers …
1) I’ve heard that I’ll no longer be able to pick up a business card at a networking event and be able to keep it. Is this true?
This is a myth! The legislation is not designed to hinder normal business activity. If someone gives you their business card at a networking event, their expectation is for you to contact them. Don’t forget that personal information can be held where there is a ‘legitimate interest’ without consent needing to be sought.
2) If I don’t seek consent to hold personal information in relation to business contacts now, am I prohibited from approaching them in the future if I arrange a one-off seminar to take place at my office?
A lot of the guidance uses terms such as ‘judgement’ and ‘individuals’ expectations’. If business contacts have attended seminars in the past, they are likely to expect to be invited to future ones. Surely the worst that can happen is that they contact you and ask for their details to be removed from your systems, in which case you comply!
3) My practice does payroll processing. We have historically emailed payslips to clients’ employees. It will be very burdensome to use a data portal or encryption software to provide this information in the future. How should we proceed?
Data encryption software and portals will certainly become more common, but there is no blanket requirement for them: GDPR only requires an organisation to use appropriate measures to keep personal data secure. If you and your clients/employees feel it is appropriate to use email, then continue to do so, but it would be sensible to put simple measures in place, such as password protecting any documents containing personal data (e.g. payslips and payroll summaries), if you are not doing so already. For the password to offer any protection it must be communicated separately, never in the same email as the attachment.
4) Clients regularly ring up or email us to ask for their UTR number or their last three years’ profits. Is it true that I will no longer be able to simply email this information back?
As with the question above, if your clients are happy for the information to be emailed, then continue to do so, but consider sending it as a password protected attachment.
5) Bank managers are getting grumpy about the lack of information in micro entity and abridged accounts and are asking for supplementary information by email. Presumably I can’t just email this sort of information across anymore?
There is no clear guidance on this. GDPR does not mandate encryption of data when it is transmitted electronically. However, once again, it would be sensible to take simple precautions, such as password protecting documents, when emailing data. This supplementary information might also technically be beyond the scope of GDPR if it doesn’t contain personal information relating to ‘living individuals’.
There’s no doubt that GDPR will have an impact on many firms and careful consideration will need to be given to relevant policies and procedures. Furthermore, it’s ‘on the radar’ for regulatory bodies, even though they’ve been fairly slow in providing specific guidance.
But there can be a risk of overreaction and blind panic. Common sense must surely prevail!
Peter Herbert, Insight Training, March 2018