GDPR – Implementation Steps – Part 2 of 2

Helping you with your GDPR implementation, here are some final steps every accountancy firm can take to ensure they are GDPR compliant by 25 May 2018.

What to do next

  1. Update documentation and put procedures in place to ensure you’re compliant and can cope with data requests, the right to be forgotten and data breaches. Data breaches are now reportable to the Data Protection Commissioner’s Office within 72 hours if the breach is likely to have a detrimental effect on an individual, whether reputational damage or financial loss.
  2. Consider deleting any information you don’t need to hold to remove the risk.
  3. Monitor systems and procedures on an on-going basis. GDPR is not a one-off exercise. It needs to become embedded in every firm’s culture and day to day operations.
  4. Consider how the change in regulation will affect your clients and how you can help them through it.

Clients may look to you for advice and, depending on their business, implementation could require considerable time and monetary investment on their part to ensure that they are compliant. Clients can benefit from your own implementation experiences.

For more practical hints and tips on data protection and to get you started on your preparations for 25 May, please come to one of our series of courses on the ‘General Data Protection Regulation – What Accountants Need to Know’ at the Talbot Hotel, Stillorgan, County Dublin on one of the following dates:

Wednesday 18 April 2018 2pm to 5pm

Wednesday 30 May 10am to 1pm

GDPR – Implementation Steps – Part 1 of 2

Helping you with your GDPR implementation, here are some steps every accountancy firm can take to ensure they are GDPR compliant by 25 May 2018.

What to do now

  1. Appoint someone internally to take control of understanding the new regulation and how it will affect your practice. Organisations with fewer than 250 employees are not required by law to appoint a data protection officer (DPO), but someone needs to ensure you’re compliant.
  2. Perform a data audit to understand and formally record:
  • the type of data you hold; and
  • where it is held.

This requirement is quite far reaching when you think about it – accounting and tax software, audit software, payroll software, practice management systems, network drives, C and D drives and of course, paper accounting, tax, company secretarial and audit files.

The review will need to extend to the many individual devices on which information is stored – e.g. laptops, desktops, tablets, phones and memory sticks. You can’t put processes in place until you know what you’ve got and where it’s located.

  3. Think about security processes – physical security and IT backup procedures.

Most good IT support firms and software houses will be ready to guide you through the technical bits. You will need to check contracts with third parties who hold data on your behalf, including software providers and cloud-based services (known in the legislation as data processors). It will be important to understand where they hold the data and to ensure that they are GDPR compliant.

Data Protection – A minefield to be negotiated

The 25 May 2018 deadline for GDPR implementation looms ever closer.

It is vital that all accountants and their clients have at least a basic understanding of the new Data Protection Regulation (GDPR) that will come into effect from 25 May 2018.

Here is another in our continuing series of tips on how best to implement the new rules.

Right to be forgotten

GDPR introduces a new ‘right to be forgotten’ giving individuals (essentially former clients and employees) the right to request that all their personal data be deleted.

How does this affect the typical accountancy firm holding data for money laundering identity checks and information held within the firm’s own accounting records?

It has been confirmed that this new right is overridden by statute – i.e. an individual cannot require you to delete information from your due diligence and internal accounting records, when there is an overriding statutory requirement for holding that data.

How much personal data you would hold purely for accounting purposes is, however, questionable. If you’re holding information over and above what’s required by law (for example, for more than five years after the client has left the firm, for AML purposes) for some other purpose, then you would have to consider the legal basis for holding it and the individual’s rights.

For more practical hints and tips on data protection and to get you started on your preparations for 25 May, please come to our course on the ‘General Data Protection Regulation – What Accountants Need to Know’ at the Talbot Hotel, Stillorgan, County Dublin on the following date:

Wednesday 30 May 10am to 1pm

GDPR – Be Practical!

Small accountancy practices, like any other SME will need to ensure they have written policies and procedures in place on time to implement the requirements of the GDPR by 25 May.

Here are some more ideas for some practical implementation steps firms may be able to take.

Privacy notices

Privacy notices are used to inform individuals that you hold their data, how, why and where it is held, and what their rights are. You can provide this information in various ways, e.g.:

  • by updating employment contracts;
  • updating the terms in letters of engagement;
  • updating your website; or
  • any other method you feel is appropriate e.g. client newsletters.

Guidelines from the Data Protection Commissioner require privacy notices to be clear, concise, and easily accessible.

Current wording in the above documents is likely to refer to the Data Protection Acts 1988 and 2013; it is unlikely to comply with the new requirements and will require revision.
