How can accountants prepare to comply with GDPR?

With the regulation set to take effect from 25 May this year, what do accountants need to do to ensure that they’re fully prepared and in compliance with GDPR?

GDPR is fast approaching with the regulation set to take effect from 25 May this year. Aiming to harmonise data privacy laws across Europe and strengthen the protection of data, the regulation imposes new requirements on companies that process and hold personal data.

If controllers and processors of data fail to comply with the new regulation, they face heavy penalties up to a maximum of 4% of annual global turnover or €20m, whichever is greater. So what do accountants need to do to ensure that they’re fully prepared and in compliance with GDPR?

Data Protection Act

An important point for practices and businesses to note is that many of the principles contained in the current Data Protection Act (DPA) will still apply under GDPR. Therefore, those who are already in compliance with the act will not have to start from scratch, but can retain many of their current processes once GDPR has taken effect. Yet, GDPR does introduce new standards, so even accountants who are fully compliant with the DPA will need to make some changes.

Data audit

The first step for many accountants will be to conduct an audit of information held and existing data processes, including how information is received, treated and transferred. This should include an assessment of how data is shared between departments or transferred out of the business. Once the audit has been completed, it should highlight the “at risk” areas that require attention.

Consent and privacy

Individuals should be clear on what they are opting in to receive and how their data is being used. Requests for consent should be easy to understand and individuals should find it easy to withdraw their consent at any stage. Consent requests should use unticked opt-in boxes – positive opt-in rather than an opt-out box is required under the regulation. Once consent has been granted, businesses and practices should regularly review the process and maintain documented evidence of the reviews and their outcome.

Privacy notices should be clear and published on a business’ website. They should inform individuals that their data is being collected, why it is processed and with whom the data is shared. Privacy notices should also be included in forms and letters sent to individuals.

Access to data

The regulation enables individuals to access their personal data and request a copy of the information held, free of charge. However, businesses are able to charge a “reasonable fee” if the requests are “manifestly unfounded or excessive” – in particular if the request is repetitive. The fee should be set based on the administrative cost of providing the data.

Businesses and practices must comply with an information request within one calendar month, extendable by two months for complex requests. Businesses may prefer to put a process in place by which all requests are met within 28 days, ensuring that they complete all requests within the calendar month window.

Requests to correct or update information should also be responded to within one month and businesses should have record management processes in place to carry out such requests.

Evidence of accountability

Businesses and practices must demonstrate how they comply with GDPR, including their approach to data protection and how compliance policies are implemented and monitored. These policies should be regularly reviewed for effectiveness.

All staff members handling personal data should be trained on their responsibilities and businesses should regularly communicate important messages by articles, circulars, posters or in team meetings.

Contracts with data processors should include clauses in line with requirements set out under GDPR. Data controllers are liable for a processor’s compliance with the regulation.

Security and IT

Businesses and practices need to implement security measures appropriate to the level of risk posed to the personal data they hold. IT systems should be kept secure, with adequate time and resources devoted to ensuring that they can process personal data without exposing it to security risk.

Data breaches must be reported to the affected individuals in certain cases. Breach reporting procedures should therefore be put in place, and any breach that is likely to put the rights and freedoms of individuals at risk must be reported to the Information Commissioner’s Office.

Next steps

Once the initial audit has been carried out, businesses and practices will be able to put procedures in place to ensure that all GDPR compliance obligations have been met. Those who are yet to evaluate existing processes should begin to review and plan as a matter of urgency to ensure that personal data is handled in line with the requirements. With little over two months until the regulation becomes effective, businesses and practices should prioritise GDPR compliance, ensuring that training, governance and IT security are all in place ahead of 25 May.

Register for our GDPR webinar to hear our experts discuss how accountants can prepare for and comply with GDPR.
