The General Data Protection Regulation comes into force in May 2018, replacing the Data Protection Act 1998. The 1998 Act was thought to be inadequate to regulate the current business environment & the massive amount of personal data available today. The new regime will have a major impact on accounting practices, & it applies to businesses of all sizes that handle personal data.

The GDPR regime differs from the previous one in its massive increase in fines & in placing the responsibility for data security on the user. The main points emphasised are:

  • Documentation
  • Consent
  • Security
  • Processing
  • Privacy
  • Reporting

Documentation – The new regulations place statutory obligations on you, whether you’re a data processor or data collector. You need to show that you have an adequate level of protection & proper documentation for it. If you don’t have a documented security policy, you will need to draft one based on your internal processes & IT architecture, so that you can demonstrate that you have a proper platform in place to protect clients’ data.

Consent – The terms of the engagement letter will need to change to show that the client has given explicit consent to data handling by third parties, if you use any sub-contractor or third party in your process. You must be able to demonstrate that consent was given & not inferred from silence or pre-ticked boxes.

Security – Run checks on your IT systems to ensure data is stored in a secure environment. Also consider whether you need an information systems audit.

Processing – Check whether you have internal control policies to ensure safe processing of data, identify the specific tasks that need to be carried out & document them. You also need a specific procedure for gathering young persons’ data.

Privacy – You will need a specific procedure for deleting client data when a client requests it. You also need a process that allows a client to obtain a copy of the data held about them.

Reporting – You will need to report any breach of the privacy of clients’ data in a timely manner.

At present most of the regulatory accounting bodies are trying to put guidelines in place for their members on how to handle the regulations, & hopefully accountants will have something in their hands once the busy season is over.