ACCOUNTANTS IN PRACTICE

Contents
4 What is GDPR?
6 Client related issues
11 Staff related issues
12 Marketing related issues
14 Other practical issues

This guide to GDPR was produced for the ICPA by Armstrong Media (07970 426789).
For details contact The ICPA, Imperial House, 1a Standen Avenue, Hornchurch, Essex RM12 6AA.
Call: 0800 074 2896 Email: info@icpa.org.uk Web: www.icpa.org.uk
GDPR ICPA guide

Trying to shine a

The reasoning behind the ICPA asking Mark Lee and Armstrong Media to produce this booklet in March, on the eve of the launch of the GDPR on 25 May 2018, was to bring a level of honesty to the debate which, thus far, has been the reserve of organisations with something to sell, or purporting to have all the answers. In fact, they have very few, and we’ve seen scaremongering almost on the scale of the ‘millennium bug’.

Yes, GDPR is coming on 25 May 2018 but here and now there are still so many gaps in our knowledge that I feel it appropriate to replicate a few quotes that I feel are important to take on board:

• “Sadly there are no quick and simple ways to ensure that you are compliant with GDPR” – Mark Lee

• “At the time of writing the exact impact of the GDPR isn’t yet known. For example, we lack practical examples of what agencies such as the Information Commissioner’s Office are likely to find acceptable or objectionable, and some of the wording of the GDPR legislation is open to interpretation.” – Sage

• “Members may like to be aware that ‘Engagement letters for tax practitioners’ are currently being worked on jointly by AAT, ACCA, ATT, CIOT and STEP. A number of changes are required including legislative changes such as the EU General Data Protection Regulation (GDPR). The working party of these professional bodies is working towards issue of the updated guidance and template letters in early summer 2018.” – Joint Working Party statement from AAT, ACCA, ATT, CIOT and STEP (1/02/2018)

• “You won’t need consent for

No silver bullet
So as you can see from just these few statements, at this moment in time there is no silver bullet that will work for every practice; there is no one single checklist that covers every eventuality because each and every practice is different; and each and every practice works and uses data in myriad ways.

What is important, in March 2018, is that you start working towards compliance and that you start thinking about your systems, the data you hold, why you hold it and for how long, putting into place systems and documents that record what you do, why and how you do it and under what authority.

As time passes, more and more information will be available and the ICPA will do everything we can to help our members but for now make a start on your GDPR journey with this booklet.

Tony Margaritelli, Chair, ICPA
ICPA guide to… GDPR

Part one: What is GDPR?

O… individuals. Within the GDPR there are large changes for the public as well as businesses and bodies that handle personal information. The Information Commissioner’s Office will enforce GDPR in the UK.

Individuals, organisations and companies that are either ‘controllers’ or ‘processors’ of personal data will be covered by the GDPR. “If you are currently subject to the Data Protection Act, it is likely that you will also be subject to the GDPR,” the ICO says on its website.

Both personal data and sensitive personal data are covered by GDPR. Personal data, a complex category of information, broadly means a piece of information that can be used to identify a person. This can be a name, address, IP address, email address, and so on. Sensitive personal data encompasses genetic data, information about religious and political views, sexual orientation, and more.

In the past 12 months, there have been many massive data breaches, including millions of Yahoo, LinkedIn, and MySpace account details. Under GDPR, the “destruction, loss, alteration, unauthorised disclosure of, or access to” people’s data has to be reported to a country's data protection regulator – in the case of the UK, the ICO – where it could have a detrimental impact on those who it is about. This can include, but isn't limited to, financial loss, confidentiality breaches, damage to reputation and more. The ICO has to be told about a breach 72 hours after an organisation finds out about it and the people it impacts also need to be told.

For companies that have more than 250 employees, there’s now a need to have documentation of why people’s information is being collected and processed, descriptions of the information that is held, how long it’s being kept for and descriptions of technical security measures in place.

As well as putting new obligations on the companies and … individuals a lot more power to access the information that's held about them. At present a Subject Access Request (SAR) allows businesses and public bodies to charge £10 to be given what’s held about them. Under the GDPR this is being scrapped and requests for personal information can be made free-of-charge. When someone asks a business for their data, they must stump up the information within one month. Everyone will have the right to get confirmation that an organisation has information about them, access to this information and any other supplementary information.

As well as this the GDPR bolsters a person's rights around automated processing of data. The ICO says individuals “have the right not to be subject to a decision” if it is automatic and it produces a significant effect on a person. The new regulation also gives individuals the power to get their personal data erased in some circumstances. This includes where it is no longer necessary for the purpose it was collected, if

Be prepared
To help prepare for the start of GDPR, the ICO has created a 12-step guide – you can find it at https://tinyurl.com/j492h8x. The guide includes steps such as updating procedures around subject access requests, and what should happen in the event of a data breach.

As well as this guidance, the ICO has created a telephone helpline to help small businesses prepare for GDPR (call 0303 123 1113 and select option 4). The service provides answers about how small companies can implement GDPR procedures and started in November 2017.

• The ICO’s website has a vast array of resources too numerous to list here, with a dedicated section on GDPR (https://ico.org.uk).
• Copy supplied by Armstrong Media
Part two: Client-related issues

As accountants we are already conscious of the need to keep client data confidential. GDPR requires more than this. We must also keep it secure, retain it only for as long as necessary and only where we have authority to do so. And we are obliged to evidence that we have the necessary procedures in place to ensure we are and remain compliant with the law.

As regards clients, your systems probably hold personal data as regards current clients, former clients and prospective clients. In each case, ‘personal data’ includes the information you hold as regards individuals currently involved with, employed by or part of client businesses, and similar such data you hold regarding ex-clients and prospective clients.

One of the major new obligations introduced by GDPR is to retain evidence as to HOW you comply with the legislation. It is not sufficient to either state simply that you are compliant or even to ensure that you are compliant.

Where are you now?
The starting point is to, effectively, audit your systems and records. You need to be clear and to keep a record as to how you obtain the client data you hold, where it is held, who has access to it, who you share it with, how long you retain it, how you keep it up-to-date and how secure it is (in all the various places it can be accessed).

If you have staff you may find it helpful to ‘brainstorm’ this issue with them. After all, they will need to be aware of the new obligations, too. If you have access to a whiteboard you can use this to build up a full picture (literally) of all the sources of data, what happens to it and where it is retained, etc.

You evidently have your clients’ consent to process and use their personal data to provide your services to them. BUT this does not automatically extend to any marketing or updates you send to all clients.

Tony’s Tip #1
Break down your data locations by the software and function that the software controls. Most practices will have data held as processors on behalf of their clients such as payroll; bookkeeping and accountancy; tax returns; and company secretarial services. You will most likely be holding data for all of these categories for both current and former clients.
Practices will have data held as a controller for themselves, namely:
• Own payroll – current and former employees
• Money laundering compliance – current and former clients
• Marketing
For each of these functions record:
• Data provider – usually the client
• Location of data
• Staff access levels – who has access?
• Data retention periods – minimum statutory levels, or you may want to set a longer period for safety

Personal data held
You typically hold your clients’ names, physical and email addresses, mobile and other phone numbers and any other online connection details, as well as data to complete their accounts and tax returns, accounts and returns, and any notes you make and retain regarding them and/or their business and family life, etc. Your systems probably also hold their IP address, cookie identifiers and device identifiers.

Tony’s Tip #2
For each function record the data that you hold e.g. for payroll:
• Name
• Address
• NIC Number
• Date of Birth
• Salary rate/scale/annual salary
• Pension provider
• Staff identifier
• Next of kin

Engagement letters
You will need to update your pro-forma letters – to reference GDPR rather than the Data Protection Act (which should have been referenced in your letters in the past!). Beyond that, you will need to include reference to the following that are explained later in this guide:
• your privacy policy and where this can be read.
• your data retention policy (namely, how long you retain personal data generally and especially as regards ex-clients).
• your approach to sending updates and news to clients and whether all clients are required to consent to this. Under GDPR, you cannot assume their consent. Explicit consent needs to be obtained from each client.

GDPR related guidance for engagement letters is still awaited from most accountancy bodies – who are themselves awaiting further guidance from the ICO.

Tony’s Tip #3
We still await detailed guidance from the major institutes on this but feel free to mention the items Mark details within your letters in the meantime.

Your systems
You will also need to establish and record the systems you use to keep track of any new personal client data you obtain after 25 May 2018. The places you hold clients’ personal data may include the following, which will all need to be considered in terms of security and when it comes to deleting data:
• Email system (names, email addresses and the contents of emails with those people).
• Tax return software.
• Bookkeeping software.
• Microsoft or similar programmes (word processing, spreadsheet and databases especially).
• Payroll software.
• Practice management system.
• Practice accounting system (especially regarding invoicing and debtors).

… held is pretty exhaustive and you need to work from the list and note how you make sure the data is secure. If held in the cloud contact them and obtain details of security provisions. If you hold data on your system detail backup procedures and how you secure the data and the backups. It could be as simple as locking it up in a drawer.

Third parties
List all of the third-party service providers that hold or process client data for you. They will typically be your ‘data processors’ and your firm remains responsible for the data concerned.

You will then need to ask the data processors to confirm their security arrangements and compliance with GDPR. If you use a spreadsheet for your list you will be able to keep it up-to-date showing who has confirmed their compliance and any testing you do to ensure that their assertions can be relied upon.

We anticipate that most of the major data processors will volunteer this information to UK users over the coming months but you should not rely on this happening.

Evidence
As you are required to be able to evidence your compliance with GDPR you should retain a record of your ‘audit’ and of your conversations with third parties, and of your conclusions so that you can produce these if required.

You will want to be able to prove that you were aware of your obligations and that you have put in place proportionate measures to comply with the law – especially pending the issuance of further guidance from the Information Commissioner’s Office (ICO).

Where should you retain the record of your audit and ongoing compliance?
On a spreadsheet or document stored on your server, in a Dropbox folder in the cloud, in Evernote, MS Onenote or any other secure online facility.

Really personal data
There have been cases of small businesses being penalised by the ICO even before GDPR comes into force. Typically, this happens where personal credit card, pension or medical data has been hacked and then misused.

Example: In one case, a small video production company was fined £60,000 because they could not evidence that they had checked the assertions they had received from the company that built their website. The web company had assured the video company that personal credit card data wasn’t stored – but it was, and it was accessed when the website was hacked.

If clients can pay you by credit card through your website you will need to clarify whether or not you (via the website) retain the related personal data as part of your data audit. You must record and retain your conclusions as to security and compliance.

Children
If you obtain and retain personal data about clients’ children you will be subject to additional restrictions and obligations, which are outside the scope of this document.

Lawful processing of client data
There is some good news about the personal data you hold in respect of your clients in the context of GDPR. This is that you will typically have clients’ express consent and authority to ‘process’ their data for the purposes of the services they have agreed you should provide.

This does not mean that you automatically have your clients’ consent to send marketing materials to them. Nor does it automatically cover the data you retain as regards ex-clients and prospective clients.

Guidance is still awaited from ICO as regards the exemption that might allow you to process data for the staff employed by or linked with your business clients, your ex-clients and prospective clients under the ‘legitimate interests’ exemption. For now, it will probably suffice to have a summary record of what data you hold, where, how secure it is and how long you retain it for.

Transmission of client data
Some accountants have stopped sending private data by email. Instead, they use secure portals accessed via their website. If you do this you will still need to check and confirm the integrity and security of the systems you use in this connection.

You will also need to do this if you send private data to clients (or third parties) by email or you use third party storage systems such as AWS, Dropbox or Google Drive.

Guidance is still awaited from ICO as regards the extent to which you will be required to encrypt personal data before sending it via email and when using third party systems to store such data.
Part three: Staff-related issues

There are two key practical issues to consider if you have staff. The first is to ensure that they have sufficient training to understand the law related to GDPR. The second is for you to be aware that the personal data you hold regarding your staff and ex-staff is also protected by GDPR.

Staff training
The ICO has published a useful training checklist for SMEs containing a simple list of topics you should address with your staff under the following headings:
• Keeping personal information secure.
• Meeting the reasonable expectations of customers and employees.
• Disclosure of customer personal information over the telephone.
• Handling requests from individuals for their personal information (‘subject access reports’).
See https://ico.org.uk/

… employ? And so on.

Prospective staff
It has long been common practice to hold onto candidate details even if there is no current vacancy they can fill.

Going forward, your firm will need to set and then comply with an agreed policy as regards how long you retain such details. It may well be easiest to simply agree that everyone in the firm should destroy all such personal data once the vacancy in question has been filled.
Part four: Marketing-related issues

Part five: Other practical issues