Data from children
For those practices that hold children’s personal data, special care is needed, as GDPR requires parental consent for processing children’s personal data. Controllers should obtain the consent of a parent or guardian when processing the personal data of a child under the age of 16 and they also must make “reasonable efforts” to verify that a parent or guardian has provided the appropriate consent.
With GDPR, additional mandatory clauses are needed in supplier contracts, and the terms are much more detailed. All existing contracts will need to be reviewed, prioritised and amended to ensure all elements are present, and any contracts in place on the 25th May 2018 will need to meet the GDPR requirements. A possible solution would be to send an addendum to existing suppliers and, for new suppliers, to review template contracts to ensure GDPR requirements are included.
What does the law require with regard to data retention?
GDPR builds on and adds further detail to existing Data Protection Principles, and the law requires firms to:
- Process personal data lawfully, fairly and in a transparent manner
- Collect personal data only for specified, explicit and legitimate purposes
- Ensure personal data is adequate, relevant and limited to what is necessary
- Ensure that personal data is accurate and up to date
- Not store personal data for longer than necessary
- Ensure appropriate security for personal data
- Appoint a data protection officer for certain types of organisation
- Ensure policies/procedures are proportionate to controller’s business and risks
- Maintain appropriate records to demonstrate compliance
GDPR and Making Tax Digital – a natural marriage
What have GDPR and Making Tax Digital got in common? From the accountant’s perspective, it is all about the collection of data in a digital format and how to resolve the complexities of converting huge volumes of records into a format considered acceptable by HMRC.
To thrive in this digital world, we firmly believe that new approaches and new tools are required. That’s why we have developed ‘Collect’, which forms part of the accountant’s own branded App and sits on the client’s smartphone or tablet. It’s designed for those clients who are non-VAT registered, employ no staff and may find digital record keeping with standard bookkeeping cloud packages a daunting experience. Collect enables them to enter data using the App and is as easy to use as social media Apps like Facebook.
Data is collected in real time, and it is then up to the accountant to review the figures, approve them and, with one click, submit them to HMRC. This is the efficient, GDPR-compliant way to manage clients’ MTD affairs.
There is a compelling opportunity for all firms, large and small, to reboot their data protection and privacy processes and turn to digital technology to prepare for GDPR and MTD. An inclusive, compliant App platform that reflects the importance the firm places on privacy will deepen digital trust, make clients feel more secure when they give their personal data to the firm and help enhance the practice’s reputation.