Eight things we learned about GDPR at Accountex 2018

Accountex 2018 happened to fall in the same week as the GDPR deadline, 25 May, so it was safe to say that it was a hot topic at this year’s two-day conference at Excel, London.

Accountancy Age attended a number of sessions on GDPR, with speakers including Richard George from The Learn Centre, Brendon Wood from Autoentry, Richard McLean from KeyPay, and a panel including speakers from Sage, Milsted Langdon LLP, and GDPR365.

Here’s our key takeaways from the sessions.

1. There are a million and one considerations

Most discussions around GDPR tend to be around how overly complicated it is. The Accountex sessions did confirm that there is a lot to think about, but when it comes down to it, being on top of GDPR is about asking and answering a lot of questions.

What is a data breach, what access do employees and outsourcers have to data, will you employ a Data Protection Officer, what is your data process going to be, and how will you actually manage your employee and client data to be compliant? How do clients wish to be contacted and for what reasons, how will consent be obtained, and how will you provide a client with a report of their data if they ask?

The complexity really just comes in the detail involved and can be solved by planning and organisation.

2. Businesses still aren’t ready (even now)

In the first GDPR session we attended the co-founder of KeyPay cited that 5% of businesses said they wouldn’t be ready for the GDPR deadline.

This is probably down to the fact that in the same survey 40% of businesses said they don’t view GDPR as a priority.

3. What does a data breach actually entail?

A data breach can be anything which includes the loss, corruption, or destruction of data.

The Information Commissioner’s Office (ICO) formally defines it as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a public electronic communications service.”

4. We have a lot of rights over our personal data

In the KeyPay session, attention was drawn to the ‘Big Three’ personal data rights.

The right to be informed, the right to be forgotten (e.g. if you leave a company), and the right to be able to access our data that companies hold on us.

In a later session, Richard George from The Learn Centre revealed even more rights when it comes to personal data.

These include the right to rectification, the right to erasure, the right to restrict processing, the right to object, the right not to be subject to automatic decision-making (in terms of their data), and the right to data portability.

5. The consequences of a data breach are severe

GDPR is policed by the ICO, which takes a reactive approach to data breaches.

An organisation responsible for a data breach must report it to the ICO within 72 hours. Failure to notify the ICO could result in a fine of up to €10 million or 2% of the company’s global turnover. It’s better to err on the side of caution when deciding whether or not to report a breach.

George said: “It is far better to tell the ICO about something they don’t care about than not tell them about something they do.”

What is absolutely key is that you tell the person whose data has been breached first, before even contacting the ICO. Even if it’s a conversation you really don’t want to have!

6. What consent actually means

Consent is actively and freely agreeing to someone else sharing your data.

Companies must therefore ensure that consent is:

• Freely given
• Opt-in: the person must actively tick a box; pre-ticked boxes are not acceptable
• Specific – the person knows exactly what they are agreeing to
• Informed – ensure there is enough information about what will be done with the data
• Unambiguous – be clear in your messaging

7. Children’s data must be considered

When definitely or potentially gathering data from children, companies should verify the age of who they are contacting.

As well as a tick box for the child to agree, there should be a means of parents giving consent.

Language that a child or young person would understand should be used.

8. PECR is for marketing

PECR, the Privacy and Electronic Communications Regulations (PECR), sits alongside the Data Protection Act and GDPR. It gives people privacy rights relating to any electronic communications.

This includes all kinds of digital or electronic marketing forms like calls, emails, instant messages, and texts, as well as cookies. Communications services must be secure.

George summed GDPR up pretty well as three key questions: “What is my process? What is the risk on the individual? How am I mitigating it?” Simple really.