Are you ready for GDPR?
Brian Palmer explains significant changes to the data protection laws that will come into effect in 2018 and will impact on your firm
May 2017 marked one year to go until the new data protection rules come into force: all UK businesses will need to be compliant with the General Data Protection Regulation (GDPR) by 25 May 2018. GDPR has been brought in by the European Union to give individuals greater control over their personal data, because businesses now collect more personal information about individuals than ever before. Despite Brexit, the regulation is being adopted by the UK, so businesses here will still need to act and be ready.
GDPR distinguishes two roles for organisations that handle personal data: data controllers and data processors. Data controllers are individuals or organisations who determine how and why personal data is processed; an accountancy practice handling its own clients' information falls into this category. Data processors are third parties who process personal data on behalf of a controller and on its instructions, such as an outsourced payroll bureau or a cloud software provider.
Under GDPR, data processors, as well as controllers, will be legally required to keep records of the personal data they hold and of the processing activities carried out on it. Placing direct obligations on processors is a change from current data protection law, and many businesses that act as processors will need to be made aware of it.
The implementation of GDPR may seem far away, but it is a good idea for your business to act now to ensure compliance. An important first step for accountants is to identify the personal data they hold on clients, from contact details to bank account information, and where it is stored. The maintenance of customer data will be much more rigorous under GDPR, and all of this information will need to be safeguarded. Once all relevant data is identified, risk assessments should be carried out, such as a data protection health check to identify any potential risks of non-compliance or vulnerabilities in data storage systems.
Another change under GDPR is that client data will need to be processed on a lawful basis. If consent is the basis relied on, it must be specific, informed, freely given and unambiguous. When consent is obtained from clients, accountants must be able to demonstrate how it was given, and document it accordingly.
Clients will also have the right to 'be forgotten' and have their data erased, for example when a contract ends. If this happens, a reasonable procedure must be in place to ensure that their data is deleted. The right is not absolute, however: where another law requires records to be kept, such as statutory retention periods for accounting or anti-money-laundering records, that data can be retained for as long as the legal obligation lasts, and the client should be told why. Where data has been shared, it will also be the responsibility of the controller to notify the other controllers and processors holding that data that consent has been withdrawn and that the data should be erased from their records too. In that situation, it will be important to remember that data should also be deleted from backups and cloud storage, so it is essential that businesses keep a record of where and how data is stored, and know how to delete it completely.
As most data is now stored on computers, existing cyber-protection measures should be reviewed, and encryption should be enabled on all PCs, laptops, phones and other devices used for the organisation's work, in line with ICO guidance; an encrypted device that is lost or stolen is far less likely to result in a reportable breach.
If the organisation has moved to cloud accounting, the service used will need to be GDPR compliant and the contract with the provider should set out its obligations as a processor. As well as protecting computer-based information, it should also be remembered that physical personal data, such as the contents of filing cabinets, will need to be protected under GDPR as much as online information.
It is essential that your organisation is ready when GDPR is implemented. Businesses that do not comply face fines of up to €20 million or 4% of annual worldwide turnover, whichever is greater, an amount that not many businesses can afford to lose.
• Brian Palmer, tax policy expert, the Association of Accounting Technicians