The General Data Protection Regulation (GDPR) will replace the current Data Protection Act on 25 May 2018. With tougher penalties, a wider remit and increased rights for individuals, businesses of all sizes and types – including accountancy practices – need to understand what the regulations mean for them and plan accordingly.
This article – the first in a regular series – provides a brief introduction to GDPR for accountants and tax advisors.
What is GDPR?
GDPR – or the General Data Protection Regulation – replaces the Data Protection Act 1998, which itself followed the 1995 EU Data Protection Directive.
When does it apply to UK businesses?
The regulation came into force on 24 May 2016 but the law will not apply to businesses and organisations until 25 May 2018. Because it’s a regulation rather than a directive, it will apply in the UK automatically after this date, subject to any “derogations” (minor local adjustments) which the UK Government applies. It’s not anticipated that these derogations will change the impact of GDPR on businesses or accountancy practices.
Why is it needed?
Internet and cloud technologies have grown rapidly since the EU Data Protection Directive of 1995, giving companies new ways of using and sharing the personal data that they collect. As well as providing individuals with greater protection in this changed landscape, the EU also want to make data protection law identical across the single market.
Will GDPR be affected by Brexit?
The short answer is an emphatic “No”.
The UK will still be an EU member on 25 May 2018, so GDPR will automatically become part of domestic law and it’s certain to be retained as part of UK law after we leave the EU. Why? Because GDPR applies to all organisations that are resident in the EU, that provide goods or services to individuals in the EU or that process any EU citizen’s personal information.
What are the penalties for non-compliance?
There are fines of up to 4% of annual worldwide turnover or €20 million, whichever is greater.
How will GDPR affect accountancy practices?
GDPR will apply to all organisations of any size that are resident in the EU, carry out business with EU residents or process any EU citizen’s personal information.
For an accountancy practice, here are just a few of the types of data that will be covered by the regulations:
- Data you hold in order to service your clients, for example:
- Data in your practice management systems
- Data in your compliance systems, including personal tax, bookkeeping, payroll and accounting data
- Any working papers that support your compliance work which contain personal data
- Any data you hold for marketing purposes
- Emails and correspondence, both internal and external, since many of these will relate to clients and to their employees and will therefore contain personal data.
GDPR imposes a number of obligations on you in relation to this data. In summary, they are:
- You must have precise knowledge of the data you hold and process, its geography, security usage and composition:
- Is it personal, prohibited, client-related or employee-related?
- How is it captured - is it permitted by law or by the client?
- You must be able to provide information on how the data is used and on the rights of individuals regarding their data
- You must demonstrate that you are managing personal data in a manner compliant with the regulations and be able to supply, on request, the details of the data you hold and how it has been used
- You have to be able to erase every instance of an individual’s data in compliance with the right to be forgotten (including data held in backups)
- You must offer storage or conversion of data in a format that allows portability to other data processors
Over the coming months we’ll be explaining in more detail how these obligations affect tax and accounting professionals and how to prepare your staff and your practice to meet the challenges of GDPR.
Want to keep up to date with GDPR? Why not subscribe to our blog?