How can accountants prepare to comply with GDPR?

With the regulation set to take effect from 25 May this year, what do accountants need to do to ensure that they’re fully prepared and in compliance with GDPR?

GDPR is fast approaching with the regulation set to take effect from 25 May this year. Aiming to harmonise data privacy laws across Europe and strengthen the protection of data, the regulation imposes new requirements on companies that process and hold personal data.

If controllers and processors of data fail to comply with the new regulation, they face heavy penalties up to a maximum of 4% of annual global turnover or €20m, whichever is greater. So what do accountants need to do to ensure that they’re fully prepared and in compliance with GDPR?

Data Protection Act

An important point for practices and businesses to note is that many of the principles contained in the current Data Protection Act (DPA) will still apply under GDPR. Therefore, those who are already in compliance with the act will not have to start from scratch, but can retain many of their current processes once GDPR has taken effect. Yet, GDPR does introduce new standards, so even accountants who are fully compliant with the DPA will need to make some changes.

Data audit

The first step for many accountants will be to conduct an audit of information held and existing data processes, including how information is received, treated and transferred. This should include an assessment of how data is shared between departments or transferred out of the business. Once the audit has been completed, it should highlight the “at risk” areas that require attention.

Consent and privacy

Individuals should be clear on what they are opting in to receive and how their data is being used. Requests for consent should be easy to understand and individuals should find it easy to withdraw their consent at any stage. Consent requests should use unticked opt-in boxes – positive opt-in rather than an opt-out box is required under the regulation. Once consent has been granted, businesses and practices should regularly review the process and maintain documented evidence of the reviews and their outcome.

Privacy notices should be clear and published on the business's website. They should inform individuals that their data is being collected, why it is processed and with whom it is shared. Privacy notices should also be included in forms and letters sent to individuals.

Access to data

The regulation enables individuals to access their personal data and request a copy of the information held, free of charge. However, businesses are able to charge a “reasonable fee” if the requests are “manifestly unfounded or excessive” – in particular if the request is repetitive. The fee should be set based on the administrative cost of providing the data.

Businesses and practices must comply with an information request within one calendar month, extendable by two months for complex requests. Businesses may prefer to put a process in place by which all requests are met within 28 days, ensuring that they complete all requests within the calendar month window.

Requests to correct or update information should also be responded to within one month and businesses should have record management processes in place to carry out such requests.

Evidence of accountability

Businesses and practices must demonstrate how they comply with GDPR, including their approach to data protection and how compliance policies are implemented and monitored. These policies should be regularly reviewed for effectiveness.

All staff members handling personal data should be trained on their responsibilities, and businesses should regularly communicate important messages through articles, circulars, posters or team meetings.

Contracts with data processors should include clauses in line with requirements set out under GDPR. Data controllers are liable for a processor’s compliance with the regulation.

Security and IT

Businesses and practices need to implement security measures appropriate to the level of risk to the personal data they hold. IT systems should be secure, with adequate time and resources spent ensuring that they can process personal data without exposing it to unnecessary security risk.

Personal data breaches must be reported to the affected individuals in certain cases. Breach reporting procedures should therefore be put in place; any breach that is likely to put the rights and freedoms of individuals at risk must be reported to the Information Commissioner’s Office.

Next steps

Once the initial audit has been carried out, businesses and practices will be able to put procedures in place to ensure that all GDPR compliance obligations have been met. Those who are yet to evaluate existing processes should begin to review and plan as a matter of urgency to ensure that personal data is handled in line with the requirements. With little over two months until the regulation becomes effective, businesses and practices should prioritise GDPR compliance, ensuring that training, governance and IT security are all in place ahead of 25 May.
