GDPR comes into effect next May, and businesses face a race against time to achieve compliance before the deadline, warns Paula Tighe
It is crucial accountants give themselves enough time to fully understand the new regulations, and begin working on a plan to change procedures and processes where necessary.
Although the UK has voted to leave the EU, GDPR will still apply to any business that obtains, uses or processes data within the EU, so it is important that you start preparing early to avoid falling foul of the regulations.
Why is this important? Well, breached organisations will find the fines they face increasing dramatically. Penalties will reach an upper limit of €20 million or 4% of annual global turnover – whichever is higher. For many businesses, the threat of insolvency or even closure as a result of GDPR penalties will soon be very real.
Raise awareness and register it: One of the most important steps is to begin recording the entire compliance process, as this will help protect your business during the initial months of GDPR. This ‘Data Register’ should include what personal data you currently hold and the reasons for processing it, including where it came from and who you share it with – this will help you adhere to the key accountability principles.
Remember, GDPR compliance does not aim to obstruct or prevent you from doing things; instead it aims to improve standards by encouraging businesses to review their existing methods and procedures, making them more efficient where possible. Take a closer look at your existing privacy notices and policies, in both digital and hard copy format – are they concise, written in clear language, easy to understand and easily found?
Once you are happy with the content of all your important policies and notices, ensure that these are correctly and clearly communicated to data subjects, including advice on how they can complain to the Information Commissioner’s Office.
Rights of the individual: Post-GDPR, individuals will have more control over their personal data, so you must ensure your procedures detail how you will provide data, how you will delete it, and how you will correct mistakes – you must be able to prove you have a process to meet an individual’s request to have their information erased.
Perhaps one of the key drivers for the changes is the right of an individual to prevent their data being used for direct marketing purposes, along with the right to challenge and prevent automated decision-making and profiling.
Regardless of complaints or investigations, introducing transparent procedures will help mitigate any problems you face with the regulator. If your organisation correctly handles personal data under the current Data Protection Act, the change to GDPR should be no problem.
If you receive a subject access request from an individual asking to see what data of theirs you currently hold, you must comply within a month or face punishment. If you think the request has no merit, you can refuse, but you must tell them why and how they can complain to the regulator.
Never assume consent: Handling consent for the capture and use of personal data for more than just contact is a tricky area. Individuals must give clear consent for their data to be used and be able to revoke consent at any time – if you want to use their data differently, you must obtain a new consent.
How you obtain or confirm consent will help mitigate any future problems at the hands of the regulator.
Keep reviewing and keep recording: Where data processing could pose a significant risk to individuals because of the technology being used, or the scale of the processing, you should undertake a Privacy Impact Assessment (PIA).
These assessments will help you and the regulator decide the likely effects on the individual if their data is lost or stolen and should form part of your ongoing processes. Ensure you have a robust process for making the assessments and then record it, along with the outcome.
Make someone responsible and keep it up: For accountancy firms that handle personal data on a regular basis, it could be worth considering appointing a dedicated Data Protection Officer, who can make sure you are GDPR compliant at all times. You must also consider written records, which are also covered by the regulations – ensure all your staff are trained on the correct handling of personal data. Above all, starting the compliance process now and recording the transition process is the best way to protect your company from any serious punishment for not being completely compliant upon the arrival of GDPR.
Those companies who disregard the changes and make no effort to adhere to the rulings will not fare as well as those who do.
- Paula Tighe is an Information Governance Director at law firm Wright Hassall and leads the trusted advisor information governance service
Accounting Practice Online is part of the ICPA, an organisation that provides support and guidance for accountants in practice.