Billed as the “most important change in data privacy regulation in 20 years”, GDPR is due to take effect 25 May 2018. So what is the regulation, what changes will it bring about and why should accountants take notice?
What is GDPR?
Approved by the European Parliament in April 2016, GDPR is an EU regulation that replaces the Data Protection Directive 95/46/EC. Because it is a regulation rather than a directive, it applies directly in every member state without needing national implementing legislation. It aims to harmonise data privacy law across Europe and to strengthen the protection of personal data.
Where, to whom, and to what does GDPR apply?
GDPR applies to all organisations established in the EU (regardless of size) that process or hold personal data. Furthermore, it no longer matters where the processing itself takes place: controllers and processors established outside the EU are also subject to the regulation if they offer goods or services to individuals in the EU, or monitor the behaviour of individuals in the EU.
Definitions of controller and processor
A controller is defined by the Information Commissioner’s Office as an individual or organisation that “determines the purposes and means of the processing of personal data”.
A processor is defined as an individual or organisation that processes personal data on behalf of a controller.
Personal and sensitive data
GDPR applies to both personal data and sensitive personal data. Personal data is any information relating to a person who can be identified, either directly or indirectly. This includes a name, email address, bank details, photo, medical information or an IP address. Sensitive personal data concerns the “special categories” of data: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic and biometric data used to identify an individual, health data, and data about a person’s sex life or sexual orientation. Processing these categories is prohibited unless one of a limited set of conditions applies.
Consent
One of the key changes introduced by GDPR relates to consent. Where an organisation relies on consent, the request must be clear, in plain language, and separate from other terms and conditions; pre-ticked boxes and silence do not count. Individuals must find it as easy to withdraw their consent as it was to give it.
GDPR imposes much heavier penalties on organisations that fail to comply with the regulation (see the figures under the implications for accountants below).
Breach of data
If a personal data breach occurs, the controller must notify the supervisory authority (in the UK, the ICO) within 72 hours of becoming aware of it, unless the breach is unlikely to “result in a risk to the rights and freedoms of individuals”. Where the breach is likely to result in a high risk to those individuals, the controller must also tell the affected individuals without undue delay. GDPR requires data processors to notify the controller of a breach “without undue delay” after becoming aware of it, so processing contracts should spell out how and how quickly that notification happens.
Individuals will have the right to ask a data controller to confirm whether their personal data is being processed, where it is being processed and for what purpose. They will also have the right to receive a copy of that personal data from the controller, free of charge in most cases and, where the request was made electronically, in a commonly used electronic format. The previous £10 fee and 40-day response period are replaced by a one-month deadline.
Individuals will have the right to be forgotten (the right to erasure), through which they will be able to request that the controller deletes their data. The right is not absolute: it applies, for example, where the data is no longer needed for the purpose it was collected for or where consent has been withdrawn, and it does not override a legal obligation to retain records, such as statutory record-keeping periods that accountants are bound by.
Data Protection Officers
Organisations that are public authorities, or whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of sensitive personal data (or data on criminal convictions and offences), will be required to appoint a data protection officer (DPO). Other organisations may appoint one voluntarily, but a voluntarily appointed DPO is subject to the same requirements.
A DPO will be responsible for advising an organisation and employees on GDPR compliance obligations; monitoring GDPR compliance, including training employees and conducting internal audits; and being the key contact for individuals whose data is processed as well as supervisory authorities.
Organisations should ensure that the DPO reports to the highest management level within an organisation, that they are able to operate independently and that they have sufficient resources to carry out their GDPR duties.
What are the implications for accountants?
Accountants handle a vast amount of data, both client and employee, on a daily basis. Firms will need to ensure that their systems are robust enough to meet GDPR requirements and that the data is protected in line with GDPR provisions. To determine whether operations comply, firms may need to audit current procedures to identify if and where they fall short: what personal data is held, where it came from, the lawful basis for processing it, who it is shared with, how long it is retained and how it is secured.
By failing to comply, accountants leave themselves open to significant penalties. Fines fall into two tiers. Infringements of obligations such as record-keeping, security and breach notification can attract fines of up to €10m or 2% of annual worldwide turnover, whichever is higher. Infringements of the basic principles, of individuals’ rights or of the rules on international transfers can attract fines of up to €20m or 4% of annual worldwide turnover, whichever is higher.
As accountants position themselves as strategic advisers to clients, GDPR is an opportunity for firms to demonstrate to clients that they can securely hold and process information in line with data requirements, and that protection of client data is a priority for the practice. As a result, clients are likely to see their accountants as trusted professionals to whom they can entrust business and personal data, and with whom they can partner to drive their business forward.