There has been a lot written about GDPR, but what do you have to do to make sure you are compliant? Steve Checkley finds out
Just as happened with Making Tax Digital (MTD), there has been a blizzard of advice on the General Data Protection Regulation (GDPR).
As the 25 May deadline for GDPR approached, our customers asked us more and more about what they needed to do. Many thought GDPR was just about marketing. Be aware: it is a great deal more than that.
To help our clients make sense of the administrative and regulatory challenges posed by GDPR, we saw the need to produce a dedicated GDPR product called, quite sensibly, TaxCalc GDPR Centre.
In this article, we’ll look at some of the key areas of GDPR and how TaxCalc can help your practice become and stay compliant. While not exhaustive, it does provide a flavour of what you need to look out for and put into place in the coming weeks and months.
Putting your data into context
A key requirement under GDPR is to understand how you use and collect personal data in your practice.
As far as using data is concerned, your first thought will probably be your clients, but you will also hold data on staff and almost certainly on suppliers. Note that an unincorporated supplier (a sole trader or partnership, for example) is an individual, not a business, so the details you hold on them are personal data too.
With regard to the data you collect, think of it as three dimensional. You have current clients, former clients and prospective clients. You can also have current employees, former employees and prospective employees (CVs, interview notes).
Data control, processing and storage
Let’s look at the routine requirements, actions and services you need to carry out to make your practice run.
- You need clients, so you carry out marketing.
- When you take on a client, you have to record information about them to identify them in your systems and then use this to discharge your anti-money laundering responsibilities.
- You’ll find that you need staff, so you collect CVs.
- Hopefully, these turn into employees and so you begin to build up HR files.
For these activities you are the data controller: you decide why the data is collected and how it will be used, and you collect it for your own purposes.
When preparing sets of accounts and tax returns, keeping books and running payrolls, you are working on your clients’ data on their behalf; in GDPR vernacular this is where you act as a data processor. Be careful with the distinction, though. Controller or processor status turns on who decides the purposes and means of the processing, not on whose data it is. Where you apply your own professional judgement, or have your own legal obligations to meet, you may still be a controller for that work, so check how your engagement letter describes each service.
Data storage and deletion:
A rule of GDPR, which was the same under the Data Protection Act (DPA), is that you should only hold data for as long as you need it. Those unsuccessful CVs? Perhaps they need binning. Prospective clients didn’t convert? Delete them from the database. You’ll need to consider carefully how you store data and when you need to delete it.
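The storage-limitation rule above is easiest to keep to when deletion is driven by a written retention schedule rather than by memory. The following is an added example, not code from the original article or from TaxCalc, of a retention sweep over a constructed set of records. The record categories and the retention periods are assumed, illustrative values for the example, not legal advice; a practice sets its own periods and records the justification. The sweep fails closed: anything still live, under a legal hold or without a defined period is kept and flagged for review rather than silently deleted.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Retention periods in days, counted from the date the purpose ended
# (interview concluded, prospect declined, engagement closed).
# Assumed illustrative values for this example, NOT legal advice.
RETENTION_DAYS: Dict[str, int] = {
    "unsuccessful_cv": 180,
    "unconverted_prospect": 90,
    "former_client": 6 * 365,
}


@dataclass
class Record:
    record_id: str
    category: str
    ended_on: Optional[date]   # None while the relationship is still live
    legal_hold: bool = False   # e.g. subject to an open complaint or inquiry


def deletion_decision(rec: Record, today: date) -> Tuple[bool, str]:
    """Return (delete?, reason). Fails closed: anything unclear is retained
    and flagged for human review rather than wiped automatically."""
    if rec.legal_hold:
        return False, "legal hold"
    if rec.ended_on is None:
        return False, "relationship still active"
    days = RETENTION_DAYS.get(rec.category)
    if days is None:
        return False, "no retention period defined: review"
    if today < rec.ended_on + timedelta(days=days):
        return False, "within retention period"
    return True, "retention period expired"


def retention_sweep(records: List[Record], today: date) -> Dict[str, List[str]]:
    """Split records into those to delete and those to keep. Every entry
    carries its reason so the decision can be evidenced later."""
    out: Dict[str, List[str]] = {"delete": [], "keep": []}
    for rec in records:
        delete, reason = deletion_decision(rec, today)
        out["delete" if delete else "keep"].append(f"{rec.record_id}: {reason}")
    return out


# Constructed sample data for the example (not real records).
SAMPLE: List[Record] = [
    Record("cv-001", "unsuccessful_cv", date(2017, 10, 1)),
    Record("cv-002", "unsuccessful_cv", date(2018, 5, 1)),
    Record("lead-017", "unconverted_prospect", date(2018, 2, 1), legal_hold=True),
    Record("lead-018", "unconverted_prospect", None),
    Record("cli-300", "former_client", date(2012, 3, 31)),
    Record("misc-9", "cctv_footage", date(2018, 1, 1)),   # no period defined
]


def run_example() -> Dict[str, List[str]]:
    """Run the sweep over the sample as at 1 June 2018."""
    return retention_sweep(SAMPLE, date(2018, 6, 1))


if __name__ == "__main__":
    for bucket, items in run_example().items():
        print(bucket)
        for item in items:
            print("  ", item)
```

In practice the "delete" list would feed the actual removal from each place the data lives (practice software, mailboxes, backups), and the "keep" list with its reasons is what you would show the ICO if asked why a record is still held.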
Looking at client engagement in detail
Client rights, notification and policy document:
When engaging clients, GDPR requires you to tell people what you do with their data and what their rights are under the new regulation, and it makes it easier for them to enforce those rights. The ICO can investigate complaints and has the power to levy fines.
So, here are some of things you should consider when meeting a prospect:
- You’re going to need some personal information to set them up on your system. On what lawful basis do you hold it? Consent is only one of the bases GDPR allows; for onboarding a client, performance of the contract or a legal obligation (your anti-money laundering checks) will often be the better fit, and consent should not be relied on where another basis applies. Whichever basis you use, how do you record it?
- Do you tell the prospect what you’re going to do with the information they provide you?
- Do you know where their data will end up being stored? What systems are you going to share the data with?
- Is the prospect a child? In the UK a child under 13 cannot give valid consent themselves, so a parent or guardian must provide it on their behalf.
- Does the prospect know that you’ll dispose of their data if they don’t become a client?
To make life more straightforward, you could set out much of the above in a policy document which the client can read at their leisure.
Data Activity Registers
Importantly, you’re required to keep a Data Activity Register of your usual business processes (GDPR calls this the record of processing activities). A register could include:
- Basic information about your practice (proprietors, address, etc.), who your Data Protection Officer is (if appointed) and any joint controllers
- The reason why you have that data and what you do with it.
- Descriptions of the individuals involved (clients, employees, suppliers) and the categories of information you’ve captured (e.g. name, address, UTR, NINO, passport number, business name, VAT number and so on).
- Any recipients of this information.
- The lawful basis for holding this information (consent, contract, legal obligation and so on) and, where that basis is consent, how you obtained and recorded it.
- How long you intend to keep this data on file after the end of the relationship.
- Whether any automatic collection or processing is involved.
- All the places where the data is stored (filing cabinets, practice software, emails, backups) and the protections in place.
If the ICO does come knocking, your registers will have to be handed to them upon request.
How TaxCalc can help
We know our customers and their business processes well, so rather than start from scratch we’ve built TaxCalc GDPR Centre, with prepopulated Data Activity Registers to record all of the above.
To get things started, we’ve also created a process questionnaire to make you think about key issues (e.g. CCTV, obtaining consent, obtaining information about children, which matters if you process Trust returns) and risk questionnaires to test how your practice would cope should one of a number of scenarios occur. And more besides.
It pays to put the right practices into place. GDPR is not about scaremongering or a needless enforcement of bureaucracy. It’s intended to bring better practices when it comes to data and personal rights.
You can find out more about TaxCalc GDPR Centre by visiting www.taxcalc.com/gdprcentre
- Steve Checkley is Managing Director of TaxCalc
Accounting Practice Online is part of the ICPA, which is an organisation designed to provide support and guidance for accountants in practice. With 35+ practice specific benefits there has never been a better time to join. Take a look at the routes to membership today.