Replies (5)
Not sure I agree with some of the information contained in this article. To be fair to the author, I think it was written with a different context and audience in mind. With a different hat on it reads very well, but I don't think it is great for a professional services audience.
Let's be clear. GDPR relates to personal data i.e. where a data subject (a living person) can be identified. I agree that accountants do hold sensitive information, but mainly company information which may not contain personal information. However, if you run the payroll for a client, you will indeed hold personal information. Some of this may be sensitive which does hold the higher level of fine. (BTW the fines are €20M not £20M, but what's £3M between friends.)
The author has done a very good job of making the reader think. Reading this you should be asking a number of questions about the data you have. A data audit is the first step. Then just approach the data in the same way you approach other risks to your business. The difference with GDPR however is that you also need to assess the risks to the data subject, not just the business risk.
One final point is the role businesses play.
Data you have collected is 'your' data and you are responsible for it. You are the data controller. Technically not true either. In fact, the data is owned by the data subject, but we can discuss that later.
Data that you have been provided by a client is not your data. You may only process it in the way that the Controller (your client) has instructed you to. You should review all of your contracts - upstream and downstream. In this case you are the Data Processor. You now can be fined by the ICO if it is not processed correctly. To go back to the payroll example, you need to check that you have lawful grounds to process the information. I think in payroll you do but do check the contract. Or do you hold the names and addresses of shareholders? Why? Even storing personal data is processing it.
OK - now turn it round and start to look at the services that other businesses do for you. Your role and responsibilities will be different.
Lastly look at it from your own personal perspective. This is when it all starts to make complete sense. You own the information about you. No one else. They have responsibilities to you. You have new rights and protections. It is a huge step forward to protecting you and as a business thinking about it in that way will help you prepare. I can plan the rest!!
Are the fines correct at £20m or 4% of annual turnover, whichever is the greater?
In my case £20m will be more than 100% of 20 years' turnover so I may as well file for bankruptcy now!
There are two levels of fine. €20m or 4% of international turnover, or €10m or 2% of turnover. So if your turnover is £100,000 the maximum fine would be £4,000. In addition data subjects could sue for damages. These can be direct and now indirect damages. However don't focus on that. Too many consultants market on the fines. It is actually really good law. Did I really say that! Actually yes. It is a really positive step forward for individuals and businesses. You just have to work differently.
The article states that the fine is €20m or 4% of turnover whichever is the greater.
Thus, if 4% of turnover is less than €20m then the fine must be €20m as that is the greater figure.