ICAEW has issued guidance and a quick checklist for accountants to ensure they comply with the General Data Protection Regulations, due to come into force on 25 May
Although the law does not require full GDPR compliance before the regulations take effect, it is important to have at least started the compliance process. Failure to comply brings with it substantial fines, and all businesses must adhere to the rules.
It’s not too late to get started with GDPR, but you do need to get started soon. Remember not everything has to be completed by 25 May 2018, but you must have made a start.
The GDPR updates existing EU legislation on data protection rather than introducing new rules. It is an update, not a wholesale revision, to meet the changes in technology and data use over the last 20 years.
It will apply to all European Economic Area (EEA) countries and any individuals or organisations trading with them, including all accountants and accountancy firms.
As it comes into force this year, before the UK leaves the EU, UK individuals and organisations must ensure compliance with the new regime. Furthermore, the Data Protection Bill will incorporate all of the GDPR as well as introducing some new provisions, so that the UK will remain GDPR compliant post-Brexit.
Jane Berney, ICAEW business law manager, said: ‘It may seem daunting but there are a few key steps firms need to take to begin the process to get GDPR ready.
‘The Information Commissioner’s Office is not expecting every organisation to have all policies and procedures in place on 25 May, but it will expect every organisation to have made a start and to have a plan on how it will be GDPR ready and when.
‘Remember, this is not a one-off event. GDPR compliance requires that all policies, training and procedures are reviewed and updated on a regular basis.’
1. Appoint someone senior to oversee the process. It is not just a matter for the IT department, so it is essential that a senior member of staff such as a director, partner or senior manager takes responsibility for overseeing the process.
2. Review existing information and cyber security and update as necessary. This does not have to be an expensive revamp; it can be a refresh tailored to the complexity of your organisation and IT set-up.
3. Map your data. Before you assess what has to be done, you need to know what data you have as this will inform you what to do next.
4. Review contracts with clients, suppliers and employees to ensure GDPR compliance. You will need to understand your status and responsibilities in relation to both client data and firm data. At the very least, contracts will need to be updated to reflect the requirements of the GDPR.
5. Draft data protection policies and procedures. The GDPR introduces the principle of ‘accountability’ – this means all organisations must not only ensure they are compliant with the GDPR but also be able to prove it.
6. Train staff. Not all staff will need to understand the GDPR in its entirety, but all staff should at least be aware that data protection is an issue for everyone.
ICAEW GDPR checklist issued 8 May 2018
Report by Sara White