The date for the GDPR implementation is getting closer. This article is designed to help accountants understand the new data protection regulations coming into effect on 25 May 2018. An overview of the new regulations can be found here.
The GDPR is an EU regulation and builds on data privacy and security principles that organisations should already be abiding by. A review of these and changes for the GDPR should be undertaken and most accountants should be able to handle any changes internally.
Like the Data Protection Act (DPA), the GDPR has a suite of sanctions to help organisations focus on compliance – warnings, reprimands, corrective orders and fines. While these will not always hit accountants in the pocket – reputations could suffer. The GDPR has significantly increased the ability for the supervising authority (the Information Commissioner’s Office in the UK) to levy significant fines for non-compliance which, at their highest, could amount to €20,000,000 or 4% of the global turnover of the offending company, which ever number is higher. Whilst you are unlikely to be hit with fines anywhere near this amount in the event of a breach, it does flag the increased teeth given to the ICO under the GDPR. Regulatory bodies (ICAEW and ACCA) will also expect firms to have planned for and implemented the GDPR principles in their practices.
The GDPR applies to ‘controllers’ and ‘processors’. The definitions are similar to the DPA – i.e. the controller says how and why personal data is processed and the processor acts on the controller’s behalf. If a business is subject to the DPA, it will also be subject to the GDPR.
There are specific legal obligations for both controllers and processors in the GDPR. This requires businesses to maintain records of personal data and processing activities. There is significantly more legal liability if you are responsible for a breach.
If you are a controller, the GDPR places further obligations on you to ensure your contracts with processors comply with the GDPR, for example, Cloud and other IT providers. All Accountants are controllers in one way or another.
If you are a processor, you need to ensure that your contracts with your controllers are not exposing you to the joint and separate liability you both have. All Accountants that offer payroll services, for example, are also processors, processing the personal data on behalf of their clients, who are the data controllers.
The GDPR applies to processing carried out by organisations processing personal data of any data subject situated within the EU. It also applies to organisations outside the EU that offer goods or services to individuals in the EU.
The GDPR applies to ‘personal data’. The GDPR’s definition is more detailed than in the DPA and makes it clear that information such as an online identifier – e.g. an IP address – can be personal data. The more expansive definition provides for a wide range of personal identifiers to constitute personal data, reflecting changes in technology and the way organisations collect information about people.
The GDPR applies to both automated personal data and to manual filing systems where personal data is accessible according to specific criteria. This is wider than the DPA’s definition and could include chronologically ordered sets of manual records containing personal data.
For most accountants keeping HR records, client lists, or supplier contact details for example, the change to the definition should make little practical difference. You can assume that if you hold information that falls within the scope of the DPA, it will also fall within the scope of the GDPR. Accountants will need to pay specific care with privacy statements and permissions to hold data because that data is highly sensitive (NI numbers, dates of birth etc.)
The GDPR requires you to show how you comply with the GDPR principles – for example, by documenting the decisions you take about a processing activity or encrypting all personal data.
Article 5(1) of the GDPR requires that personal data shall be:
(a) Processed lawfully, fairly and in a transparent manner in relation to the data subject;
(b) Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall … not be considered to be incompatible with the initial purposes;
(c) Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
(d) Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
(e) Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes … subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject;
(f) Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Article 5(2) requires that:
‘The controller shall be responsible for, and be able to demonstrate, compliance with the principles’
For processing to be lawful under the GDPR, you need to identify a legal basis before you can process personal data. These are often referred to as the ‘conditions for processing’ under the DPA.
It is important that businesses determine their legal basis for processing personal data and document this. Lawfulness of processing conditions are:
- Consent of the data subject,
- Processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract,
- Processing is necessary for compliance with a legal obligation,
- Processing is necessary to protect the vital interests of a data subject or another person,
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller,
- Processing is necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject.
If consent is the legal basis chosen, then that consent needs to be freely given, specific, informed and an unambiguous indication of the individual’s wishes. Consent under the GDPR requires some form of clear affirmative action. Silence, pre-ticked boxes or inactivity does not constitute consent. Individuals have a right to withdraw consent at any time. Where you already rely on consent that was sought under the DPA you will not be required to obtain fresh consent from individuals if the standard of that consent meets the new requirements under the GDPR. Consent must be verifiable. This means that some form of record must be kept of how and when consent was given.
Where processing is necessary for the purposes of your business’s or a third party’s legitimate interests then you can rely on the lawfulness of processing conditions outlined above.
Rights for individuals
The GDPR provides the following rights for individuals:
- The right to be informed;
- The right of access; the right to rectification;
- The right to erasure; the right to restrict processing;
- The right to data portability;
- The right to object and;
- Rights in relation to automated decision making and profiling.
In summary, this means the right to be informed encompasses your obligation to provide ‘fair processing information’, typically through a privacy notice. It emphasises the need for transparency over how you use personal data.
Under the GDPR, individuals will have the right to obtain: confirmation that their data is being processed, access to their personal data, other supplementary information – this largely corresponds to the information that should be provided in a privacy notice.
Subject access requests under the GDPR mean information must be provided without delay and at the latest within one month of receipt.
Complex or numerous requests can be extended by a further two months. If this is the case, you must inform the individual within one month of the receipt of the request and explain why the extension is necessary.
Inaccurate data held
Individuals are entitled to have personal data rectified if it is inaccurate or incomplete. If you have disclosed the personal data in question to third parties, you must inform them of the rectification where possible. You must also inform the individuals about the third parties to whom the data has been disclosed where appropriate.
The GDPR introduces a duty on all organisations to report certain types of data breach to the relevant supervisory authority, and in some cases, for example, where personal data is not encrypted, to the individuals affected. A notifiable breach must be reported to the relevant supervisory authority within 72 hours of becoming aware of it. The GDPR recognises that it will often be impossible to investigate a breach fully within that time-period and allows you to provide information in phases. If the breach is sufficiently serious to warrant notification to the public, the organisation responsible must do so without undue delay. Failing to notify a breach when required to do so can result in a significant fine up to €10,000,000 or 2% of turnover.
Transfer of data
The GDPR imposes restrictions on the transfer of personal data outside the European Union, to third countries or international organisations, in order to ensure that the level of protection of individuals afforded by the GDPR is not undermined.
Accountability and Governance
Organisations are expected to put into place comprehensive but proportionate governance measures. Best practice tools such as privacy impact assessments and privacy by design are now legally required in certain circumstances. The measures you put in place should minimise the risk of breaches and uphold the protection of personal data. In practice, this is likely to mean more policies and procedures for accountants, although many will already have good governance measures in place.
Demonstrating you comply with the GDPR
The following checklist should help accountants prepare for the GDPR.
- Ensure all partners and employees are aware of the GDPR and have been trained on the new regulations. Click here to see a free 2020 video which should help.
- Consider using a specialist to help. Click here for more information.
- Review all data held (manual and electronic) and ask ‘why is it held?’, ‘do we have consent to keep it?’, ‘do we still need it?’ and ‘is it secure?’;
- Delete ‘non- consented’ or old data files whether electronic or manual;
- Perform a risk review of data held on servers, mobile devices, cloud and lap tops to ensure it is secure. E.g. Password protected and encrypted;
- Ensure no personal data is sent by email to clients unless encrypted and / or sent by secure portal. Consider other measures (such as an email delay) to ensure data goes to where intended;
- Review all existing data privacy notices to ensure all suppliers, clients, employees and third parties give consent and know how you use their data;
- Ensure privacy notices are clearly published on your terms of business and website and any other material used in communicating with existing or potential clients;
- Install a system to ensure the rights for individuals are met and that you have procedures in place to handle subject access requests;
- Document your procedures and your firm’s policy for compliance with the GDPR, distribute this to all employees and consider making the policy part of your terms of employment;
- Perform an annual check of your procedures as part of the whole firm review.
Disclaimer: Please note that this blog only contains general information and insights about legal matters. The information is not advice, and should not be treated as such.
2020 Group provides innovative training and marketing solutions for progressive accountants worldwide. Visit their website - www.the2020group.com to find out about the range of services they can offer.