GDPR and sole practitioners

Covering oneself


There seems to be a lot of waffle on this subject, though guidance is still expected. I'm a sole practitioner, and this is what I intend to do.

Normally in February, I write out to all clients advising them of my forthcoming holidays and to bring them up to date with such things as MTD. This year, I am going to enclose a letter requesting their consent to hold data digitally and to advise them that I am the data controller for the practice. Avoiding the pre-ticked-box issue, I will ask them to return it, signed and dated. The letter will confirm that data will only be shared with HMRC, CoHouse and my software provider, that no other info will be shared except with express approval (i.e. mortgage lenders) and that anti-virus protection is in place.

Is there anything I am missing or doing wrong?


Replies (34)


By thomas34
07th Feb 2018 11:55

That seems an excellent summary of the situation for sole practitioners. You've done well to form a policy in the presence of jack **** from the lawmakers.

Thanks (0)
By lionofludesch
07th Feb 2018 12:00

Probably the first step is to categorise what you do for the client.

Preparing accounts and assorted tax returns is what you're contracted to do.

But what about unsolicited information about the Budget? Or saying your round bookkeeping won't fit in the square MTDfV box? Is that contract? It's not specifically in the engagement letter.

Maybe it's just a case of new engagement letters all round.

Thanks (0)
By SkyBlue22
07th Feb 2018 12:48

What are thoughts about what you are going to do if they don't return the signed form?

Thanks (0)
Replying to SkyBlue22:
By lionofludesch
07th Feb 2018 12:54

Whose? Mine?

Same as if they don't return anything else I ask them to sign. Send them a bill and tell them I can't work for them until they sign it.

Thanks (0)
Replying to SkyBlue22:
By silverghost
07th Feb 2018 13:04

Keep copies in the office, to complete when they come in with their records (possibly in January...) as a condition of doing any more work.

Thanks (2)
By Brads.Kings
08th Feb 2018 12:10

I share your desire for simplicity.

Do you use email? It has become so pervasive and so quick to use, but if email containing personal data fails GDPR, how can one use email effectively? Will we end up emailing just to say "look at your portal"?

The weakness of the portal approach is the browser is likely to remember the password, so is it really much safer?

Do you run payrolls? Payslips with passwords seem to be the cheap solution, but they raise questions, i.e. who chooses the password, how is it communicated, how is it stored, and when forgotten, how is it communicated?

GDPR is forcing sole practitioners to adopt systems like bigger businesses, increasing costs while delivering less value.

Thanks (4)
Replying to Brads.Kings:
By Wanderer
08th Feb 2018 16:48

Brads.Kings wrote:

The weakness of the portal approach is the browser is likely to remember the password, so is it really much safer?

Also many systems just use e-mail for password resets.

Thanks (0)
Replying to Wanderer:
By atleastisoundknowledgable...
09th Feb 2018 00:17

Wanderer wrote:

Brads.Kings wrote:

The weakness of the portal approach is the browser is likely to remember the password, so is it really much safer?

Also many systems just use e-mail for password resets.

D’oh

Thanks (0)
Replying to Brads.Kings:
By SteveHa
09th Feb 2018 09:37

Isn't the email address itself personal data which can't be encrypted, and so email can't be sent?

Similarly, a posted document will have to have the recipient's name and address on the outside, viewable by anyone, so post can't be used.

Thanks (3)
Replying to SteveHa:
By lionofludesch
09th Feb 2018 09:47

Anything can be used if the parties agree.

Thanks (0)
Replying to Brads.Kings:
By Mark Lee
09th Feb 2018 13:01

I find it hard to believe that unencrypted email will fail GDPR. For now I'm ignoring the purveyors of encryption systems as I can't believe it will be necessary.

Thanks (2)
By SXGuy
09th Feb 2018 10:12

What about encryption of client data stored by us?

I use Microsoft OneDrive to store all my data, and use Boxcryptor to encrypt everything. As little as possible is stored on my computer; it's all stored in the cloud and encrypted. I access it via Boxcryptor, which adds an additional drive letter like a virtual drive. And finally, to access any of it a PIN must be used to unlock Boxcryptor.

So in the event of the computer failing or being stolen, there's no chance of a data breach.

With regard to emails, in theory you only need the client to install Boxcryptor and give access rights to any file or folder.

They have their own decryption key.

Sadly though, it wouldn't work for every one of my clients. Some, believe it or not, don't even have an email address.

Can't avoid paper data entirely.

Thanks (1)
By Mark Lee
09th Feb 2018 15:47

Hi Silverghost

It's a good start. Not sure it's quite enough, even for a sole practitioner who never sends out any marketing materials to clients.

You could ensure that your letter includes everything you would be required to disclose in your privacy policy - this will save you from having to publish such a notice on your website.

ICAEW are running a series of GDPR webinars and these are available on catch-up too (not sure if this is for members only). I heard the first one and was very impressed by the practical focus and quality Q&As.
https://lnkd.in/fXw3NwP

They are doing what they can while we await formal guidance from ICO as to how GDPR will be applied in practice by smaller businesses.

I am NOT an expert but I have produced a list of the key documents we will all need to prepare to evidence that we are taking the law seriously - even if we are simply sole practitioners with no staff and no marketing email lists. It needn't be that onerous.

If you want a copy of the list just let me know on this webform >>>
http://bookmarklee.co.uk/gdpr-documents-list/

Thanks (2)
Replying to bookmarklee:
By legerman
09th Feb 2018 13:20

bookmarklee wrote:

If you want a copy of the list just let me know on this webform >>>
http://bookmarklee.co.uk/gdpr-documents-list/

Just tried to request it but you need to enlarge the captcha box. It's only showing me half the pictures and not telling me what I should be clicking on.

Thanks (0)
Replying to legerman:
By Mark Lee
09th Feb 2018 15:48

Sorry you had a problem legerman. Not sure why you'd be having a problem when so many others have submitted it fine - at least no one else has said there's a problem. Maybe try another browser? Apologies for the inconvenience.

Thanks (0)
Replying to bookmarklee:
By legerman
11th Feb 2018 20:42

bookmarklee wrote:

Sorry you had a problem legerman...... Maybe try another browser? Apologies for the inconvenience.

Oh, how strange. Chrome is my default browser, and the captcha popped up (which I couldn't complete). Just tried Firefox and no captcha. Hopefully you now have my details.

Thanks (1)
Replying to bookmarklee:
By spcm
12th Feb 2018 10:38

I've also had a problem with the captcha: only half the page appearing, and it is because the page is taking a considerable amount of time to load (it hasn't so far!). I'm using Firefox and can't get anything.

Thanks (0)
Replying to spcm:
By Mark Lee
12th Feb 2018 17:31

Apologies again for the hassle, caused by the damned Google captcha thingy which I think I've now turned off.

Weird that only a small proportion of people got caught by it. Still, hopefully fixed now.

Thanks (0)
Replying to bookmarklee:
By silverghost
14th Feb 2018 07:45

Thanks Mark, that should help to cover all the issues in one letter. Hopefully this has been of use to other SPs.

Thanks (1)
By Mark Lee
10th Feb 2018 14:06

duplicate

Thanks (0)
By Paul Scholes
11th Feb 2018 14:44

Having spent a few hours on it I’ve found the ICO’s guidance excellent, including discovery that quite a bit of what we are now expected to write down and notify was actually required by the 98 Act anyway.

I've spent as much time thinking about what my clients need to consider as I have my own practice, and revisiting the ICO's "should I be registered with the ICO?" bit, I'm pretty sure that some of my clients, who should be registered, aren't.

One bit of good advice on the site is to go through a draft or initial notification first, to test the water with clients. Even though I think I have a good idea of what my privacy notice will cover, doing a test drive may unearth questions and issues I hadn't thought of.

Similarly, with simplicity to the “subject” in mind, I think it’s a good idea to tailor different notifications to client types, which mimics how many do their terms of engagement. In other words, trying to do one notice that covers all clients would be too complex.

Rather than generate a static document for approval, I’m planning to use Google forms. Even though most of us will rely on the “contract” lawful basis to justify our need to keep and process client data, there are likely to be some consent requirements and Forms is perfect for asking for yes/no answers and to give clients the ability to respond to questions.

With regard to encryption of emails, I’ve not seen anything yet that makes this a requirement, although I’m pretty sure that one or two of my clients will want me to do so if I can, and, after a Google search, I had free easy encryption setup in less than 5 minutes, so these days it’s not rocket science.

Thanks (2)
By EnglishRose
12th Feb 2018 09:33

My only issue with that is you may get some know-all who makes a big issue over not signing it with a deliberate refusal, or people who do not bother to send it back.
As you may have a right to process their data for those purposes without consent under the legitimate interests provision, the big issue for some companies is whether to stir up a hornet's nest by writing to everyone or just let sleeping dogs lie under legitimate interests. As you write to everyone once a year anyway, however, writing to them about this too at the same time seems to make sense.

Perhaps add you are registered with the ICO and your number although there is no legal obligation to say so.

Thanks (0)
Replying to EnglishRose:
By Paul Scholes
12th Feb 2018 10:48

There are changes to the information you have to provide in privacy notices and, unless someone knows otherwise, you are required to do this pre-25 May, so not sure you can leave it and cover it with year-end stuff after that date.

With regard to clients kicking up a fuss or refusing to return it, that's no different to anything else, e.g. terms of engagement, so is down to the quality of your relationship with the clients. In my case, life's too short, and so anyone likely to act in that way is no longer a client.

Thanks (3)
By Arm266
20th Feb 2018 16:39

I, too, am a sole practitioner mainly doing annual tax returns, and propose to follow the same route, except that I will incorporate this authority in my annual Letter of Engagement. However, I have been advised that data must be kept up to date. Can anyone advise whether the annual receipt of the Letter of Engagement/tax documentation is sufficiently 'up to date', particularly in respect of the client moving address? I often find that my client has moved between my completing their tax returns. My clients are mainly below the £10k turnover threshold and will, therefore, continue to do some sort of annual return.

Thanks (0)
By Arm266
20th Feb 2018 17:17

In your list of bodies with whom data will be shared, perhaps you should include 'statutory bodies with whom data must be shared'. I am particularly thinking of the National Criminal Intelligence Service [NCIS], since you will be prevented from obtaining their consent at the time, should you be required to make a report to them.

Thanks (0)
Replying to Arm266:
By Matrix
20th Feb 2018 22:34

This is an interesting point. But if the lawful basis for processing the data is a legal obligation and you have already obtained (general written) consent for all legal obligations such as filing tax returns then I assume the NCA report can be filed.

Thanks (0)
Replying to Arm266:
By Paul Scholes
21st Feb 2018 09:40

Looking at my own T&Cs, this has always been covered (i.e. from the 98 Act) in that data will be kept confidential unless it's required to be disclosed/shared by law with government agencies etc.

Thanks (1)
By Paul Scholes
21st Feb 2018 09:54

I've just had an email from one of my clients who works in IT security and he made the point (obvious when you know) that regardless of the fact that we might protect emails and files and store most data online, a huge amount of data is cached and even stored in not so temporary libraries on your machine.

He suggests therefore that we use disk encryption on all machines which means that even if the machine is lost, the hard drive will give up no information.

On my Macs this just means switching on FileVault in Preferences, and it also comes as part of Windows in BitLocker.

Thanks (0)
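The point in the post above is that a lost or stolen machine gives up whatever is cached locally unless the whole disk is encrypted, so the useful check is not "do I use the cloud" but "is FileVault/BitLocker actually on". The following Python script is an added example and is not code from the thread or from any poster: it runs the platform's own status tool (`fdesetup status` on macOS, `manage-bde -status C:` on Windows, which needs an administrator prompt) and parses the answer. The sample outputs embedded below are constructed for illustration. It deliberately treats a BitLocker volume that is "Fully Encrypted" but has "Protection Off" (BitLocker suspended, so the key is stored in the clear) as unprotected, because that is the state in which an encrypted drive still reads like an unencrypted one.

```python
"""Report whether full-disk encryption is on (FileVault on macOS, BitLocker on Windows).

Added example; not part of the original thread. The SAMPLE_* strings are
constructed to look like real tool output so the parsers can be exercised offline.
"""
import platform
import re
import subprocess

# Constructed sample output of `fdesetup status` on a Mac with FileVault on.
SAMPLE_FILEVAULT_ON = "FileVault is On.\n"

# Constructed sample output of `manage-bde -status C:` for a protected volume.
SAMPLE_BITLOCKER_ON = """Volume C: [Windows]
[OS Volume]

    Size:                 237.00 GB
    BitLocker Version:    2.0
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Encryption Method:    XTS-AES 128
    Protection Status:    Protection On
    Lock Status:          Unlocked
"""

# Constructed sample for a volume that is encrypted but has BitLocker suspended:
# the data is still readable to anyone who boots the disk.
SAMPLE_BITLOCKER_SUSPENDED = SAMPLE_BITLOCKER_ON.replace(
    "Protection Status:    Protection On", "Protection Status:    Protection Off"
)


def parse_filevault_status(output: str) -> bool:
    """Return True only when `fdesetup status` reports FileVault as on."""
    return re.search(r"FileVault is On\.", output) is not None


def parse_bitlocker_status(output: str) -> dict:
    """Parse `manage-bde -status` text into {'encrypted': bool, 'protected': bool}.

    'encrypted' is True only for 'Conversion Status: Fully Encrypted' (not a
    partially converted volume); 'protected' is True only for
    'Protection Status: Protection On'. Both must hold for real protection.
    """
    conv = re.search(r"Conversion Status:\s*(.+)", output)
    prot = re.search(r"Protection Status:\s*(.+)", output)
    encrypted = conv is not None and conv.group(1).strip().lower() == "fully encrypted"
    protected = prot is not None and prot.group(1).strip().lower() == "protection on"
    return {"encrypted": encrypted, "protected": protected}


def bitlocker_ok(output: str) -> bool:
    """True when the volume is both fully encrypted and currently protected."""
    status = parse_bitlocker_status(output)
    return status["encrypted"] and status["protected"]


def check_local_disk() -> bool:
    """Run the platform's own tool on this machine and return True if the system
    drive is protected. Raises NotImplementedError on other platforms."""
    system = platform.system()
    if system == "Darwin":
        out = subprocess.run(["fdesetup", "status"], capture_output=True, text=True).stdout
        return parse_filevault_status(out)
    if system == "Windows":
        out = subprocess.run(["manage-bde", "-status", "C:"], capture_output=True, text=True).stdout
        return bitlocker_ok(out)
    raise NotImplementedError(f"no full-disk encryption check implemented for {system}")


if __name__ == "__main__":
    # Show the parsers on the constructed samples, then check the real machine.
    print("sample FileVault on  ->", parse_filevault_status(SAMPLE_FILEVAULT_ON))
    print("sample BitLocker on  ->", parse_bitlocker_status(SAMPLE_BITLOCKER_ON))
    print("sample BitLocker off ->", parse_bitlocker_status(SAMPLE_BITLOCKER_SUSPENDED))
    try:
        print("this machine protected ->", check_local_disk())
    except NotImplementedError as exc:
        print(exc)
```

Run it as `python3 check_fde.py` on the machine in question; on Windows the `manage-bde` call only works from an elevated prompt. The two-field BitLocker check matters more than it looks: a drive that has been decrypted for a firmware update and never re-protected, or one left in the suspended state, still answers "Fully Encrypted" while offering no protection to a thief.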
By Arbitrary
25th Feb 2018 10:36

All the writings here assume that consent is required for any personal data processing. That is not clear to me.
My understanding is that consent is not required if you are carrying out contracted work for the client. In that case there is not going to be any need for such unless you are doing other things.
I read in the ICO guide that if processing personal data is necessary for a contract you have with an individual that constitutes a lawful basis for processing and separate consent is not therefore required. There are lawful bases other than consent such as legal obligation, vital interests, public tasks and something called legitimate interests the latter of which I do not understand.
My conclusion is that the legislation is mainly aimed at direct marketing and data gathering by those organisations which do this for a living.
Have I misunderstood something here? Are my agreements for work with a client not a contract for some reason?

Thanks (1)
By Agutter Accounts
25th Feb 2018 17:53

Since starting as a sole practitioner I have always sent new clients a clear and precise quotation for my services. And as part of that I have a Confidentiality Clause that states clearly that I will only disclose information to third parties either with the express consent of the client or where the law requires me to do so.

And I have anti-virus software in place.

I suggest that is a clear and simple statement of what any reasonable client has the right to expect anyway.

Thanks (0)
By Melody
02nd Mar 2018 07:32

A lot of very useful advice has already been given by other contributors.

I would suggest going to the ICO website, in particular https://ico.org.uk/for-organisations/guide-to-the-general-data-protectio... This is quite clear and not too difficult.

Look at the possible lawful bases for processing the data you have. There may be several that you could use in any circumstance but you must decide IN ADVANCE and make sure your customers are informed. Also look up individual rights, which depend partly on which lawful basis you use.

Consent is the weakest lawful basis in that it gives your clients most rights, for instance consent can be withdrawn at any time.

If you use contract as your lawful basis you can do any processing which is NECESSARY to perform your side of the contract (or do any pre-contract work the client has requested, such as preparing a quote) without asking for consent, and consent for this cannot be withdrawn, although unnecessary work (such as subsequent marketing) may need separate consent.

Legitimate Interests (which include your own interests, the interests of third parties, individual or commercial interests or even broader societal interests) is the most flexible lawful basis but requires more analysis to justify. This can allow marketing without prior consent (although the individual has a right to object), but you need to be careful to ensure you fulfil the conditions required for this - there are three main tests to satisfy and you have to balance the individual's interests against the legitimate interests you are claiming.

Legal obligation (not including contractual obligation) is another lawful basis, e.g. for anti-ML compliance.

You must choose the most appropriate lawful basis in advance and cannot change your mind later. For example, if a client has signed a consent form and later withdraws consent, it is then too late to say "actually I don't need your consent as we have a contract".

Then write your privacy policy, making it as simple as you can and make sure your clients have it. There are examples of good and bad practice on the website.

So your requests for signed consent will help to keep you within the law and also seem to include most of your privacy policy, but they are not the only way to keep you within the law, and consent may not be the most effective choice for you.

If you still have any queries, phone the ICO helpline for small businesses and charities on 0303 123 1113 (select option 4). They are quite helpful.

Thanks (1)
By Wanderer
02nd Mar 2018 07:46

Can't help but think that GDPR is yet another of those cases whereby we, in the UK, will go to the nth degree worrying about & implementing it, incurring increased costs & will be subject to draconian enforcement by the UK regulators.

Meanwhile many of our counterparts in the rest of the EU will have a far more 'relaxed' view to implementation & enforcement.

Thanks (1)
By Gordon Sheppard
20th Mar 2018 12:54

There has been a lot said about consent in this thread. What does everyone else think about the storage of data and when it should no longer be required to be stored?

Thanks (0)
By [email protected]
23rd May 2018 20:20

Sounds like a great idea - can you share the letter?

Thanks (0)