Every month McManus Williams Limited answers some of your business and accountancy related questions.
If you’re in business and you haven’t yet heard of GDPR, the EU’s new General Data Protection Regulation, then keep reading… The legislation takes effect from 25th May 2018 and, before you all shout, “Ah! But we’re leaving the EU!”, you should know that the UK Government will be enshrining the principles of GDPR within its own Data Protection Bill post-Brexit. In the meantime we are of course still in the EU.

So what is it? The EU is looking to beef up protection for individuals regarding data privacy and data breaches. It requires organisations to adequately protect their clients’ data and to ensure that they can respond quickly to a client’s request for details of the data held about them, or to their request to be ‘forgotten’ (the right to erasure). In summary, it requires that personal data should be:

• processed lawfully, fairly and transparently, and for a specified, explicit purpose
• adequate, relevant and limited to what is necessary for the specified purpose
• accurate; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay
• kept in a form which permits identification of data subjects for no longer than is necessary
• processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

What do we mean by personal data? GDPR defines this as any information relating to an individual who can be identified, directly or indirectly, by way of an ‘identifier’. That identifier might be something as simple as a person’s name, address or National Insurance number, but could include less obvious references such as online handles, IP addresses, cookie identifiers and so on.

The following action plan may be suitable for your organisation to ensure it complies with the new standards:

• Read up on GDPR and take action now; do not wait until May!
• Appoint a Data Protection Officer (DPO) to organise your GDPR response (a DPO is mandatory for some organisations, such as those whose core activities involve large-scale monitoring of individuals or large-scale processing of special categories of data, and is good practice for the rest)
• Review and update existing security standards and processes
• Understand how data is handled within your business, including how it is requested, collected, stored and processed
• Review how you are seeking, obtaining and recording consent in line with GDPR
• Identify your firm’s data processors and data controllers
• Understand the supply chain of your software suppliers
• Update the way your firm reacts to a data breach, including how it is reported internally and externally (GDPR requires a notifiable breach to be reported to the ICO within 72 hours of your becoming aware of it)
• New technology can support the process, and existing technologies may need to be updated in order to fall in line with GDPR, particularly if data is stored outside the EU, for example in the US
• Raise awareness within your firm of what GDPR means for the business, what is changing and when. Staff should be properly trained on what they need to do.

More detailed guidance and checklists can be found on the Information Commissioner’s Office (ICO) website (https://ico.org.uk/).