GDPR – One month to go

Today marks the start of the final month before the General Data Protection Regulation (GDPR) comes into force, with the Association of Accounting technicians (AAT) providing five tips on what businesses should do if they have not taken any action to date.

Although the GDPR is not far away there is still time to get processes in place to be compliant with the new data regulations.

Penalties for non-compliance with the GDPR are up to €20m (£17.4m) or 4% of global annual turnover, whichever is higher. However, the UK’s Information Commissioner, Elizabeth Denham, has previously stated that the government will show leniency to businesses that have demonstrated attempts to implement the GDPR even if they are not fully complaint.

AAT has outlined five things businesses could benefit from doing in the next month:

1) Know what data you currently hold

The GDPR deals with the way organisations process, share and retain data. Therefore, the first step has to be a full review of all personal data you currently have on file.

Under the new regulations, any clients can request that the data you hold on them is deleted – this is the term ‘right to be forgotten’. As a result it is best that all personal data is filed somewhere where it can be easily retrieved and erased, if needs be. Equally, they are able to ask about the extent of their personal data that you have, even if they do not want it erased.

Even if a client does not get in touch, under GDPR you are only allowed to retain data while there is a specific need to do so. So if you have a client who no longer uses your services, for example, that may be the cue to delete personal information you may hold on them.

2) Put procedures in place to deal with a breach

All firms who use email as a form of sharing personal data with external parties have to consider what they would do in a situation of a breach (e.g., sending an e-mail to the wrong person). Processes are required to respond to any breach of data which generally includes reporting the breach to the ICO within 72 hours and holding a system that records all breaches that occur.

3) Check your online security methods

Existing data protection rules require appropriate technology and training to be in place to protect shared information.

The ICO recommends encryption on all PCs and electronic devices, which will include encrypting any e-mails that you issue which may include personal data. Note that encryption is only a suggestion, it’s not a requirement.

4) Appoint a senior staff member to look after data protection

Every firm needs to ensure that someone holding a senior position has overall responsibility for the business’ data protection compliance.

Public authorities, or companies whose core activities consist of large scale processing of special categories of data, or who regularly monitor individuals, have a requirement to formally appoint a data protection officer. While this should not be the case for most small accounting firms, you are able to voluntarily appoint a data protection officer should you wish to do so.

5) Educate your staff

All employees need to be aware of the GDPR so that there is an awareness of where personal data is filed, where future saving of data should be made, and how long it should remain held for. This will also ease the process if a client asks for their personal data as you can be more confident that staff members are not keeping data in incorrect places.

Accountancy Daily