In this extract from a new and informative guide ‘Preparing Your Practice For GDPR’ brought to you by MyFirmsApp, the worldwide number one provider of intelligent Apps to professional firms in 11 countries, we look at what GDPR means to your practice and the close links between GDPR and Making Tax Digital.
What GDPR means to your practice
What is GDPR?
The EU General Data Protection Regulation (GDPR) comes into force on May 25th 2018 and replaces the 1995 Data Protection Directive. It is directly applicable in all EU member states and will apply in the UK despite Brexit. It will affect all businesses that process (i.e. collect, record, use or disclose) data relating to an identified or identifiable natural person (“personal data”) and is an attempt to harmonise data protection laws. While many key principles and concepts remain the same, there are several new prescriptive requirements, and those found to be non-compliant could face fines of up to 20m euros or 4% of annual turnover.
What type of personal data does a practice typically hold?
The new requirement for transparency means firms need to be open about how they process personal data. Privacy notices must be shared with all individuals whose personal data you process and, in essence, should inform those individuals what information you hold on them, how you use it and who you share it with. The most prominent new requirement is that privacy notices must detail the legal bases of processing (e.g. consent, necessary for performance of a contract, legitimate interests). For most firms, this will mean that existing privacy notices will need to be reviewed and updated, and the information in them must be concise, transparent, intelligible and easily accessible.
Here are some examples of personal data typically held by accountants:
HR data (current/former staff, applicants, dependants):
- Contact details (e.g. address, phone number)
- Financial information (e.g. salary, tax codes)
- Recruitment information (e.g. CV, application form)
- Admin data (e.g. absence records, hours worked)
- Whereabouts (e.g. electronic card access systems)
- Data re use of assets (e.g. computers, telephones)
- Performance data (e.g. appraisals and disciplinaries)
- Benefits data (e.g. health insurance, pension)
- Contact details (names, email addresses etc.)
- Records of customer interactions
- Payment details
- Online identifiers, IP addresses, cookie IDs
- Profile data (preferences, interests, browsing history)
Business data (suppliers, agents, contractors):
- Contact details (names, email addresses etc.)
- Records of customer/supplier interactions
- B2B CRM data
Data from children
For those practices that hold children’s personal data, special care is needed, as GDPR requires parental consent for processing children’s personal data. Controllers should obtain the consent of a parent or guardian when processing the personal data of a child under the age of 16 and they also must make “reasonable efforts” to verify that a parent or guardian has provided the appropriate consent.
With GDPR, additional mandatory clauses in supplier contracts are needed and terms are much more detailed. All existing contracts will need to be reviewed, prioritised and amended to ensure all elements are present and any contracts in place on the 25th May 2018 will need to meet the GDPR requirements. A possible solution would be to send an addendum to existing suppliers and for new suppliers, review template contracts to ensure GDPR requirements are included.
What does the law require with regard to data retention?
GDPR builds on and adds further detail to existing Data Protection Principles, and the law requires firms to:
- Process personal data lawfully, fairly and in a transparent manner
- Collect personal data only for specified, explicit and legitimate purposes
- Ensure personal data is adequate, relevant and limited to what is necessary
- Ensure that personal data is accurate and up to date
- Not store personal data for longer than necessary
- Ensure appropriate security for personal data
- Appoint a data protection officer for certain types of organisation
- Ensure policies/procedures are proportionate to the controller’s business and risks
- Maintain appropriate records to demonstrate compliance
GDPR and Making Tax Digital – a natural marriage
What have GDPR and Making Tax Digital got in common? From the accountant’s perspective, it is all about the collection of data in a digital format and how to resolve the complexities of converting huge volumes of records into a format considered acceptable by HMRC.
To thrive in this digital world, we firmly believe that new approaches and new tools are required. That’s why we have developed ‘Collect’, which forms part of the accountant’s own branded App and sits on the client’s smartphone or tablet. It’s designed for those clients who are non-VAT registered, employ no staff and may find digital record keeping with standard cloud bookkeeping packages a daunting experience. Collect enables them to enter data using the App and is as easy to use as social media Apps such as Facebook.
Data is collected in real time and it is then up to the accountant to review the figures, approve them and, with one click, submit them to HMRC. This is the efficient, GDPR-compliant way to manage clients’ MTD affairs.
There is a compelling opportunity for all firms, large and small, to reboot their data protection and privacy processes and turn to digital technology to prepare for GDPR and MTD. An inclusive, compliant App platform that reflects the importance the firm places on privacy will deepen digital trust, make clients feel more secure when they give their personal data to the firm and help enhance the practice’s reputation.