GDPR came into force on 25th May 2018, but there still seems to be confusion about what GDPR actually is. Below we go through the GDPR FAQs we have been receiving from our clients, and end this blog with a summary of how we have adopted GDPR ourselves.
What is GDPR?
GDPR is the General Data Protection Regulation, an EU regulation which came into force on 25th May 2018. In the UK it replaces the regime of the Data Protection Act 1998 (the Data Protection Act 2018 now sits alongside GDPR in UK law).
When the Data Protection Act 1998 was written, digital data was far more limited and personal computers far less widespread than they are today. GDPR is a 21st century framework for the processing of personal data.
What information does GDPR apply to?
GDPR applies to any personal data about an individual in the EU (the test is where the individual is, not their citizenship). As well as the obvious name, address and date of birth, GDPR explicitly includes online identifiers such as IP addresses, cookie identifiers and location data.
For example, our generic email address email@example.com IS NOT personal data, as it does not relate to any identifiable person. However, an address in the form firstname.lastname@example.org IS personal data. Even though it is a company email address, it makes it possible to identify a person, because it clearly relates to a named individual (in our example, Michael) working for Patterson Hall Accountants.
Who does GDPR apply to?
GDPR applies to all organisations processing personal data about individuals in the EU. Therefore even organisations based outside the EU must be GDPR compliant if they offer goods or services to individuals in the EU, or monitor their behaviour.
What about Brexit and GDPR?
This is EU legislation, so what happens after Brexit isn't yet clear. For the time being the UK is in the EU, and with the transition period predicted to last two years we will remain under EU legislation for a few years yet.
Post Brexit, any organisation which offers goods or services to individuals in the EU (the 27 remaining countries) must be GDPR compliant anyway. It is less clear for organisations which operate 100% in the UK post Brexit, but the assumption is that GDPR (or a very similar version) will be carried over into UK law.
Does GDPR only apply to digital processing?
GDPR is not just about digital processing. Old fashioned paper documents are still covered by GDPR if they are part of a 'relevant filing system', that is, records structured so that information about a particular individual can readily be found. A filing cabinet of client records or an address book of contact details must therefore be considered under GDPR.
What are the penalties for non-compliance?
The penalties for non-compliance are huge. Fines can be up to €20 million or 4% of annual global turnover, whichever is higher. These are the maximum fines which can be imposed, and they are reserved for the most serious cases of non-compliance.
GDPR guidance – things to consider
Personal data considerations:
- What Personal Data does your organisation hold?
- Where is it kept?
- How do you use it?
- How long do you keep it for?
- Do you share this data?
- Do you need it?
- How secure is the personal data?
- Are firewalls, anti-virus software and email security all in place?
- How are documents shared?
- Transporting documents – are USB pens encrypted? Is data on laptops encrypted?
GDPR – What we’ve done
As a firm of Chartered Accountants we must comply with GDPR. Below are just a few of the things we have introduced to make us GDPR compliant. Not all of these will apply to your organisation, but they may help provoke ideas for you to consider.
Engagement letters – All of our clients will be issued with new engagement letters which are GDPR compliant. The engagement letter is the contract between ourselves and the client which ensures that we have consent or a legal requirement to carry out those services.
Cookies policy – Our website uses Google Analytics and for this reason we have updated our cookies policy to be GDPR compliant. Our website also includes a Cookies popup policy.
Cloud security – When setting up the business, one of our biggest concerns was the security of client data. For this reason we opted for a hosted desktop solution instead of owning our own server. We aren't IT experts, so our preference was to outsource this completely. We opted for HDUK as they had the strictest security procedures.
Client Portal – Our website now has a client portal which we use to exchange and approve documents. This is another way of ensuring that our client data is secured even whilst in transit.
USB flash pens – We only hold data on USB flash pens whilst transferring data from clients premises to our own or vice versa. To minimise unauthorised access the data is deleted after it has been transferred. All data held on USB flash pens is held in an encrypted folder which requires a password to access.
Laptops – Like most organisations we use laptops whilst out at clients. To reduce the risk of unauthorised access no data is ever stored on a laptop.
Payroll software – We prepare the payroll for numerous clients, which includes emailing payslips to our clients' employees. These payslips are now all encrypted and password-protected.
Marketing emails – We don't yet send any marketing emails. But it is a popular topic, and we expect that within the next few months we will commence a news / tax tips email service. As part of offering accountancy services we already hold email addresses for clients, but do we have consent to opt them in to our email service? This is debatable, as the email address was given freely for a different service. For this reason, when our email service commences we will not automatically enrol anyone, but will instead offer them the opportunity to opt in. This is another step towards ensuring our GDPR compliance.
GDPR – Conclusion
The ICO is the UK’s independent authority responsible for upholding GDPR and other data protection legislation. They have stressed that they do not expect every organisation to have all their GDPR policies in place in May 2018. But they do expect organisations to have at least made a start.
Therefore don’t worry if your organisation is not yet fully GDPR compliant. But also don’t be complacent and ignore GDPR altogether.
The above is just a summary of GDPR. For further guidance visit the ICO website.
DISCLAIMER – Please note that the content contained in this article is for general information only and is not a substitute for professional advice – read our full disclaimer