9th Oct 2017
The EU General Data Protection Regulation will apply to your business and your client's businesses.
If you'd like a quick chat about the impact, please get in touch.
28th Sep 2017
There are two levels of fine. €20m or 4% of international turnover, or €10m or 2% of turnover. So if your turnover is £100000 the maximum fine would be £4000. In addition, data subjects could sue for damages. These can be direct and now indirect damages. However, don't focus on that. Too many consultants market on the fines. It is actually really good law. Did I really say that? Actually, yes. It is a really positive step forward for individuals and businesses. You just have to work differently.
28th Sep 2017
Not sure I agree with some of the information contained in this article. To be fair to the author, I think it was written with a different context and audience in mind. With a different hat on it reads very well, but I don't think it is great for a professional services audience.
Let's be clear. GDPR relates to personal data, i.e. where a data subject (a living person) can be identified. I agree that accountants do hold sensitive information, but mainly company information, which may not contain personal information. However, if you run the payroll for a client, you will indeed hold personal information. Some of this may be sensitive, which does carry the higher level of fine. (BTW the fines are €20M not £20M, but what's £3M between friends?)
The author has done a very good job of making the reader think. Reading this you should be asking a number of questions about the data you have. A data audit is the first step. Then just approach the data in the same way you approach other risks to your business. The difference with GDPR however is that you also need to assess the risks to the data subject, not just the business risk.
One final point is the role businesses play.
Data you have collected is 'your' data and you are responsible for it. You are the data controller. Technically not true either. In fact, the data is owned by the data subject, but we can discuss that later.
Data that you have been provided by a client is not your data. You may only process it in the way that the Controller (your client) has instructed you to. You should review all of your contracts, upstream and downstream. In this case you are the Data Processor. You can now be fined by the ICO if it is not processed correctly. To go back to the payroll example, you need to check that you have lawful grounds to process the information. I think in payroll you do, but do check the contract. Or do you hold the names and addresses of shareholders? Why? Even storing personal data is processing it.
OK, now turn it round and start to look at the services that other businesses do for you. Your role and responsibilities will be different.
Lastly, look at it from your own personal perspective. This is when it all starts to make complete sense. You own the information about you. No one else. They have responsibilities to you. You have new rights and protections. It is a huge step forward in protecting you, and as a business, thinking about it in that way will help you prepare. I can plan the rest!!