Wolters Kluwer blog


Start your GDPR preparations now!

Posted by Paul Brace on 02-Aug-2017 09:13:32

The General Data Protection Regulation (GDPR) replaces the Data Protection Act on 25 May 2018.  While this may seem a long way off, most organisations need to start preparing now to make sure they’re ready for implementation.  Here’s our guide to how accountancy practices can make a start with their GDPR preparations.

A lot to do before May 2018

The GDPR extends the definition of personal data, provides increased rights for individuals and gives increased powers to regulatory authorities to take action against data controllers and data processors who don’t comply with it.

There are eye-watering upper limits to the fines that the Information Commissioner’s Office (ICO) can impose, so you need to be able to demonstrate that data protection is an integral part of your business policies and practices. The GDPR makes privacy by design an express legal requirement, under the term ‘data protection by design and by default’. This means that data protection must be a key consideration when designing systems, rather than an afterthought.

The ICO is gearing up

The ICO is clearly committed to ensuring that organisations are properly prepared and monitored – they’re gearing up for the task by employing 200 additional staff.

“With the coming of the GDPR, we will have more responsibilities and new enforcement powers,” said UK information commissioner Elizabeth Denham.  “For example, there will be a mandatory requirement for companies and public bodies to report to us when there is a security breach involving personal information.”

What you need to do

Article 24 sets out the principle that, in order to comply, organisations must implement “appropriate technical and organisational measures” to ensure that they can demonstrate the processing of personal data is performed in accordance with the GDPR. What is “appropriate” depends on the circumstances – what works for one organisation does not necessarily work for another – but the obligation to demonstrate compliance exists in all cases.

If you start your preparations now, you’ll begin to understand what personal data you process and where it’s being held.  You’ll also be able to test whether the procedures you already have in place to protect it are adequate.

As a minimum you need to:

  1. Allocate responsibility for GDPR within your organisation and raise awareness.
  2. Fully document the information you hold across the business – where it originated, where it’s stored, how it’s processed and who you share it with.
  3. Carry out a Privacy Impact Assessment – know your risks.
  4. Review your privacy notices, engagement letters and contracts.
  5. Review your procedures to ensure that risks are covered, personal data is secure and you can comply with the rights of individuals.
  6. Review how you seek, record and manage consents.
  7. Update your procedures relating to the detection and reporting of breaches.
