The General Data Protection Regulation (GDPR) replaces the Data Protection Act on 25 May 2018. While this may seem a long way off, most organisations need to start preparing now to make sure they’re ready for implementation. Here’s our guide to how accountancy practices can make a start with their GDPR preparations.
What is it about?
Effective from 25 May 2018, the GDPR extends the definition of personal data, provides increased rights for individuals and gives increased powers to regulatory authorities to take action against data controllers and data processors who don’t comply with it.
There are eye-watering upper limits to the fines that the Information Commissioner’s Office (ICO) can impose so you need to be able to demonstrate that data protection is an integral part of your business policies and practices. The GDPR makes privacy by design an express legal requirement, under the term ‘data protection by design and by default’. This means that data protection must be a key consideration when designing systems, rather than an after-thought.
The ICO response
The ICO is clearly committed to ensuring that organisations are properly prepared and monitored – they’re gearing up for the task by employing 200 additional staff.
“With the coming of the GDPR, we will have more responsibilities and new enforcement powers,” said UK information commissioner Elizabeth Denham. “For example, there will be a mandatory requirement for companies and public bodies to report to us when there is a security breach involving personal information.”
Action to take
Article 24 sets out the principle that, in order to comply, organisations must implement “appropriate technical and organisational measures” to ensure that they can demonstrate the processing of personal data is performed in accordance with the GDPR. What is “appropriate” depends on the circumstances – what works for one organisation does not necessarily work for another – but the obligation to demonstrate compliance exists in all cases.
If you start your preparations now, you’ll begin to understand what personal data you process and where it’s being held. You’ll also be able to test whether the procedures you already have in place to protect it are adequate.
As a minimum you need to:
- Allocate responsibility for GDPR within your organisation and raise awareness.
- Fully document the information you hold across the business – where it originated, where it’s stored, how it’s processed and who you share it with.
- Carry out a Privacy Impact Assessment – know your risks.
- Review your privacy notices, engagement letters and contracts.
- Review your procedures to ensure that risks are covered, personal data is secure and you can comply with the rights of individuals.
- Review how you seek, record and manage consents.
- Update your procedures relating to the detection and reporting of breaches.
GDPR will have a direct effect on businesses of all sizes, and the sooner you start looking at the implications the better prepared you will be next May. Whilst we’re not data experts, we also have to comply with the new regulations and have many clients and contacts who can help you get to grips with the requirements. For initial assistance contact your local Burgis & Bullock office on 0845 177 5500, or use our on-line contact form.