There are probably too many blogs and press releases about the GDPR (The General Data Protection Regulation) these days. Here’s how we think the new regulations, coming into force on May 25th 2018, will affect small accountancy practices.
What is data?
It’s worth mentioning straight away that this regulation covers personal data (not company data), i.e. data which can be used to identify a living EU citizen, who may live anywhere in the world!
It affects all businesses, regardless of size, but will have a greater impact on businesses dealing with consumers/clients. Business-to-business organisations do still have to be compliant, but by their nature will not hold as much personal data. So, the information we’re talking about is, for example, your employee data, personal tax clients, payroll details of clients etc.
There is a lot being made about the enhanced requirements to obtain consent. However, consent is only one of six legal bases for processing data. The others include where processing is “necessary for the performance of a contract” and “necessary for compliance with a legal obligation” – for example, the contract you have entered into with your client to provide accountancy services and your legal obligation to perform due diligence checks to comply with money laundering regulations.
The consumer’s expectations about the information you hold and why you hold it are also relevant. You are not holding your employees’ bank details because they’ve consented – you’re holding them to fulfil your legal obligation as their employer to pay them.
There was a query from an insolvency practitioner as to whether he would need to obtain consent from and/or issue privacy notices to the employees of the bankrupt companies he acted for. The answer was, in theory, yes, but, given that he is holding that information as part of the winding up process to inform the Department of Social Protection and pay outstanding wages, the employees would reasonably expect the practitioner to require and hold this information.
However, in all these cases you must consider the legal basis for holding information and if you are subsequently required, or decide, to use the information for another purpose, marketing for example, you should review the legal basis and obtain consent if required.
For more practical hints and tips on data protection and to get you started on your preparations for 25 May, please come to one of our series of courses on the ‘General Data Protection Regulation – What Accountants Need to Know’ at the Talbot Hotel, Stillorgan, County Dublin on one of the following dates: