Six steps accountants can take to prepare for GDPR

Dec 01, 2017
Come May 2018, all businesses within the EU will be required to implement the General Data Protection Regulation. Peter Bolger maps out what you can do to make sure your firm is compliant.

Chartered Accountants Ireland has consistently been to the forefront in ensuring the profession it represents remains relevant to business needs in Ireland and abroad. From May 2018, Chartered Accountants in the EU will be required to incorporate new changes, set out in the General Data Protection Regulation (GDPR) and supplemented by the Data Protection Bill 2017 (which is still unpublished), in their businesses. 

While the GDPR becomes directly applicable on 25 May 2018, one should be aware that it is already law in its final form, having been passed by the EU legislators in 2016. The intention behind the GDPR finally becoming directly applicable in the EU is that it will lead to greater harmonisation of data protection rights and obligations throughout the area.

This lead-in period facilitates awareness of the changes GDPR introduces to privacy law and allows businesses to review and update their current policies and practices on the processing of personal data so that these are compliant with GDPR, in so far as is possible, by next May. Contrary to much of the hype surrounding the regulation, one should remember it is not a once-off event or test for compliance. The GDPR marks the beginning of an enhanced approach by lawmakers to individuals’ privacy rights where those individuals are situated in the EU. From 25 May 2018 onwards, businesses will be required to demonstrate ongoing compliance with these rights. This article focuses on some practical measures accountants in Ireland can take over the next six months to prepare their businesses for changes in data protection law.

Application of GDPR

GDPR applies to organisations established in the EU that process personal data, either as a data controller or data processor. In practical terms, this applies to every organisation operating in the EU because of the wide meaning of “processing”. Processing essentially means anything that is done to, or with, personal data (including simply collecting, storing or deleting that data). The meaning of “personal data” is broader under GDPR than it is in Ireland under the Data Protection Acts 1988 and 2003 (DPA). GDPR adds identifying types of data to the definition of “personal data”: 
“an identifier, such as a name, identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.” 

The wider definition of personal data under GDPR reflects the significant impact of technological changes on individuals’ everyday lives. In fact, this is a primary principle underpinning GDPR; to make data protection rules fit for purpose, taking account of the vast technological developments over the last two decades. These changes in technology also extend to how organisations collect and store personal data.

How to prepare for GDPR

Begin data mapping

Accountants, whether practising in accountancy firms or acting as Chief Financial Officers in organisations of other disciplines, may be best placed as the ‘go-to’ person to commence a dialogue on coordinating the organisation’s data mapping. Data mapping is a practical prerequisite for any organisation to plan its GDPR compliance strategy. It involves identifying, understanding and mapping out the data flows into and out of the organisation. To be effective, the process requires information to be collated from all departments in an organisation. This is likely to necessitate the input of senior management and IT. As the data map evolves, you should be able to identify the flow of data, gaps in required contracts and consents for processing data under the GDPR, required impact assessments, risks in security measures and whether the organisation should appoint a Data Protection Officer (DPO).

Review existing contracts and policies

Accountancy firms should review their existing contracts with their customers and suppliers to identify whether the accountancy firm is the data controller or data processor of any personal data it processes under different contracts. The test of data controller or data processor will be determined by the factual matrix and not the terms the parties ascribe to the relationship in a contract. This involves identifying the different categories of data held by your business, the purpose for which you process it, the categories of data subjects, who you share the data with and on whose authority. 

If an incorrect entity is designated data controller or data processor, it is recommended that the contracts are amended prior to May 2018 to ensure they reflect the provisions under GDPR. In many cases, accountants will be the data processors of their customers’ personal data, but there may be circumstances where they will be joint data controllers. If this is the case, it is recommended that further advice is sought.

Get new consents that meet GDPR standards

The principle of consent is fundamental to GDPR. GDPR increases data controllers’ and data processors’ obligations to obtain an individual’s consent to process personal data as part of their business activities. GDPR provides that, where consent is relied on as the basis for processing personal data, the consent must be “freely given, specific, informed and unambiguous”.

If your business currently relies on consent for processing personal data, double-check that the consent practices comply with the GDPR. Where possible, it is recommended that organisations rely on a basis other than consent, such as compliance with legal obligations or legitimate interests, for processing personal data. However, this exercise cannot be artificial. For example, if your business sends direct marketing material to clients, you will need fresh consent from each client to do this under GDPR. It is unlikely that direct marketing will be considered a legitimate interest of an accountant’s practice. It will be important that consents are kept entirely separate from other terms and conditions related to your organisation’s offerings. It is equally important that you are able to demonstrate that the consent was freely given, clear, informed and required an affirmative action by an individual. It is likely that consent will require an audit trail so that organisations’ consent processes can be independently evaluated.

Carry out Data Protection Impact Assessments

GDPR makes privacy by design an express legal requirement. Accountancy firms typically have access to their client’s personal data during financial audits. The nature of audits, which may include special categories of personal data, akin to sensitive personal data under the current DPA, means it is highly likely accountants will have to carry out Data Protection Impact Assessments (DPIA). 

A DPIA is a process for building and demonstrating ongoing compliance with GDPR principles and is mandatory only when the processing of personal data is “likely to result in a high risk to the rights and freedoms of natural persons”. Depending on the circumstances, a DPIA may concern an organisation’s single processing operation, or a single DPIA may be used to assess multiple processing operations that are similar. This latter scenario may arise where the same technology is used to collect the same sort of data for similar purposes.

The Article 29 Working Party, the advisory body on GDPR, represented by the data protection regulator of each Member State, has issued guidance stating the rights and freedoms in question are not limited to privacy and may involve freedoms of speech, thought, movement, prohibition of discrimination and rights to liberty, conscience and religion. One or more of these rights may trigger an obligation to carry out a DPIA for a processing activity. 

It is important to be aware that even in circumstances where your organisation is a data controller and the GDPR obligation to carry out a DPIA has not been triggered, the organisation is still required to continuously assess the risks created by its processing activities and be alive to situations where the obligation to conduct a DPIA is triggered.

Assess your organisation’s personal data security measures

Data security has a prominent role in GDPR. Organisations in Ireland will be required to report personal data breaches to the Data Protection Commissioner. However, this obligation does not arise in every case where there is a breach. The notification obligation is triggered where the breach is likely to result in a risk to the rights and freedoms of individuals. As discussed above, the rights in issue are wider than data protection and privacy rights. GDPR also places obligations on data controllers to directly communicate breaches to affected individuals unless doing so would involve a disproportionate effort. The Article 29 Working Party has stated in its guidance that this risk exists where the breach may lead to physical, material or non-material damage to the individual whose data has been breached. This could be financial loss, identity theft, fraud or reputational damage.

To reduce the likelihood of a notifiable breach, GDPR also encourages data controllers to conduct a risk analysis of the security measures they implement to ensure adequate personal data security. At a minimum, the GDPR requires these measures to include:
  • The pseudonymisation and encryption of personal data;
  • Ensuring the resilience of systems and services processing data;
  • Restoration of access to personal data in the event of a breach; and
  • Frequent testing of the effectiveness of the security measures.
In addition to being best practice, putting in place the security measures listed above is likely to remove the standard obligation to inform affected individuals. An organisation’s failure to comply with its data security obligations may result in a fine of up to €10,000,000 or 2% of its total worldwide annual turnover. It is much more cost effective for data controllers to review and upgrade their security measures, implement relevant industry best practices and develop and maintain data breach plans. 

Decide whether to appoint a Data Protection Officer

Under the GDPR, an organisation is only required to appoint a DPO where:
  • It is a public body;
  • It carries out large scale regular and systematic monitoring of individuals as part of its core activities; or
  • It carries out ‘large scale’ processing of special categories of personal data or data relating to criminal convictions and offences. ‘Large scale’ is said to include large-scale processing operations which aim to process a considerable amount of personal data at regional, national or supranational level and which could affect many data subjects, and which are likely to result in a high risk.
Most accountancy firms will not be required to appoint a DPO but may choose to do so. The appointment of the person to the role of a DPO should be undertaken with great care. GDPR does not list specific qualifications or credentials that a DPO should possess, but it does state that a DPO should be a person of high integrity, professionalism and have “expert knowledge of data protection law and practice” to be able to carry out his or her duties. The Article 29 Working Party has issued the following guidance for organisations on appointing a DPO:

  • In determining whether a DPO is required, an organisation should keep a copy of its analysis in its records, as this assessment falls within the scope of its wider accountability obligations;
  • Preferably, the DPO should be located within the EU;
  • There can only be one DPO, but he or she can be supported by a team; and
  • Senior managers, including those in HR, marketing and IT, are barred from serving as the DPO.
GDPR preparation will be a large undertaking for most businesses, but if they take the time to implement some practical data privacy measures before May 2018, ongoing compliance processes won’t be so daunting.

Peter Bolger is the Head of Intellectual Property, Technology and Privacy at LK Shields.