This just highlights how some of the practicalities of GDPR have not been properly thought through.
Another practical issue is that if someone wants to be forgotten, how do you remove them from a backup file?
Jon - not sure this is any different, the backup is just a snapshot of the live data at that point and so, unless you or the client has a valid reason not to, you just delete it after 6-7 years?
The point being that if for example I take a simple Windows backup of all the files on the system today, then in a month's time receive a right to be forgotten notice, it is impossible to delete the individual client from within a backup file. Either you delete the whole backup file (which by deleting other clients' data as well risks losing their data and causing a personal data breach), or you don't, in which case you are not complying with the notice.
I completely agree Jon. I am an Apple Mac practice and I take weekly complete back-ups of all machines which go back for years. I also use Apple's Time Machine which makes a backup of my HDD every hour! That is a lot of files to trawl through to delete data on one particular client.
I don't think that GDPR has been thought through in terms of the 'right to be forgotten'. For years we have been encouraged to back up regularly and, with disc storage being so cheap, the days of Grandfather-Father-Son backups are long gone.
Speaking to a client recently (who has been all over GDPR since the start) he believes that the trigger point will be when there is a data breach. When this happens (website or computer is hacked) the victim of the data loss will be asked what data has been taken and was it necessary to hold that data. This sounds like a sensible, and possibly the only way to police GDPR. As long as backups are well-encrypted (which most are) the un-encrypted data from backups will not be in the public space and so won't be an issue. I believe that the idea of removing data from backups will, with hindsight be seen as a GDPR red herring...that is the horse (or perhaps fish) that I am betting on.
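An added illustration of the backup problem raised above (this is an editor's example, not a post from the thread and not anyone's posted code): the usual engineering answer to "I cannot delete one client from a backup file" is crypto-shredding. Each client's records are encrypted under that client's own key before they ever reach a backup, and the keys are kept out of the backups. Forgetting a client then means destroying their key, which leaves every old snapshot intact for the other clients while making that client's blobs permanently unreadable. Whole-backup encryption under one key, as mentioned in the post above, keeps data out of public view but gives no selective deletion. The `Practice` class, the client names and the record contents are constructed for the demonstration; the cipher is a standard-library stand-in for a proper AEAD, chosen only so the script runs without extra packages.

```python
"""Crypto-shredding: per-client keys so a client can be "forgotten" without
touching historical backups. Added example, not code from the thread.

Illustrative cipher only: HMAC-SHA256 in counter mode plus an HMAC tag, so the
script runs on the standard library. A real system would use an AEAD such as
AES-GCM from a vetted library and hold per-client keys in a KMS/HSM.
"""
import hashlib
import hmac
import json
import os

NONCE_LEN, TAG_LEN = 16, 32


def _subkey(key: bytes, label: bytes) -> bytes:
    # Separate encryption and MAC keys derived from the client's master key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # PRF in counter mode: HMAC(enc_key, nonce || counter) blocks.
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(enc_key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("truncated record")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or corrupted record")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


def roundtrip(message: bytes) -> bytes:
    # Sanity check helper: encrypt and decrypt under a fresh random key.
    key = os.urandom(32)
    return decrypt(key, encrypt(key, message))


class Practice:
    """Hypothetical live system: a key store and a record store per client."""

    def __init__(self) -> None:
        self.keys: dict[str, bytes] = {}
        self.records: dict[str, bytes] = {}

    def add_client(self, client_id: str, data: dict) -> None:
        self.keys[client_id] = os.urandom(32)
        self.records[client_id] = json.dumps(data).encode()

    def snapshot(self) -> dict[str, bytes]:
        # Backup holds ciphertext only. Keys are deliberately NOT in the backup.
        return {cid: encrypt(self.keys[cid], rec) for cid, rec in self.records.items()}

    def forget(self, client_id: str) -> None:
        # Right-to-be-forgotten: drop live data and destroy the key. Every old
        # snapshot still contains the client's blob, but nothing can decrypt it.
        self.records.pop(client_id, None)
        self.keys.pop(client_id, None)

    def restore(self, snapshot: dict[str, bytes]) -> dict[str, dict]:
        # Other clients restore normally; shredded clients are skipped.
        return {cid: json.loads(decrypt(self.keys[cid], blob))
                for cid, blob in snapshot.items() if cid in self.keys}


def demo() -> tuple[list[str], bool, bool]:
    """Constructed sample data. Returns (restored client ids, shredded
    client's blob still present in the old backup, that blob undecryptable)."""
    p = Practice()
    p.add_client("acme", {"name": "ACME Ltd", "utr": "0000000000"})
    p.add_client("jon", {"name": "Jon", "phone": "01234 000000"})
    old_backup = p.snapshot()        # taken before the notice arrived
    p.forget("jon")                  # notice received a month later
    restored = p.restore(old_backup)
    try:
        decrypt(os.urandom(32), old_backup["jon"])
        undecryptable = False
    except ValueError:
        undecryptable = True
    return sorted(restored), "jon" in old_backup, undecryptable


if __name__ == "__main__":
    print(demo())   # (['acme'], True, True)
```

The key store becomes the thing you must protect, and its own backups must be deletion-capable (a KMS or HSM, not a copy sitting inside the same weekly image, or the shred achieves nothing). The retention argument made elsewhere in the thread still applies: you would only destroy a client's key once the retention period you have justified for that client has actually run out.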
Being a Mac user I'm not sure what a simple Windows backup is but if a client sends me a right to be forgotten notice, I am still entitled to retain their personal data for my own tax, PI insurance, AML purposes etc (ie per the terms of my privacy notice) and so by deleting backups and other data more than X years old, I'm OK?
Just to expand, this is not just relevant to accountants and the software they impose on their clients, it's also for the clients, after all it's their data, plus many businesses handle it all themselves, with the accountant as monitor.
As with most things "cloud accounting" recently, I found Pandle's (Lee's) approach refreshing, ie they were already on the case before I asked. The impression I get is that this new breed of provider is making the others look staid and "am I bovvered".
The trouble is there are now 30ish systems out there that each treat data in differing ways, ie:
- Some treat the data as the client's (even if I pay the sub) others treat it as mine;
- Some offer the ability to access redundant data for a small fee (eg where client leaves or changes provider) others keep for a period or delete it straight away;
- The content and quality of backups are many and various, I downloaded a full csv backup of a client's 7 years of FreeAgent data when they stopped using it last year and only recently discovered (with much grief) that the backup has no journal entries. Clear Books used to be the only system I knew that offered a full old-fashioned backup, ie a snapshot of the entire data file for download, that could be restored from, but they switched servers and, despite promises, have never reinstated it.
All of these issues, plus the ability, or not, to delete out of date personal data, need to be considered in the terms of each client engagement, ie the client needs to be aware of the risks of the software they, or you, have chosen AND we need to put pressure on the vendors to employ best practice.
PS: When renaming personal data I'd always prefix it with ZZ to let all the dross fall to the bottom of the list
A couple of questions arise ...
1. "HMRC require data to be kept for 6-7 years".
One sees this often stated - but is it a statutory requirement [if so under what statute], or an HMRC Regulation [if so exactly which one]? I have to say I probably knew once, but I've rooted about several times recently on this and have yet to find any definitive reference for the precise requirement.
2. How do you 'prove' you have deleted data?
As far as 'cloud' goes, you have only
a. a contract
b. an inability to get at deleted data
you do not actually 'know' that it has been deleted!
3. Backups are a real issue - many times the circumstance is not one of stuff under multi-year retention.
If someone inquires about your services and you drop them an email or a letter, or even retain their telno, and they ask you to remove them from your ken ... do you even know what backups are taken and where?
Your ISP, for example, retains data under statute as does the telco - but email is 'store and forward' - do we KNOW that intermediate buffers are emptied?
I believe there will be 15 years of court cases before we even know what 'GDPR compliance' looks like.
Deleting info over 6 years old wherever it's stored flags another problem. What happens if an ex-client decides to make a claim against a practice for whatever reason, based on something that happened, say 8 years ago, and the practice no longer has the files (hard copy or electronic) to refer to in order to defend itself?
As I say above, my privacy notice says I'm able to keep client data for the purposes of my own tax, PI etc and so this would enable me to keep it past the 7 years as my PI cover runs for way past that.
That's a good point Paul, but doesn't saying you will be keeping data beyond the statutory minimum period for whatever purpose put you in breach of GDPR rules?
The statute of limitation comes into play which is 6 years.
An old client after 8 years cannot try and hold you liable if they have not in the first instance started a civil case against you within the 6 year period, which would trigger you to get all your data together on said client to prove your innocence.
Also, which cloud providers etc just rip what they want from your data/have a computer read it for their own nefarious purposes? Computer people just don't understand the concept of privacy and work that is confidential.
But we are all "computer people" these days.
I agree, though there are some nasty ones that dress in red and all of them live under my bed :)
HMRC can go back 20 years (24 coming for offshore) where deliberate behaviour.
Great fun when all the paperwork has gone.
S*d that! 46 years and still waiting for that to happen, but for others, how about:
Privacy notice extract, "On the assumption clients deliberately fiddle their tax and that they are likely to have offshore stuff, they won't tell us about, we'll be keeping personal data for 24 years"
Yup, your privacy notice extract perfectly fits my tax centred professional world which is why I'm not overly fretting about deleting data. I reckon the old client papers in the garage will probably have been destroyed by mice before the 24 years are up so not much for me to do.
What about sending clients non encrypted data back to them? They send you a memory stick with all their sensitive data relating to their year of trading.
Do you send it back in the post which is not secure?
Pay for a courier to ensure delivery to the rightful owner (bear in mind that courier drivers just require a signature) and pass that extra cost on to your client?
Send it guaranteed next day via Royal Mail (again is it secure)?
Pay an employee to hand deliver it and pass said cost onto client?
I am assuming that after a year or so new legislation will ease these difficulties (I refer to the original reporting to SOCA when clients missed their AR deadline and we had to report them for theft).
A 2nd issue is HMRC and their 20 years, surely as both business and tax advisers we owe a duty of care to our clients to ensure that both they and ourselves can demonstrate that we can both prove that our clients and our own decisions were based on law and that we can prove said decisions.
How do we do this if we are forever destroying vital information and proof?