Data protection law in the UK is set for a radical overhaul in 2018 and accountancy firms should be preparing now for the changes and the compliance challenges that this will bring.
Smartphones, social media and other new digital technologies have transformed how data is collected and current legislation is out of date. The EU General Data Protection Regulation (GDPR) is an attempt to harmonise data protection laws across Europe. The UK's recently announced Data Protection Bill (which will replace the current Data Protection Act) will transpose the GDPR into UK law and will be applicable despite Brexit.
The new enhanced regime, which will be in force from 25 May 2018, has been described by the Information Commissioner as "a game-changer for everyone" since it will affect all businesses that process (i.e. collect, record, use or disclose) data relating to an identified or identifiable natural person ("personal data").
Accountancy firms operating within the EU will not escape the need for compliance with the GDPR regime since they will frequently process personal data as part of their core business activities (e.g. when compiling individuals' tax returns, conducting audits or providing services such as employer solutions), hold personal data on their employees (including sensitive personal data such as ethnicity and criminal convictions data when DBS checks are carried out) and possibly use personal data for marketing purposes.
Insolvency Practitioners (IPs) and bankruptcy trustees are also not exempt from the regime. IPs may receive personal data held by the insolvent company such as employee records, customer lists, lists of debtors and creditors, as well as personal data relating to the directors of the insolvent company. Bankruptcy trustees will receive personal data about the bankrupt such as bank account information. IPs and bankruptcy trustees are data controllers of the personal data which they receive by virtue of their appointment, and they must ensure that they comply with the GDPR when dealing with personal data in this capacity, including when disposing of the assets.
With maximum fines of up to the higher of €20m or 4% of annual turnover, accountancy firms cannot afford to be complacent. So what should firms be doing now to prepare for the new legislation, to minimise the risk of incurring significant fines and potential reputational damage if they are held to be non-compliant? This article gives practical insight on how accountancy firms can best prepare themselves over the coming months.
GDPR Compliance Programme
The GDPR has introduced a new principle of accountability, which will require firms to comply with the law and have appropriate records to demonstrate compliance. Therefore accountancy firms should incorporate a compliance programme to put in place a suite of policies, procedures and audit controls to monitor and ensure compliance. A successful programme is likely to require HR, IT, Business Development, senior executives and input from all other areas of the business to work together to raise awareness of the new regime and its impact on day-to-day business, and to assist with risk assessments and record keeping.
How data is captured and used is more closely prescribed by the GDPR, and therefore accountancy firms should undertake a detailed review of their personal data processing activities. In particular:
Firms should assess the legal basis for processing personal data (e.g. consent, legitimate interest, compliance with law or to perform a contract) and keep a record of the basis.
Firms relying on consent from individuals to process their personal data will need to meet the new, higher standard requiring consent to be informed, specific, freely given, unambiguous and revocable. Pre-ticked boxes, silence or inactivity will not meet the new standard. Accordingly, firms should review client care letters and marketing materials and, where appropriate, ensure consent is renewed.
The new requirement for transparency means firms need to be open about how they process personal data. Privacy notices must be shared with all individuals whose personal data a firm processes and, in essence, should inform those individuals what information the firm holds on them, how it uses it and who it shares it with. Under the GDPR, privacy notices are required to provide a greater level of information and will be far more specific and granular. The most prominent new requirement is that privacy notices must detail the legal bases of processing (e.g. consent, necessary for performance of a contract, legitimate interests). For most firms, this will mean that existing privacy notices will need to be updated.
Individuals will have a new right to require firms to erase their personal data – the so-called "right to be forgotten". This may arise if, for example, the data is no longer necessary for the purpose it was collected for or if the individual withdraws his/her consent. Firms may be able to reject an erasure request if, for example, the data is needed to establish, exercise or defend a legal claim, or where the firm is required by law (including a regulatory obligation) to retain the data. Firms should consider in advance the circumstances in which they would reject a request to erase data, as well as working out how to give effect to any request. Practically this will also require firms to review their retention practices generally as data should not be kept longer than is necessary.
Client data and HR
Many accountancy firms will store personal data on clients and employees.
Client databases – many firms have databases which may store personal data on former, existing or potential clients for marketing purposes. Firms need to consider how client consent was given for processing purposes and, as noted above, recognise that pre-ticked boxes or silence will no longer constitute consent. Firms may wish to prepare new standard templates to obtain consent for marketing purposes, which clearly explain how the data will be used and for how long it will be stored.
HR databases – these will store personal data on employees (former, current and prospective) and their pensions. Firms should consider what the most appropriate legal basis for processing personal data on employees is, and should also carry out periodic reviews to remove data no longer required on former and prospective employees.
Data security and breach
Under the new law, any data breach which is likely to result in a risk to the rights and freedoms of individuals must be reported within 72 hours to the ICO. In these circumstances, such individuals will additionally have to be notified without undue delay.
Firms should review their existing IT security measures. Do they meet the highest security settings of "data protection by design and default" which the GDPR requires for personal data? Is there an appropriate data breach response procedure to manage a major data breach? Is this procedure tested regularly? Do employees know who to report breaches to?
Firms should identify what people within the firm know about data protection measures and the new enhanced regime. Do they know: what constitutes personal data and sensitive personal data? What personal data they hold? How data moves around the firm? How data is processed? How long data is retained for? Regular internal training on the GDPR should be given to all staff so that they understand the new legislation and the implications for the firm if it is non-compliant.
Outsourcing to third parties
There may be occasions where accountancy firms need to send documents to third parties for review. When defending allegations of negligence by a former client, the firm may need to forward documents to its solicitors for advice on the merits of the claim. The firm may wish to use an external document review agency to review large volumes of data and documents (including personal data) to identify only those documents which are relevant to a transaction. The firm may instruct translators in an international transaction to translate foreign language documents into English. What should accountancy firms do to ensure they are GDPR compliant in these situations?
Firms will need to carefully review relationships with third parties and consider what additional provisions may need to be included in these contracts to help ensure compliance with the GDPR. They should ask questions such as: how does the third party process personal data? How long does it store it for? What data security does the third party have in place? Does it have cyber and data breach insurance? In short, firms need to satisfy themselves that any third party handling outsourced data is also complying with the GDPR regime.
With just over 7 months until the new data protection legislation comes into force, firms need to be actively preparing to ensure they are GDPR compliant. For many firms it will be a matter of identifying what measures are already in place, identifying what steps are needed to comply with the regime, and then filling any gaps.
But firms should not be complacent: clients will expect accountancy firms to comply with the new regime; the fines could be crippling; and there is a serious risk of reputational damage for those firms which fall foul of the legislation.