Small practice GDPR

As a small practice, what steps should we be taking to deal with GDPR?

We are a small practice, and eager to comply with the new GDPR requirements.

We would be grateful for any advice and guidance, especially from similar smaller practices who are going through the same process

Replies (21)

By Locutus
20th Mar 2018 12:55

I am largely waiting to see what the consensus is, but a good place to start would be:

1. Ensure the operating system, anti-virus software, firewall software and other software is kept up to date;

2. Encrypt the data on all drives, particularly those drives that routinely leave the office, such as laptops, memory sticks, etc.

3. Password protect sensitive documents that you are e-mailing, such as payslips / P60s and personal tax returns.

Some people (often those who provide secure gateway solutions) are saying that it will no longer be possible to use insecure e-mail from May 2018. I am not convinced, particularly if you are already password protecting sensitive documents.

4. Read through this https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf

I suppose that I ought to write up a privacy/data protection policy at some stage. That is on the "to-do" list, along with the documenting my anti-money laundering procedures that I was supposed to do last June!

Thanks (4)
By [email protected]
20th Mar 2018 13:02

There is a lot of information on the web that is very confusing and it can take time to look through it all, but the ICO website is a good place to start.
I am currently looking at anti-virus software, data security and writing a GDPR Data Protection Policy which itself throws up the need to have other policies in place like IT security and email use and the need for a privacy policy.
I have found a great template for the GDPR Policy at https://vinciworks.wufoo.eu/forms/z1a2yyig10i636n/ which is free and very comprehensive.

Thanks (4)
By Manchester_man
20th Mar 2018 13:22

Yes, I too was led to believe that sending payslips / returns etc. by email will be considered unsafe, but my own research suggests this is nonsense as long as attachments are password protected.

So much red tape compared to 10 plus years ago.

Thanks (2)
Replying to Manchester_man:
By facucvivas
22nd Mar 2018 10:09

Manchester_man wrote:

Yes, I too was led to believe that sending payslips / returns etc. by email will be considered unsafe, but my own research suggests this is nonsense as long as attachments are password protected.

So much red tape compared to 10 plus years ago.

Sage Payroll are withdrawing the email payslips option from their software from 25 May. It will no longer be possible to email payslips from the software.

Thanks (0)
Replying to Manchester_man:
By SXGuy
22nd Mar 2018 10:17

I think the issue with emails is you would need to provide password details for attachments separately, either by mail or in person. Encrypted attachments aren't much good if the email contains the password to decrypt them.

An easier and better solution would be to use something like Boxcryptor. You could share a OneDrive folder solely with the intended client and you both have keys to decrypt info stored locally on the device that accesses it. The link would not work for anyone else who may intercept the email.

Thanks (0)
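Locutus's point 3 and SXGuy's reply above both turn on the same property: the attachment and whatever unlocks it must travel by different routes, and a wrong password must fail outright rather than hand back garbage. The thread does not say what scheme any particular payroll package or PDF tool uses for "password protect", so the example below is added here to show what those properties look like when done properly; it is not code from the thread, Sage, Boxcryptor or any product mentioned. It uses only the Go standard library and assumes (my choices, not the thread's) AES-256-GCM, a key derived from the passphrase with PBKDF2-HMAC-SHA256 at 100,000 iterations, and a random passphrase that the practice reads to the client by phone or sends by a separate channel. The sample payslip text is constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// Parameters chosen for this example (assumptions, not from the thread).
const (
	saltLen    = 16     // random salt stored with the attachment, not secret
	keyLen     = 32     // AES-256
	iterations = 100000 // PBKDF2 work factor against offline guessing
)

// pbkdf2SHA256 implements PBKDF2 with HMAC-SHA256 (RFC 8018 section 5.2),
// written out by hand so the example needs nothing outside the standard library.
func pbkdf2SHA256(password, salt []byte, iter, dkLen int) []byte {
	var dk []byte
	for block := uint32(1); len(dk) < dkLen; block++ {
		mac := hmac.New(sha256.New, password) // U1 = PRF(P, S || INT(block))
		mac.Write(salt)
		var idx [4]byte
		binary.BigEndian.PutUint32(idx[:], block)
		mac.Write(idx[:])
		u := mac.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iter; i++ { // Uj = PRF(P, U(j-1)); T = U1 xor ... xor Uc
			mac = hmac.New(sha256.New, password)
			mac.Write(u)
			u = mac.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		dk = append(dk, t...)
	}
	return dk[:dkLen]
}

// newPassphrase returns a random passphrase to give the client out of band
// (phone, SMS, in person), never in the same email as the attachment.
func newPassphrase() (string, error) {
	b := make([]byte, 12)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

// aeadFor derives the AES-256 key for this passphrase and salt and wraps it in GCM.
func aeadFor(passphrase string, salt []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(pbkdf2SHA256([]byte(passphrase), salt, iterations, keyLen))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealAttachment encrypts plaintext. Output layout: salt || nonce || ciphertext+tag.
// The salt is bound as associated data so it cannot be swapped unnoticed.
func sealAttachment(passphrase string, plaintext []byte) ([]byte, error) {
	salt := make([]byte, saltLen)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	gcm, err := aeadFor(passphrase, salt)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	out := append(append([]byte{}, salt...), nonce...)
	return gcm.Seal(out, nonce, plaintext, salt), nil
}

// openAttachment reverses sealAttachment. A wrong passphrase, truncation or any
// tampering fails GCM authentication and returns an error, never partial output.
func openAttachment(passphrase string, blob []byte) ([]byte, error) {
	if len(blob) < saltLen {
		return nil, errors.New("attachment too short")
	}
	salt := blob[:saltLen]
	gcm, err := aeadFor(passphrase, salt)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(blob) < saltLen+ns+gcm.Overhead() {
		return nil, errors.New("attachment too short")
	}
	pt, err := gcm.Open(nil, blob[saltLen:saltLen+ns], blob[saltLen+ns:], salt)
	if err != nil {
		return nil, errors.New("wrong passphrase or corrupted attachment")
	}
	return pt, nil
}

func main() {
	payslip := []byte("Employee: A N Other\nPeriod: March 2018\nNet pay: 1,234.56") // constructed sample
	pass, err := newPassphrase()
	if err != nil {
		panic(err)
	}
	blob, err := sealAttachment(pass, payslip)
	if err != nil {
		panic(err)
	}
	fmt.Printf("attachment for the email (%d bytes), starts %x...\n", len(blob), blob[:8])
	fmt.Printf("passphrase to send by a separate channel: %s\n", pass)
	if _, err := openAttachment("guess", blob); err != nil {
		fmt.Println("interceptor guessing the passphrase gets:", err)
	}
	pt, _ := openAttachment(pass, blob)
	fmt.Printf("client with the phoned-through passphrase reads:\n%s\n", pt)
}
```

The design choice worth noting is the one SXGuy makes in prose: the ciphertext on its own is useless to anyone who reads the mailbox, so the whole scheme rests on the passphrase never sharing a channel with the attachment, and on the passphrase being long and random rather than a client's date of birth or postcode, which an interceptor could try offline.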
By jon_griffey
20th Mar 2018 14:15

The problem seems to be that there is a lot of money to be made scaring people and selling courses (as is the case every time we have a change) and nobody is telling us in practical terms what small practices need to be doing. As small practices have similar profiles when it comes to what data is held and what it is to be used for, there should be some practical guidance from the accountancy bodies with template privacy/data protection policy etc.

Thanks (15)
Replying to jon_griffey:
By naomi2000
20th Mar 2018 17:15

Link to ICAEW guidance here:

https://www.icaew.com/en/technical/practice-resources/icaew-practice-sup...

I have also asked CIOT if they are publishing anything as they tend to be quite pragmatic in their approach.

Thanks (3)
Replying to naomi2000:
By 0098087
22nd Mar 2018 10:15

Am still waiting new engagement letters from the AAT

Thanks (0)
By BryanS1958
22nd Mar 2018 10:15

It would be nice to have a simple one page summary for the sole practitioner. I'm sure it can be done. As usual the ICAEW does nothing to support its sole practitioner members! Slightly off topic, but I have just been sent an email by ICAEW with links to a 'Firm wide risk assessment', a SIX page 'AML Compliance Review Checklist' and an hour long mind numbingly boring webinar that was in gobbledegook and contained hardly anything of relevance to a small practitioner. I'm expected to read through all this, but it is very difficult to sort the wheat from the chaff and work out what I need to do to comply with the minimum of inconvenience, disruption and cost for my practice. At the end of the day this just means that sole practitioners will do nothing because they are too confused. The ICAEW needs to understand the needs of sole practitioners; it doesn't.

Thanks (6)
Replying to BryanS1958:
By Paul Scholes
23rd Mar 2018 15:07

That's how I feel about VAT, I'm still waiting for a simple one page summary to explain what it's all about.

This stuff is nowhere near as confusing and complex as VAT. The ICO's website is a great place to get what you need and gives an opportunity to add some non-spreadsheet type advice to what we provide clients.

Yes, there are still some grey areas but the info is there to have a stab at a policy, especially as 95% of what most accountants do for the client is agreed with them by contract or required by law and regs and so supports the need to hold and mess about with their name and details.

Or, if it's all too much, keep an eye on other firms' websites and copy/paste on 24 May.

Thanks (0)
By SXGuy
22nd Mar 2018 10:22

At best all we can do is:

Tailor engagement letters to state what you do with info and what you don't, and the ability to retrieve all info held under a SAR.
Inform them that they can request all info be destroyed where practical.

Keep everything digitally, encrypted.

Send nothing that isn't encrypted which could breach GDPR.

Not sure there's much else you can do.

Thanks (0)
By johnjenkins
22nd Mar 2018 10:40

Or perhaps it's just common sense.
You could contact Mark for his views.

Thanks (0)
By Mark Lee
22nd Mar 2018 10:55

Thanks John.
Before offering some quick thoughts a quick word in defence of ICAEW.

The Institute isn't perfect but tries much harder to address the needs of smaller practitioners than many complainants suggest.

ICAEW has provided plenty of GDPR guidance by way of simple docs and webinars. It's not ICAEW's fault that the law was passed or that ICO has yet to respond to many practical questions.

I doubt anyone could produce a one pager of any value. I created a two page doc that simply lists out the (simple) docs you probably need to create (or copy) to evidence your compliance with GDPR.

It's freely available here: http://bookmarklee.co.uk/gdpr-documents-list/

Thanks (1)
Replying to bookmarklee:
By johnjenkins
22nd Mar 2018 12:01

Ha Ha, I meant Mark Zuckerberg. Hey what the heck, you'll do.

Thanks (1)
By nekillim
22nd Mar 2018 11:16

All good sensible precautions to secure your data.
GDPR reminds me of the so-called 'Millennium Bug', where planes would fall out of the sky and toasters would not work anymore!
What happened? Nothing, but it made a lot of money for 'experts'!!!!

Thanks (0)
Replying to nekillim:
By Wanderer
22nd Mar 2018 11:27

nekillim wrote:

What happened, nothing, but it made a lot of money for 'experts'!!!!

Surely nothing happened because all the experts gave us such good advice & worked so hard to stop anything happening ...... Surely?
Thanks (0)
By AdShawBPR
22nd Mar 2018 11:33

It's like the guy on the train being asked why he kept [***] up bits of paper and throwing them out of the window.
"To keep the elephants away" he replied.
"But there are no elephants in London," said the confused traveller.
"You see, it works!"

Thanks (0)
By Brads.Kings
22nd Mar 2018 12:01

The problem for sole practitioners is that GDPR involves digging down to how exactly everything works. Every time you dig down, you encounter new questions. My smartphone has company contacts and 170 listed Apps. I may be a bit techie, but I don't regard myself as extreme in that regard.

My App permissions Contacts shows 12 of the 78 apps allowed.
My SMS shows 11 of the 29 apps allowed.
My Storage shows 44 of 108 apps allowed.

Reviewing every app to see what permissions are allowed and making that consistent with the firm's intended privacy and security statement on the website is frankly beyond most people (me included). We are not legal or IT experts.

Do I understand how WhatsApp uses the contact permissions and whether it breaches my GDPR responsibilities? Well WhatsApp is owned by Facebook. Can I trust how they use 'my data'.

Thanks Facebook

Thanks (0)
By North East Accountant
23rd Mar 2018 11:14

The Government have no clue (and don't care) whatsoever about the never ending burden that they keep piling onto small business.

The current Data Protection Bill 2018 going through Parliament is 256 pages and all businesses have to comply with it.

Why don't ICO (and ICAEW for accountants) produce an out of the box toolkit that we can all just implement rather than 5 million small businesses all having to reinvent the wheel.

And if JC gets in at next election you will seriously have to question whether the non stop hassle of being in business is actually worth it.

Thanks (0)