In a little over two weeks, GDPR will take effect across the EU. It applies to any organisation, regardless of its size and whether or not it is based in Europe, that holds or uses the personal data of individuals in the EU.
In previous blog articles and downloadable guides, we’ve gone into some detail about how your accountancy practice can meet its obligations under GDPR. This close to 25 May – the date of implementation – we’re taking a step back to look at the core principles that underpin GDPR.
Understanding the principles behind GDPR helps to put the new regulations into context, guiding an interpretation of how they should be implemented.
Accountancy practices, their SME clients and other affected organisations need to make sure that all their data processing activities are consistent with these seven principles, set out in Article 5 of the GDPR:
- Lawfulness, fairness and transparency
When data is collected, it must be clear why it’s being collected and how it’s going to be used. Organisations that collect data must be able to provide details of their data processing activities when asked by data subjects.
- Purpose limitation
Organisations must have a specified, explicit and legitimate reason for collecting personal data; they must not carry out further processing that is incompatible with those stated purposes.
- Data minimisation
Organisations must collect and keep only the personal data that is adequate, relevant and limited to what is necessary for their processing purposes.
- Accurate and up-to-date
Personal data must be accurate and, where necessary, kept up to date. Reasonable steps must be taken to erase or correct inaccurate data without delay.
- Storage limitation
Personal data should be kept in a form that identifies individuals only for as long as necessary for the purposes for which it was collected (it can be kept longer solely for archiving in the public interest, or for scientific, historical or statistical research, subject to appropriate safeguards). Every copy counts: backups, exports, spreadsheets and test datasets are subject to the same retention limits, so this principle discourages organisations from making copies of data they do not need.
- Confidentiality and security
Those who collect and process personal data are responsible for keeping it secure, using technical and organisational measures appropriate to the risk. That covers internal threats such as unauthorised access or use, accidental loss, destruction and damage, as well as external threats such as malware, theft and other cybercrime. Article 5 refers to this as the integrity and confidentiality principle.
- Accountability and liability
Organisations are fully answerable for the way they collect, store and process personal data. They must make sure that every part of their GDPR compliance is open to audit, and they need to be able to demonstrate that they have taken the steps appropriate to the risks their data subjects face.
Understanding these seven core principles is a good first step towards compliance, but clearly it’s not the whole story. GDPR compliance isn’t just a matter of doing the right thing – it’s also about documenting what you’ve done and being able to show evidence if required.
For many organisations, the simplest and most reliable way to achieve this is through a dedicated GDPR compliance and governance system. We’ve partnered with a leading online solutions provider to provide exactly that for accountancy practices and their clients.
This cloud-based software brings together everything you need for GDPR in one place. Simple checklists and workflows generated by the software steer you through each aspect of compliance. The system helps you log, report and manage data breaches and it allows you to update all your privacy notices from a single location.
Get in touch today to find out more.