The General Data Protection Regulation (GDPR) replaces the Data Protection Act on 25 May 2018. While this may seem a long way off, most organisations need to start preparing now to make sure they’re ready for implementation. Here’s our guide to how accountancy practices can make a start with their GDPR preparations.
A lot to do before May 2018
The GDPR extends the definition of personal data, provides increased rights for individuals and gives increased powers to regulatory authorities to take action against data controllers and data processors who don’t comply with it.
There are eye-watering upper limits to the fines that the Information Commissioner’s Office (ICO) can impose so you need to be able to demonstrate that data protection is an integral part of your business policies and practices. The GDPR makes privacy by design an express legal requirement, under the term ‘data protection by design and by default’. This means that data protection must be a key consideration when designing systems, rather than an after-thought.
The ICO is gearing up
The ICO is clearly committed to ensuring that organisations are properly prepared and monitored – they’re gearing up for the task by employing 200 additional staff.
“With the coming of the GDPR, we will have more responsibilities and new enforcement powers,” said UK information commissioner Elizabeth Denham. “For example, there will be a mandatory requirement for companies and public bodies to report to us when there is a security breach involving personal information.”
What you need to do
Article 24 sets out the principle that, in order to comply, organisations must implement “appropriate technical and organisational measures” to ensure that they can demonstrate the processing of personal data is performed in accordance with the GDPR. What is “appropriate” depends on the circumstances – what works for one organisation does not necessarily work for another – but the obligation to demonstrate compliance exists in all cases.
If you start your preparations now, you’ll begin to understand what personal data you process and where it’s being held. You’ll also be able to test whether the procedures you already have in place to protect it are adequate.
As a minimum you need to:
- Allocate responsibility for GDPR within your organisation and raise awareness.
- Fully document the information you hold across the business – where it originated, where it’s stored, how it’s processed and who you share it with.
- Carry out a Privacy Impact Assessment – know your risks.
- Review your privacy notices, engagement letters and contracts.
- Review your procedures to ensure that risks are covered, personal data is secure and you can comply with the rights of individuals.
- Review how you seek, record and manage consents.
- Update your procedures relating to the detection and reporting of breaches.
Get help from Wolters Kluwer
- We’re hosting a series of seminars in September and October. Find out more about venues, locations and content here.
- For our customers, we’ve created a new section on our Support website dedicated to GDPR – if you’re an existing Wolters Kluwer software customer, you can access it here.