GDPR: A guide for accountants in practice
The reasoning behind the ICPA asking Mark Lee and Armstrong Media to produce this booklet in March, on the eve of the launch of the GDPR on 25 May 2018, was to bring a level of honesty to the debate which, thus far, has been the reserve of organisations with something to sell, or purporting to have all the answers. In fact, they have very few, and we’ve seen scaremongering almost on the scale of the ‘millennium bug’.
Yes, GDPR is coming on 25 May 2018 but here and now there are still so many gaps in our knowledge that I feel it appropriate to replicate a few quotes that I feel are important to take on board:
- “Sadly there are no quick and simple ways to ensure that you are compliant with GDPR” –
- “At the time of writing the exact impact of the GDPR isn’t yet known. For example, we lack practical examples of what agencies such as the Information Commissioner’s Office are likely to find acceptable or objectionable, and some of the wording of the GDPR legislation is open to interpretation.” – Sage
- “Members may like to be aware that ‘Engagement letters for tax practitioners’ are currently being worked on jointly by AAT, ACCA, ATT, CIOT and STEP. A number of changes are required including legislative changes such as the EU General Data Protection Regulation (GDPR). The working party of these professional bodies is working towards issue of the updated guidance and template letters in early summer 2018.” – Joint Working Party statement from AAT, ACCA, ATT, CIOT and STEP (1/02/2018)
- “You won’t need consent for postal marketing” – ICO
- “It’s also true that companies are fearful of the maximum £17 million, or 4% of turnover, allowed under the new law. But it’s scaremongering to suggest that we’ll be making early examples of organisations for minor infringements, or that maximum fines will become the norm” – The Information Commissioner
- “Last year (2016/2017) we concluded 17,300 cases. I can tell you that 16 of them resulted in fines for the organisations concerned… and we have yet to invoke our maximum powers” – The Information Commissioner
No silver bullet
So as you can see from just these few statements, at this moment in time there is no silver bullet that will work for every practice; there is no one single checklist that covers every eventuality because each and every practice is different; and each and every practice works and uses data in myriad ways.
What is important, in March 2018, is that you start working towards compliance: start thinking about your systems, the data you hold, why you hold it and for how long, and put into place systems and documents that record what you do, why and how you do it, and under what authority.
As time passes, more and more information will be available and the ICPA will do everything we can to help our members, but for now, make a start on your GDPR journey with this booklet.