GDPR, privacy notices and right to be forgotten

How to reconcile right to be forgotten and professional need to retain info

I'm starting to think about the privacy notices I need to draft.

One aspect of these is informing clients of their right to be forgotten and the fact they can ask us as data controller to delete all their personal data (obviously, this will only apply to former / newly-departing clients).

Obviously, I can see the data protection logic of that but I must admit to feeling very reluctant to destroy data from the fairly recent past which may be needed in the event of an enquiry (notwithstanding that the client may have moved on to another agent), or any of the other million reasons why we're sometimes asked to extract old data / correspondence. I may be worrying unnecessarily but I would prefer not to put myself in a position where I can't answer something which I could have done pre-GDPR simply because I have destroyed data which I wouldn't have done pre-GDPR.

Anyone been through this iteration yet and come up with an answer / compromise / suitable text to include in the notice?

Replies (24)

By Chris Maslin
01st May 2018 11:44

I'm sure I've seen somewhere that AML legislation trumps GDPR legislation.

Does beg the question: can we legally simply ignore a client's request to be forgotten?

I imagine from a practical perspective, the number of people who will ask will be trivial...and where they do a part of it may just be they don't want you spamming them anymore. Having said that, I suppose as long as you do hold some of their data, they're at risk if your systems get hacked. Of course any client will be miffed if your data is illegally accessed, but they'd be doubly miffed if they'd asked you to delete everything before that and you hadn't.

What a fun world we live in, damned if you do, damned if you don't.

Thanks (1)
Replying to Chris Maslin:
By adam.arca
01st May 2018 12:26

Maslins wrote:

What a fun world we live in, damned if you do, damned if you don't.

Yes, that's exactly what it looks like it's going to be.

As you say, the issue will probably never crop up but, on the other hand, there's always that awkward sod.....

Thanks (0)
By DJKL
01st May 2018 12:12

The only safe GDPR approach now appears to be paper records stored in a very disorganised form, so finally a regulation for which my last thirty-odd years has been great training.

1. Records kept on paper - check
2. Disorganised desk and filing - goes without saying.

Thanks (2)
Replying to DJKL:
By adam.arca
01st May 2018 12:31

Joking aside, anyone wanting to be fully GDPR compliant without spending a fortune on their computers will indeed be better off going back to quill and ink.

And back in the real world where we all have to use computers and store data there, the vast majority of us are going to be left to one degree or another with our rear end flapping in the wind.

It'll be interesting to see how this all settles down but I get the feeling this is going to be one of those "there but for the grace of God" scenarios.

Thanks (0)
Replying to DJKL:
By PERMON
01st May 2018 20:47

I'm in Ireland but it's the same GDPR for all of us (seems primary legislation is not required). My understanding is that GDPR applies equally to paper records as it does to digital records.

Thanks (1)
Replying to PERMON:
By tom123
02nd May 2018 13:05

Yes, I agree - however, I think it has to be in an organised fashion (e.g. alphabetical) - hence the disorganised desk comment.

Thanks (0)
Replying to tom123:
By DJKL
02nd May 2018 15:06

I have a wonderful filing system at work, the DJKL Patented Just In Time System.

Paperwork that comes in that has to be dealt with, fair enough, but the other paperwork sits in a heap on my desk to see if anything comes of it; usually nothing does.

If after, say, a month nothing needs done with it, then, say, the bottom 50% of that heap gets dumped into a large cardboard box under my desk. Once that large box is full it gets marked with rough dates and dumped in the storeroom; once in store for x years I have it shredded.

For years I patiently filed everything and then realised (this likely does not work in a professional practice) that most of the rubbish crossing my desk is just that, rubbish, nobody really cares about half of it so why waste time filing it.

Thanks (1)
Replying to DJKL:
By PERMON
01st May 2018 20:55

Oops, sorry - double posted.

Thanks (0)
By Marion Hayes
01st May 2018 12:57

According to a webinar I listened to from HMRC you are supposed to follow the GDPR rules unless it is a legal requirement to do otherwise - not just MLR then but also record keeping etc etc.

Thanks (0)
By tom123
01st May 2018 13:01

Compliance with a legal obligation is one of the bases for data retention.

So, on the right to be forgotten, I am not sure I would feel comfortable destroying an (ex) employee's records after, say, 2 years.

But - I have no plans to keep data beyond any of the statutory limits.

Thanks (0)
By justsotax
01st May 2018 13:33

I find it ironic in the world of technology (cloud and all that being the only real way to do business as we get told time and again)...that it seems paper files and the written (or typed) word appear to be the safest option to comply with and keep on top of GDPR.....

What next....well I wonder how long it will be before driverless cars have to have someone running in front of them waving a flag to ensure no pedestrians are run over....the mind boggles....

Thanks (1)
By adam.arca
01st May 2018 13:47

Many thanks for all comments so far.

I would like to start churning out the privacy notices this week so I can be sending them out with this year's tax info requests.

I'm thinking of saying something like:

"You have a right to be forgotten...blah, blah, blah.

There is currently no definitive guidance on how that should be implemented for accountancy practices where we retain substantial hard copy and digital records containing your personal data but where that retention is required in order for us to assist you in meeting your legal obligations (such as potential tax enquiries).

In the absence of any such guidance, we have no option for the time but to reserve our position concerning the practicalities of what can and what cannot be destroyed and also when that can happen."

Not ideal but I'm trying to give myself some wriggle room on this issue. Any suggestions or improvements would be gratefully received.

Thanks (0)
Replying to adam.arca:
By Chris Maslin
01st May 2018 14:04

My honest and practical (but probably completely illegal) view is to simply not bother.

I'm _not_ saying don't bother with GDPR altogether. I'm just saying I don't see the point in emailing all clients basically saying:
"Nobody knows what's going on, but we're trying our best."
Yes it shows you've tried as compared to sending nothing...but I guess if I was the client I'd probably be more miffed by receiving such a pointless update than I would be to not receive anything. People have enough crap in their inbox to deal with every day.

Actually, just to add, my summary is:
Things I am taking seriously - reconsidering security, what data is stored where, deleting old data on old systems we no longer use, password strengths, who can access what from where, minimising amount of data we send to/receive from clients via insecure means.

Things I'm not taking seriously - privacy policies, revised letters of engagement, a GDPR compliance manual etc etc.

Thanks (3)
Replying to Chris Maslin:
By adam.arca
01st May 2018 14:41

Totally understand where you're coming from and, believe me, I'm definitely the sort of bloke who looks for the pragmatic solution rather than faff around with the exact niceties.

That said (and unless I'm really misunderstanding something), I don't think you have any choice with the privacy notices. You HAVE to tell your clients what personal data you hold and you HAVE to obtain their explicit consent to carry on holding / processing said data. This is the bit where there have been all sorts of articles telling us that tick boxes and / or rolling in consent with something else isn't going to be acceptable. Obviously, the last bit applies to the Facebooks and not most accountants but the point about getting consent does still apply, unfortunately.

Thanks (0)
Replying to adam.arca:
By Chris Maslin
01st May 2018 17:00

I'm of the view that we don't need the specific consent opt-in, as I feel we're covered by the "contractual" lawful basis to process their data. I.e. they want us to file their tax returns (etc.) and to do so, we need to know the various bits of data (UTR, name, DOB, income details etc. etc.).

If hypothetically a client were to say "I don't want you having any of my personal data anymore", then we cannot continue to act for them. Not in any sulky/principle way, we literally cannot do our job.

I think it's a bit different if for example you also send clients (and indeed non clients) newsletters that are a bit salesy, talk about optional extras etc. That kind of thing you should request they opt in to, as it's not a vital requirement for you to complete the task they've asked you to complete. Have to admit I'm not 100% on things like us sending a newsletter after a budget with a summary of things impacting them...I think my view is that is still a core part of our offering so they'll have it by default, but can of course unsubscribe as they could pre GDPR.

Not saying I'm 100% right on all this, but it's my take on it.

Thanks (3)
Replying to Chris Maslin:
By sarah douglas
01st May 2018 18:33

Hi Maslins

Totally agree. This came up in Sage sessions, about the emails people were receiving about consent.

One of the 6 lawful bases for keeping data is contracts. As you say if you do not have that information you cannot complete the contract. You do not need consent for this.

However, if the contract is finished and there are no government laws that require you to keep that information (for example, a nursery is required to keep details on children for seven years; MLR).

It is at that point you require consent.

Another example: a Chamber of Commerce keeps sending out consent emails, but by joining, ticking that you want business information and paying a membership each year, this information is contractual; what else is a Chamber of Commerce for? You have a portal to change preferences, so, therefore, they do not need consent.

If you cannot justify keeping the data for a lawful reason then you must get consent.

You could consider putting a policy on your website or social media.

The main point is consent is the weakest reason to keep the data and you should look at the other lawful bases.

Look at it like a good clean out. I have completely cleaned out our email system, cloud storage, old files in offices. The office looks better and our systems are now cleaner.

I would like to mention I have had numerous calls for clients with the ICO and they have been extremely helpful and reassuring. I recommend it. I think you can email them as well. They have two spreadsheets that help with the mapping for the processor and the controller which are on their website to download. Each one has an example sheet. My clients have been finding this very useful, as well as the 12 steps plus check tools.

https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf

Thanks (1)
Replying to Chris Maslin:
By Neil Armitage
02nd May 2018 17:19

Budget newsletters to existing clients would most likely be classed as legitimate interest. As long as you maintain a suppression list and are strict about adding people to it if they unsubscribe then your risk is tiny.

Thanks (1)
By atleastisoundknowledgable...
01st May 2018 18:28

I'm not planning to do anything in particular about the consent issue (we don't do mailshots etc.). All of our data holding is purely to do our job.

I know that BDO send a 6-page 'engagement letter' purely to deal with GDPR, which IMHO is overkill.

At this stage, I'm just planning to amend the 'data protection' paragraph in my T&Cs. I'll send an email to all of our clients saying that due to GDPR we won't email any info but are now using client portals (VC - installation & training is 24 May, arrrgh! Seat of pants?).

Thanks (0)
Replying to atleastisoundknowledgable...:
By sarah douglas
01st May 2018 18:36

If business guidance is part of your service, it is perfectly okay, for example, to send out emails that are relevant to their business, like the Budget, changes to the minimum wage, or increases in auto-enrolment.

Thanks (0)
By adam.arca
02nd May 2018 09:29

OK, thanks everyone for the additional comments re giving consent.

I knew that the need to fulfill a contract was a lawful basis for processing but hadn't realised that meant explicit consent wasn't also required. Perhaps I should have gone on that course after all.....

Nevertheless, on a purely practical level, I think I'm going to stick with issuing privacy notices because a) it'll keep one of my more clued-up clients happy as that's what he's expecting, b) it saves having to alter my LoE right now, c) it ties in quite neatly with issuing my tax info requests which is happening this week, and d) I'm seen to be doing something and I think "showing willing" is going to be a big part of defending yourself against potential snotty questions from professional bodies / regulators etc.

Thanks (0)
Replying to adam.arca:
By Chris Maslin
02nd May 2018 11:05

adam.arca wrote:

c) it ties in quite neatly with issuing my tax info requests which is happening this week, and d) I'm seen to be doing something and I think "showing willing" is going to be a big part of defending yourself against potential snotty questions from professional bodies / regulators etc.

Yup, these two bits I defo do agree with. Hence we're not specifically sending out clients a new privacy notice, but I'm sure at some point when we're emailing them about something they do care about, we'll have a small para perhaps with a link to a webpage about these things.

I think any small firm who's clearly made an effort but didn't quite (metaphorically) tick every GDPR box perfectly will be fine.

The occasional client who takes it extremely seriously may get a bit miffed by some of the i's/t's we don't dot/cross...but similarly I think more of our clients will be miffed at having to use a client portal for some stuff.

Realistically small firms have zero concern from the ICO directly. They'll continue to issue a couple of fines to Talk Talk et al when they have a horrendous mishap. For the rest of us, to my mind it's about taking seriously the spirit of the law, and just reconsidering what might previously have been weak spots in our security/unnecessary data we held.

Thanks (1)
By Jo Nokes
02nd May 2018 10:31

The ICAEW has just issued some more GDPR guidance, which includes suggested paragraphs to insert into engagement letters. This is so extensive that I can't imagine any of my clients even looking at it, let alone working out what it all means.

Thanks (0)
By jon_griffey
02nd May 2018 12:57

The CIOT/ACCA/AAT/ATT have just released their GDPR templates.

Contains some good stuff.

https://www.att.org.uk/engagement-letters

Thanks (0)
By paulwakefield1
25th May 2018 20:39

Just for clarification, do you need to send a Privacy notice (I don't have a website - first time I've regretted it) to everybody you have on your contact list at a client if the email address you hold is in the form which constitutes personal data? e.g. [email protected]

My reading is that you do but would be delighted to be shown to be wrong.

Thanks (0)