Preparing for the General Data Protection Regulation (GDPR)

A lot of generic information has been written about the GDPR and the fact that it comes into effect across the EU on Friday 25 May 2018.

According to the Economist newspaper website, ‘GDPR is not a matter of fix it and forget it. The new regulations mandate organisation-wide personal data awareness from data protection officers down to database administrators. GDPR will require ongoing governance of data as organisations migrate to new systems or apply their consumer data to new markets and consumer trends. Initial compliance is the first heavy lift. Ongoing governance is the long-term reality.’ Elsewhere, Ludwig Siegele, IT Technology Editor of the Economist, writes that the GDPR ‘will be one of the most important pieces of legislation brought into force in 2018’.

It’s important to recognise that the legislation applies only to personal data of living EU citizens (living anywhere in the world) and not to data about non-EU citizens, EU corporate entities or other types of non-human EU entity, like trusts.

What about GDPR for accountants? We are busy preparing checklists and updates to typical required terms and conditions in client letters of engagement and these will be available later on this website.

In the meantime, as Step 1 to help in your preparation, you need to analyse the types of personal data that your accounting firm handles, as it is to this type of data that the GDPR rules will apply.

There are probably fifteen categories of people for whom accountants may hold personal data:

1. Business Partners/Directors in the firm who are living natural persons
2. Current clients and their family members who are living natural persons, including their Anti-Money Laundering data
3. Employees of clients for whom we may process payroll etc.
4. Former clients and their former employees for whom we may have processed payroll etc. in the past
5. Prospective clients (on a mailing list, for example)
6. Prospects not yet on a mailing list – perhaps on business cards, sitting in the drawer of your desk
7. Introducers of potential clients e.g. local law firm/estate agent
8. Suppliers such as recruitment agencies
9. Outsourced providers of services to your business e.g. payroll, bookkeeping businesses with which we may share client data
10. Associates e.g. through accounting and other Networks like BNI
11. Sub-Contractors
12. Existing staff
13. Former staff
14. Job applicants
15. Other ‘Contacts’ not already included on the above lists, including complainants, correspondents, enquirers.

Once the above list is complete, the next step will be to identify the location(s) where that data is held, whether in paper or electronic format, and how secure that location is.

The ‘Right to Be Forgotten’ and how it affects AML client screening

A landmark EU data protection judgment in 2014 on the ‘right to be forgotten’ has affected the ability to use Google and other well-known search engines to carry out anti-money laundering (AML) due diligence.

On its own, Google is not a sufficient anti-money laundering (AML) risk screening tool, as some search results could be incorrect or out of date. But now, considering the 2014 ‘right to be forgotten’ case (see more below), Google may no longer reliably tell you if your customer is a known criminal who could pose a risk to your business.

If your customer is determined to find a way round due diligence checks, they can easily do so. With websites like where fake ID may be purchased, at least the same amount of resources needs to be focused on ongoing monitoring, and on training staff to recognise ‘red flags’, as is spent on initial AML screening.

The ‘right to be forgotten’ case relates to Mario Costeja González, a Spanish citizen who, in 2010, lodged a complaint against Catalonia’s leading daily La Vanguardia. In 1998 the paper printed an auction notice relating to the forced repossession of his home. González argued that since the issue had been completely resolved in the intervening twelve years, the information was now irrelevant and should be removed, both from the paper’s digital archives and from the search results of Google Spain or Google Inc. The ruling by the European Court of Justice (ECJ) followed a referral from the Spanish courts.

The judgement found that even if the physical server of a company processing the data is located outside Europe, EU data protection rules apply to search engine operators if they have a branch or a subsidiary in a Member State. Search engines are deemed to be controllers of ‘personal data’ (data about living human beings).

Following this judgement, individuals have the right, based on certain conditions, to ask search engines to remove links with personal information about them. This applies where the information is inaccurate, inadequate, irrelevant, or excessive for the purposes of the data processing.

In this case, the court found that González’s right to data protection was not trumped by Google’s economic interests, and so the ‘right to be forgotten’ (or, technically, ‘the right to erasure’) was born in its modern form. (It should be noted that the court also stressed that the right to be forgotten is not absolute and must be balanced against other rights like the freedom of expression.)

This has obvious implications for entities conducting adverse media searches as part of their AML customer due diligence process, although the rules don’t apply to politically exposed person (PEP), sanctions and watch lists, where they are maintained by independent providers and authorities.

Most AML legislation relating to customer due diligence allows entities the defence of having followed proper procedures and lacking reasonable grounds for suspicion. There is no case law yet, but the likelihood is that if an entity found itself under investigation by a regulator for providing services to a money launderer, but could demonstrate that it had conducted thorough due diligence and missed information only because it had been removed from search results under the right to be forgotten, this would be sufficient to avoid prosecution.

To hear more about the latest in AML legislation and procedures and to benefit from our up-to-date training, come to our next CPD Seminar on Anti-Money Laundering at the Talbot Hotel Stillorgan, County Dublin on Tuesday 28 November 2017.

More details of all our courses are on Ticket Tailor here.