Do you know these 10 Key facts about GDPR for Accountants?
Compliance with the EU General Data Protection Regulation (GDPR) from 25 May 2018 requires significant changes to how accountancy firms handle client data to complete jobs, such as tax returns and processing financial records, as well as data used for marketing purposes.
Meeting GDPR compliance isn’t a “click and forget”, once-a-year activity. You need to entwine the protection of personal data into the fabric of your firm.
1. Accountancy firms will need to comply with GDPR by 25 May 2018.
2. GDPR compliance is your firm’s responsibility as “data controller and data processor”.
3. You will need to understand your supply chain, for example, if you hold data in cloud-based backup software, you’ll need to know exactly where that data is held and replicated.
4. Certain personal data breaches must be reported to the Information Commissioner’s Office (ICO) within 72 hours.
5. Privacy Impact Assessments become compulsory under certain circumstances. This will mean your firm reviewing how personal data about your clients is requested, sent to you and stored. Specific attention needs to be paid to your tax return process, as some of this data is perceived as sensitive.
6. Your clients’ consent to providing their data must be freely given, specific, informed, and unambiguous. Make sure you provide clear Terms and Engagement around how their data will be processed.
7. Offering generic opt-ins to contact such as ‘passing data on to third parties for marketing purposes’ will not count as being fully informed. Best practice is to provide a tick box option for opt-ins at the end of any correspondence with your clients.
8. Clients may have the ‘right to be forgotten’ – i.e. to have their personal data permanently erased. Where your firm is legally required to keep the data, such as storing a Personal Tax Return for 7 years, your firm may not have to comply with this request.
9. Your clients have the right to opt out of certain types of automated processing and of email marketing.
10. Businesses in possession of the data must also notify other known holders of the data that consent has been withdrawn and data should be erased.
Want to learn more about GDPR for accountants?
For more information and how to assess gaps in your practice's processes, read the full blog.
You can also watch our free on-demand GDPR webinar with Ian Cooper for trusted answers on the new GDPR regulations – specific to the accountancy industry.