The General Data Protection Regulation (or GDPR) is new data protection legislation that comes into effect on 25 May 2018. The headline grabbing change is that the maximum fine for non-compliance is 4% of turnover or €20 million (approximately £17m) whichever is the greater. This is a huge increase in the current maximum fine of £500k. Alongside this, GDPR introduces a raft of new obligations.
As professionals dealing with important client information, client confidentiality will no doubt be taken very seriously. But is this enough? Many of the provisions of GDPR may come as a surprise. In this article, we will explore some of the ways in which GDPR will impact upon your accountancy practice. Remember that you will not just hold personal data about individual clients. At very least you will additionally hold personal data about your employees and personal data about individuals who work for your corporate clients.
- 1. Are you able to demonstrate compliance with GDPR?
- GDPR does not simply require you to comply. It requires you to demonstrate that you have complied. This might include working out what personal data you hold (it is surprising just how many businesses do not even know this), putting in place policies in relation to handling personal data in your key areas of your business and training staff. Indeed, if you are a large firm (250+ employees), you will need to keep formal records about how you handle personal data.
- 2. Do you have systems in place to ensure that personal data is portable (say to another firm), is not kept any longer than is necessary and is not excessive?
- 3. Do you know whether you have the appropriate consents or other grounds to enable you to send marketing information?
- 4. Do you use a cloud based CRM or practice management system? If so, did you know that:
- a. You must carry out due diligence on your supplier to make sure that your supplier gives sufficient guarantees around protecting personal data;
- b. Your contract with the supplier must contain a number of mandatory clauses around data protection; and
- c. You need to check where your supplier’s servers are located as you can only allow personal data to be transferred outside the EU if certain conditions are met?
- 5. Are you a data processor? For example, if you provide payroll services on behalf of a client, you will be a data processor because you will be handling personal data about your client’s employees. If so, did you know that:
- a. Again, you will need to ensure that your contract with your client contains the mandatory clauses;
- b. You must implement appropriate technical and organisational measures to ensure personal data is kept secure (for example this is likely to extend to ensuring that employee pay details being emailed between you and your client are encrypted in some way); and
- c. If acting for a UK subsidiary, you need to check whether the conditions have been met to allow you to transfer personal data, for example names, addresses and pay of your client’s employees, to a parent company outside the EU.
Even if you are complying with current data protection legislation, it is highly unlikely that you can fully comply with GDPR without taking further action. As well as the obvious financial risk, failure to demonstrate compliance with legal requirements, such as GDPR, can affect your professional credibility. 25 May 2018 is not far away and, accordingly, accountants should be taking steps now to ensure that they will be compliant with GDPR by this date.