Preparing for the General Data Protection Regulation (GDPR)
A lot of generic information has been written about the GDPR and the fact that it comes into effect across the EU on Friday 25 May 2018.
According to the Economist newspaper website ‘GDPR is not a matter of fix it and forget it. The new regulations mandate organisation-wide personal data awareness from data protection officers down to database administrators. GDPR will require ongoing governance of data as organisations migrate to new systems or apply their consumer data to new markets and consumer trends. Initial compliance is the first heavy lift. Ongoing governance is the long-term reality.’ Elsewhere Ludwig Siegele, IT Technology Editor of the Economist writes that the GDPR ‘will be one of the most important pieces of legislation brought into force in 2018’.
It’s important to recognise that the legislation applies only to personal data of living EU citizens (living anywhere in the world) and not to data about non-EU citizens, EU corporate entities or other types of non-human EU entity, like trusts.
What about GDPR for accountants? We are busy preparing checklists and updates to typical required terms and conditions in client letters of engagement and these will be available later on this website.
In the meantime, as Step 1 to help in your preparation, you need to analyse the types of personal data that your accounting firm handles, as it is to this type of data that the GDPR rules will apply.
There are probably fifteen categories of people for whom accountants may hold personal data:
1. Business Partners/Directors in the firm who are living natural persons
2. Current clients and their family members who are living natural persons including their Anti- Money Laundering data
3. Employees of clients for whom we may process payroll etc.
4. Former -clients and their former employees for whom we may have processed payroll etc. in the past
5. Prospective clients (on a mailing list for example)
6. Prospects not yet on a mailing list – perhaps on business cards, sitting in the drawer of your desk
7. Introducers of potential clients e.g. local law firm/estate agent
8. Suppliers such as recruitment agencies
9. Outsourced providers of services to your business e.g. payroll, bookkeeping businesses with which we may share client data
10. Associates e.g. through accounting and other Networks like BNI
12. Existing staff
13. Former staff
14. Job applicants
15. Other ‘Contacts’ not already included on the above lists including complainants, correspondents, enquirers.
Once the above list is complete, the next step will be to identify the location(s) where that data is held, whether in paper or electronic format, and how secure that location is.