GDPR for agents: What you need to know now

Abstract concept Internet Cyber Security network with lock
istock_danil_melekhin_aw
Share this content

Julie Hodgskin, technical material author at the CIPP, runs through the requirements, documents and processes needed to comply with the new GDPR regulation.

The new regime

25 May 2018 is the date for implementation of the European Union’s new General Data Protection Regulation (GDPR). The GDPR builds on the UK’s Data Protection Act 1998 (DPA) and enhances the rights that individuals have under current legislation.

Compliance with the DPA means that a lot of the work that needs to be done has already been completed but, to meet the GDPR, enhancements need to be made to processes, procedures and documentation.

All language used must be clear, easily understood and pitched at the user group. Remember that the goal of the new regulation is to put individuals in control of their personal data. Failure to enable this control could lead to fines of up to 4% of global turnover or €20m, whichever is greater.

Documents and processes

As part of the GDPR requirements, documents and processes have been enhanced to guarantee the protection of personal data. Below are some of them, and the enhancements needed.

Consent

Consent under the new regime builds on the existing rules by stating that consent must be given by a positive action on the part of the individual. Having a pre-ticked opt-in box on a form does not comply with the regulation.

The consent text must be clear and specific, unrelated to other text (such as terms and conditions) and must name any third parties who have access to the data. Records of consent must be kept and information on how to withdraw consent must be easily accessible and understandable.

Subject Access Requests

A Subject Access Request (SAR) is a request by an individual to discover what personal data is held on them by the organisation. The request must be in writing.

These requests will become more frequent as time goes by, so it may be worthwhile creating a form that could be used by the individual to give all the information necessary to identify that person and thereby allow the organisation to comply with the request.

The request must be dealt with within one month of receipt (the present rule is forty days), and although currently an organisation can charge a fee, after the implementation of GDPR, the first copy of personal data must be supplied free of charge.

Privacy notice

The DPA required the privacy notice to display the name of the data controller, why the data is processed and other relevant information relating to the processing of data.

The GDPR goes further and states that the information should be written so that it is concise and easily understood, written with the user in mind, and provided free of charge.

The notice should be tested by volunteers from the target group, rolled out when any amendments are completed and reviewed regularly, with feedback given.

Privacy Impact Assessments

Carrying out Privacy Impact Assessments (PIA), while not mandatory, is recommended to measure the impact on personal data of any projects or plans implemented by the organisation.

The project or plan could be new, or it could be enhancing an existing system. A new computer system, or an upgrade or enhancement of an existing computer system, where personal data is impacted, is one example where a PIA would be used. The PIA is designed to be a flexible process and therefore easily incorporated into an organisation’s existing procedures.

The use of a PIA could be the difference between the safeguarding of personal data and a data breach and potential fine.

Implementation

The Information Commissioner’s Office (ICO) identifies the areas of an organisation’s business that need reviewing in a document titled the ‘12 steps to take now’.

The twelve steps can be broken into three distinct areas: information, management and procedures. By identifying the three areas, the tasks and actions can be distributed so that no single person is overwhelmed by the volume of work to be done. The suggested method of handling the implementation of GDPR is to create a steering committee.

Steering committee

To implement the changes needed, a good place to start would be to form a steering committee. The steering committee would oversee the whole project, identify and allocate tasks, monitor and document progress, helping to ensure that the GDPR requirements are met by the deadline date.

If there are not enough people within the organisation to form a committee, here are some options to consider. The organisation could team up with another that fulfils the same or similar function. For example, all chartered and licensed accountants have to name a person or practice who would take over the work in case of incapacity.

Other associations will have the same requirement, but even if it is not a requirement, an agreement between organisations to work together on projects of this size would always be a good idea.

Teaming up in this way would not only ensure that the workload is reduced and that more ideas and solutions are generated, but there would be familiarity, improvement and standardisation of processes and procedures between the organisations that could benefit both organisations and customers alike.

Another option would be to divide the tasks, information, management and procedures as below, and allocate time to work on the tasks identified.

Information

Organisations will have to audit all personal information that they hold. The audit should cover what information is collected, how it is processed, where it is stored, who it is shared with, how long it is retained and when it is destroyed.

There is a fundamental question that needs be addressed: is the information needed at all? That question is very relevant to sensitive personal data such as racial or ethnic origin, political opinions, religious beliefs or sexual orientation, which might be asked for, but may not be relevant to the service given to the customer or client.

All information on GDPR must be easily accessible, internally and externally, on a webpage, with links to important information and documents as necessary.

Management

Management will need to understand the resourcing implications of firstly, meeting the GDPR requirement, and secondly, maintaining and monitoring compliance. Appointing a senior level manager to oversee and take ownership of the GDPR will indicate that the organisation is committed to the regulation and sees data protection as paramount.

A programme of staff training will need to be implemented. This should happen not only on the initial implementation of the enhanced procedures but regularly on an ongoing basis.

Third party audits and contracts will need to be actioned by management to ensure the protection of any personal data accessed by third parties. Again, having a named manager at senior level authority over the whole process will give it the importance and formality needed. This commitment is very relevant in the event of a data breach, given that there is a legal requirement to report the breach within 72 hours of it becoming known.

Procedures

All procedures will need to be documented and reviewed for compliance with the current DPA, and either enhanced or created for meeting the individual’s rights to data access, data amendments and data deletions. For example, because the timescale for complying with SARs has been reduced to one month, existing procedures must be amended or new ones written to encompass this change.

Conclusion

The deadline is only nine months away - not a lot of time given the amount of work needed to meet the requirement. Taking a calm and ordered approach, though, will go a long way in meeting the goal, beginning with understanding what is in involved. Hopefully, the information above is both a practical and useful initial step on your journey.

About Julie Hodgskin

CIPP

Julie Hodgskin is technical material author at the Chartered Institute of Payroll Professionals.

Replies

Please login or register to join the discussion.

avatar
23rd Aug 2017 14:55

Thanks, Julie. This is really helpful, we are having an ICB meeting tomorrow in Glasgow about this subject, which is a struggle with a such a lack of info.

Thanks (2)
avatar
24th Aug 2017 10:41

For a small one man form of accountants with no staff, this really does look like overkill. The usual reason we keep any personal data is for tax, and that would not normally include any of the more esoteric information such as religion, political views, sexual orientation, etc. Surely the ICO could exempt us from the majority of the requirements?

Thanks (7)
avatar
to patrickcb
24th Aug 2017 11:06

The ICO cannot exempt you from any of the burdens of GDPR other than as laid down therein.
A 'safe' way to look at this is
"Processing of all Presonal Data is Illegal unless I have the individual's consent for that data that is NECESSARY for the specified processing"
Accounting practice processing includes inter alia,
o Setting up the account
o Communication with HMRC for personal tax
o Communicating with HMRC for trade taxes
o Communicating with Bank
o Communicating with other [specified] regulatory bodies
o Backup and archiving data in [specify territory]
o Use of the data for testing new software systems
o Automatic processing of data
...

Thanks (0)
avatar
to dgilmour51
24th Aug 2017 11:22

Presumably such permission could be gathered annually via the letter of engagement? What's the ICAEW's take on all this?

Thanks (0)
avatar
to patrickcb
24th Aug 2017 11:43

Looks like a good way of gathering it - so long as you can also update the metatags on the client record.

from the ICAEW's website:
"The ICO has promised detailed guidance. In the meantime, our advice is to check whether the GDPR applies to you and to regularly check ICO's Data Protection Reform for updates."

Thanks (0)
avatar
24th Aug 2017 10:54

Every item of PI data will effectively need a metatag to indicate how consent to hold the data was given and for which processes and for how long.
I have yet to see s/w providers take this up.

GDPR has been in effect since May 2016. There was only a 'stay of execution' on enforcement until May 2018.
It is not yet clear if transgressions committed during this 2-year grace period are retro-prosecutable.
If you you don't like what the ICO is doing [in my opinion far too little, much too late], you can, until Brexit, complain to the regulator in any EU country.

I think a Project Impact Assessment is effectively mandatory as a consequence of Recital 95 and Art.35§1 though I expect this will have to be rolled through the courts in some country before the exact responsibility is understood.

A calm and ordered approach would have been fine in May 2016 - but it is enforcable in less than 200 working days, at which times all breaches have to be self reported to the ICO and each involved data-subject - at which time the data subjects will be able to sue under tort.

The Dept. of Business, whatever its name is this week, has a lot to answer for in its silence on all this.

Thanks (1)
avatar
to dgilmour51
25th Aug 2017 13:11

You lost me the moment you mentioned metatag.

I am not a computer whizz and am in fact a sole practitioner. Accounting is my gig.

I keep data the client gives me for accounting/tax purposes. If that requires me to spend lots of £'s and have to go back to school to learn IT speak then tough, another likely breach.

Thanks (2)
avatar
By chatman
24th Aug 2017 11:23

I'm going to completely ignore this, and see how it goes.

Thanks (7)
avatar
to chatman
24th Aug 2017 11:46

You are therefore in breach and should report yourself [within 72 hrs of 25May2018]
Not to do so is a breach and you should report yourself [within 72 hrs of 25May2018]
et seq. !!

Thanks (1)
avatar
By chatman
to dgilmour51
24th Aug 2017 12:01

I might have to ignore those bits too then.

Thanks (5)
to chatman
24th Aug 2017 19:54

Nice...:o)

Thanks (1)
avatar
to chatman
25th Aug 2017 11:57

Seems the sensible way to go. As usual, I would hope that the regulators apply some common sense (wishful thinking unfortunately) and only penalise obvious abuse, not when I forgot to metatag something. Life is too short and regulated to the point of absurdity already!

Thanks (2)
avatar
to chatman
27th Aug 2017 13:11

chatman wrote:

I'm going to completely ignore this, and see how it goes.

A bit like that MTD thingy - what was that all about?

Thanks (1)
avatar
24th Aug 2017 11:50

Presumably as it an edict from the EU and with Brexit we can safely put it in the bin where it belongs

Thanks (2)
avatar
to meadowsaw227
24th Aug 2017 12:37

Nope
UK is taking it on pretty much unchanged - they just published their thoughts on the UK wording of a statute in every way equivalent.
It even applies to USA companies that store PI data on EU citizens - revenge for FACTA?!?

Thanks (0)
24th Aug 2017 21:31

Many thanks for this post

I would like to make a comment about the data breaches aspect of GDPR.

To do so, I would like to begin by highlighting two recent cases that link together data protection and open source software risk & compliance very well indeed.

Gloucester City Council case:

https://www.out-law.com/en/articles/2017/june/data-protection-fine-shows...

According to the ICO, Gloucester City Council failed to ensure software it was using was updated to fix a vulnerability in coding known as the 'Heartbleed' bug, which was identified in April 2014 as existing in some versions of encryption software developed by via the open source 'OpenSSL Project'.

Although IT staff at the council flagged the need to update the software, a patch issued for the software was never applied, according to the monetary penalty notice issued by the ICO. The patching was "overlooked" at a time when the council was outsourcing its IT to a third party supplier.

Boomerang Video case:

https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2017/06/...

The article mentions that Boomerang Video Ltd was using WordPress, a popular open source software blogging and website content management system. My understanding is that the Boomerang Video Ltd website was developed by a third party using MySQL/PHP which is open source software. Boomerang Video was unaware that the login page contained a coding error. On 5 December 2014, an attacker exploited this vulnerability by using SQL injection to gain access to usernames and password hashes for the WordPress section of the site.

GDPR & OSS:

GDPR includes a section on 'Data Breach'. It is is defined in the GDPR as 'a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data, transmitted, stored or otherwise processed'. A hacker breaking onto an enterprise through an open source software security vulnerability in some enterprise software application and accessing personal data should be of concern to anyone responsible for GDPR compliance.

In a recent survey 96% of the 1,000+ applications examined were found to have open source software in their code, with nearly 70% of these applications having some security vulnerabilities in the open source components used.

I therefore suggest that it is almost impossible for an organisation to say with any confidence that they have data protection well managed and are for example GDPR compliant if they are unable to also clearly state that they have open source software risk & compliance under control.

Thanks (0)
25th Aug 2017 09:04

"GDPR for agents: What you need to know now"

Really!?

Clear as mud. Lots of words but it doesn't really say anything

Someone needs to spell out exactly how this applies to small accountancy practices.

A lot of the information here looks like its been a "cut and paste" job with the relevant sector added accountant/solicitor/IT consultant...

As Chatman has suggested if this is the extent of the advice a lot of small practices will just ignore it.

Thanks (2)
avatar
25th Aug 2017 09:41

Have I missed something, I thought we were leaving the ruddy EU!

Thanks (1)
to Chris Gladwell
25th Aug 2017 10:57

This sort of stuff will happen inside or outside the EU.

Its just that Frage and his ilk can no longer blame the EU for "all bad things".

Thanks (0)
25th Aug 2017 11:04

Presumably its just an update to T&C's which will need to add a "tick here" option before they sign.

And zero enforcement effort "from the top" as usual.

Thanks (1)
avatar
By DMGbus
25th Aug 2017 13:28

Another article published this week on GDPR has an interesting title:

https://www.accountingweb.co.uk/tech/tech-pulse/gdprubbish-misinformatio...

Regarding the text of the article, one paragraph might give comfort to those made unnerved by scaremongers:

" While data protection regulators can and will increase the number and frequency of fines under GDPR, these will be necessary, proportionate, and only ever applied as a last resort. The fines totalling a percentage of a company’s global turnover, be that one billion pounds or not, will be reserved for the largest companies processing the biggest volumes of data and committing the worst data breaches. "

Thanks (1)
avatar
27th Aug 2017 13:06

A helpful article thank you.

Whilst the following recent article will not answer all the questions posted here it will nevertheless help put things into perspective.

https://www.accountingweb.co.uk/tech/tech-pulse/gdprubbish-misinformatio...

Thanks (0)
avatar
01st Sep 2017 10:13

Data protection officers.

MMmm being a one man band, who shall I pick to carry out this task....

Thanks (0)
avatar
28th Sep 2017 11:23

So, to go beyond the question of who keeps what data etc:
do I need to encrypt every email to clients to ensure they are secure?
if so, is this something that goes on in the background if we have the right software, or do my clients need to have a password to open each of my emails?
taking this to a more extreme level, is a letter addressed to a person secure or can it be intercepted? Should we apply a ww2-like cipher for clients to decode?
or as with others, do we just carry on as normal and hope for the best??

Thanks (0)
avatar
By djtax
02nd Oct 2017 09:33

What happens when hit by the following conundrum: Existing client requests all electronic data be deleted (as they are now entitled to do so under GDPR). A few months later HMRC open an enquiry into the client's previous year's Return - for which you have now deleted all records (as per GDPR) ....

Thanks (0)