GDPR Day, May 25, is approaching fast. For most of us, conversations are under way, but have action plans been put in place? Are staff being trained? Is there a data protection lead in place?
The processes seem arduous, but this is for good reason. The new regulation is an update to the 1998 Act that was created out of the EU Data Protection Directive in 1995. So why change it now?
The world was a different place 20 years ago. Amazon launched in July 1995 and, in September of the same year, eBay was launched. The first time you could send a text message with predictive text was in 1993. And most computers had 8MB ram – with an additional 4MB ram costing $400. Since 1995 we’ve seen the launch of Facebook (February 2004) and Twitter (March 2006) among many other platforms we have merrily been handing personal data to.
Cusp of giant disruption
Interaction with our personal data, where it was hosted, and our buying habits were on the cusp of giant disruption. We didn’t think about where our data was, who was using it or even if it was being bought and sold as a commodity.
Comparing our world with now, it’s easy to see why the previous laws are outdated and the reason GDPR is coming into force – to replace and strengthen the Data Protection Act.
There are several requirements for GDPR, but these can be grouped into three principal areas:
Train staff to ensure they understand the regulations and make the practice compliant – it is the responsibility of everyone who deals with personal data. To put it another way, if a client phones and asks where their personal data is held, would everyone know?
Assign a data protection lead to ensure someone has GDPR front of mind and has the authority to make changes and advise the managers to implement change, as well as provide ongoing training. Everyone in a practice also needs to understand how to respond if a ‘data breach’ occurs.
Auditing existing processes determines how data is used, handled and shared within the practice and with clients.
Ensure passwords and documents are securely stored (including those on laptops and smart devices) and client engagement letters have been updated.
Accountancy practices should also look at policies to correctly identify callers and ensure there is a process to prevent incorrectly sharing information with the wrong clients.
Making an action plan with deadlines is a must. This should include the creation of data processing records, a data protection policy, a security audit and seeking re-consent where necessary.
You must document what personal data you hold, where it came from, who you share it with and what you do with it. After the audit is complete, it will help resolve any shortcomings to ensure GDPR compliance.
Once policies are defined they need to be documented, shared with staff and become the new ‘business as usual’. It’s good practice to keep your clients aware of the progress you have made.
There is a plethora of resources available to help with compliance. The Information Commissioner’s Office (ICO) provides good general business advice, including templates to document where all personal data is stored. For accountancy practice specific information, there are plenty of guides and resources in the IRIS GDPR hub.
Food for thought
Finally, while there are many practices (and businesses) that worry about GDPR being onerous, it’s worth comparing it with food hygiene standards. All food establishments, no matter their size, must comply with hygiene standards.
No one would eat at a café playing fast and loose with hygiene and the same could be said for practices that don’t protect their clients’ data.
The new data protection regulation is now just around the corner, so deciding when to act is not an option. Deciding what to action this week is a priority. We don’t want anyone getting food poisoning, do we?
GDPR in 10 questions…
- As a decision maker, are you aware the law is changing with GDPR?
- Can your company and employees apply the principles of personal data?
- Does your company have the correct procedures to ensure you deliver the rights of individuals under GDPR?
- Is your company holding sensitive data in your systems?
- Does your company have processes to provide all data you hold on a client if requested?
- Can your company demonstrate you have the necessary basis to hold the client data in your systems?
- Do you have the right procedures in place to detect, report and investigate personal data breaches?
- Have you implemented appropriate technical and organisational measures to carry out data protection principles?
- Have you designated a data protection lead in your organisation?
- Outsourcing activities – is your supplier agreement aligned to GDPR?