GDPR update and its impact on accountancy practices

Richard Kemp, Kemp IT Law29 March 2017

PresentationtoTheAlternativeAccountancyStrategicITConference

Elizabeth Denham speech to ICAEW, 17.01.17

u “On a basic level, your jobs involve handling personal data. Payroll info, employee details, people’s expenditures. It’s your responsibility to keep that information secure and ensure that individuals’ rights are respected, with the risk of enforcement action and damaging publicity for your company if you get that wrong.”

u “The GDPR doesn’t change that. If anything, it places more onus on you to handle information correctly. For the businesses you work with, that includes keeping data secure by protecting it from cyber attack, a growing area of risk.”

u “I know that for most businesses, you’re not just the people who do the accounts. You’re a source of advice, good practice, assurance and protection from risk. You’re in a good position to explain to your clients and organisations how the issues I’m going to talk about today are a competitive advantage if they get them right.”

Quick GDPR update

u Brexitu “The big question is what happens when the UK leaves the EU. It’s possible that,

Parliament will debate amending the GDPR.. we will be banging our drum for continued protection and rights for consumers and clear laws for organisations. HMG will also need to answer questions about whether the UK will keep the UK’s data protection law at an equivalent standard to the EU, to allow unrestricted data flows with EU countries. We need strong data protection laws to achieve all that.”

u Privacy Shieldu “The EU-US Privacy Shield is subject to a review in summer 2017 … the advice for

businesses is that Privacy Shield is a legitimate basis for transferring personal data to the US. The ICO welcomed the additional safeguards it provided compared to the previous safe harbour arrangement.”

u Article 29 WP currently preparing GDPR guidanceu More guidance, consultations at national level

u March 2017 ICO Consultation/Draft Guidance on Consentu March 2017 RoI DPC Consultation on Consent, Profiling, Personal Data Breach

Notifications and Certification

Sources of duties and obligations

u general law – negligence, DPA/GDPR, etcu professional conduct

u ICAEW Code of Ethics, section 130.1(b): “The principle of professional competence and due care imposes the obligations on all professional accountants … to act diligently in accordance with applicable technical and professional standards when providing professional services.”

u ACCA Global Quality Assurance Standards, paragraph 2.7: “Maintain systems to allow easy access to information stored electronically and implement controls to ensure the security and integrity of this data is safeguarded.”

u engagement arrangementsu client engagement letters, etc

u contractual flow-down of regulatory obligations where client is in a regulated sector (e.g. financial services, healthcare)u These may specifically impact e.g. information security, data protection, etc

Top concerns around the GDPR

42%

37%

34%

32%

32%

29%

26%

25%

21%

1. new penalties

2. consent requirements

3. territorial scope

4. new personal data categories

5. new profiling restrictions

6. data breach notification

7. new duties for data processors

8. right to be forgotten

9. accountability requirements

ICO’s action list to prepare for GDPR

State of preparedness – Nov 2016, Trust E

ICO’s 12 steps to prepare for the GDPR

1. & 11 awarenessu senior management

u DPO/CISO/IT Director, etc

u project plan up to May 2018

2. document what PD you holdu where it comes from

u who it’s shared with

u do you need an information audit?

3. review and update privacy noticesu engagement letters

u privacy, security policies (staff handbook)

u website & other notices

4. check procedures to meet individuals’ rightsu right to be informed

u deletion and rectification of PD

u see also step 3

5. subject access requestsu ‘remote access to a secure self-service system’

u within one month

6. legal basis for processing personal datau consent

u ‘necessary’ for complying with a legal obligation

ICO’s 12 steps to prepare for the GDPR

7. consentu ‘freely given, specific, informed and unambiguous’u evidencedu must be easily withdrawable

8. childrenu verify ageu show parental/guardian consent

9. data breachesu breach of security u leading to loss, alteration, unauthorised disclosure of/access to PDu assess risk case by caseu notify within 72 hours of awareness

ICO’s 12 steps to prepare for the GDPR

10. Privacy Impact Assessments/by Designu for projects for e.g. new IT, data sharing, databases, services, etc.

u carrying out & documenting the PIA processu identify need and describe data flows

u identify privacy risks and assess solutions

u agreed and record outcomes

u integrate outcomes into project plan

u consult stakeholders throughout process

12. Internationalu who is your regulator?

u where is data held (e.g. Cloud)?

u model clauses, privacy shield, etc

ICO’s 12 steps to prepare for the GDPR

Top tips & takeaways

u importance of training and awareness - greatest risk is still the basics:u thumb drives

u laptop left in taxi

u loss of hard copy documents

u documents faxed to wrong number

u emphasis on data & system securityu business continuity and recovery

u data storage & deletion

u firms’ cloud strategies

u note importance of due diligence, reliance on ISO, etc standards

u senior management buy-in u understand how the GDPR broadens and deepens obligations

u ‘put data protection accountability at the centre of your business processes’

u project planning in run up to May 2018u strategy – policy – process statements

u update:u documentation – policies, procedures, etc

u client engagement arrangements

u assess data assets

u develop a proportionate firm PIA policyu policy + template

u Implement for new IT systems, etc and products/services

Top tips & takeaways