Time for accountants to prepare for GDPR

It can feel like there’s always something new for accountants to get to grips with – from taxes to technology, and everything in between. And now another big piece of legislation is looming on the horizon: data protection. Oh yes, every auditor’s favourite two words will be front and centre in the coming months as the EU General Data Protection Regulation (EUGDPR) comes into force on 25 May 2018.
What is EUGDPR?
The EUGDPR is an attempt to harmonise data protection laws across Europe. For those wondering whether this will still be relevant after Brexit: the new UK Data Protection Bill (which will replace the current Data Protection Act) will transpose the GDPR into UK law, so it will still apply despite Brexit. There’s no escaping it!
The new regime has been described by the Information Commissioner as “a game-changer for everyone” since it will affect all businesses that process (i.e. collect, record, use or disclose) data relating to an identified or identifiable natural person (“personal data”).
Accountancy firms operating within the EU will need to comply with the GDPR regime as they will frequently process personal data. Insolvency Practitioners (IPs) and bankruptcy trustees are also not exempt from the regime: as data controllers of the personal data they receive by virtue of their appointment, they must ensure that they comply with the GDPR when dealing with personal data, including when disposing of the assets.
With maximum fines of up to the higher of €20m or 4% of annual turnover, there is no room for complacency.
How should accountants prepare for EUGDPR?
Firms will need to comply with the new legislation and keep appropriate records to demonstrate that compliance, so internal audit and compliance programmes should be established quickly. This is likely to require HR, IT, Business Development, senior executives and all other areas of the business to work together.
Data Processing
Accountancy firms will need to undertake a detailed review of their personal data processing activities. In particular, this means:
- assessing the legal basis for processing personal data;
- revising their methods of procuring consent from individuals to process their personal data;
- introducing appropriate transparency/privacy measures in dealing with personal data;
- enabling individuals to see and erase the personal data that firms hold on them – the so-called “right to be forgotten”.
HR databases
These will store personal data on employees (former, current and prospective) and their pensions. Firms should consider the most appropriate legal basis for processing personal data on employees and should also carry out periodic reviews to remove data no longer required on former and prospective employees.
Data security and breach
Under the new law, any data breach which may result in a risk to the rights and freedoms of individuals must be reported within 72 hours to the ICO, and the individuals themselves must also be notified without undue delay. IT security measures will need to meet the highest security settings of “data protection by design and default”, which the GDPR requires for personal data.
Training
Firms should identify which of their people know about data protection measures and the new enhanced regime. Regular internal training on the GDPR should be given to all staff so that they understand the new legislation and the implications for the firm if it is non-compliant.
Outsourcing to third parties
Firms will need to carefully review relationships with third parties with whom they may share data, and consider new contractual provisions to help ensure compliance with the GDPR. In short, firms need to satisfy themselves that any third party handling outsourced data is also complying with the GDPR regime.
That’s a lot of information to take in, but savvy accountants should now be reading up on the new law, and asking the right questions of their senior managers. You never know, you could find yourself with an exciting new project to lead!