Eight steps to mastering GDPR

Jun 01, 2018

Jeremy Twomey writes:

Meeting General Data Protection Regulation (GDPR) compliance requirements has become a top priority for Irish businesses over recent months and accountancy practices are no different. Recognising that GDPR implementation presents both specific challenges and opportunities for accountants in practice, the Practice Consulting team has also been busy both offering advice and providing practical guidance in this area for our members.

This guidance can be found at https://www.charteredaccountants.ie/knowledge-centre/guidance/gdpr/gdpr-resources and includes the following:

  • GDPR 8 Step Guide;
  • Explanation of GDPR terms;
  • GDPR Template Outline Procedures to be tailored and used by an accountancy firm; and
  • Example paragraphs for a client engagement letter addressing GDPR and a template privacy statement.

From talking with our members in practice over recent weeks, it is evident that practitioners are at different stages on their journey to GDPR compliance. While it may appear a daunting exercise at the outset, the process of becoming GDPR ready can be broken down into a few key practical steps. With this in mind, in this article, I am going to outline the key points to achieve GDPR implementation from our 8 Step Guide:

1.  Raise GDPR awareness

As a starting point on your GDPR journey, the partners and staff at your firm need to be fully aware of the Regulation, the work to be undertaken to ensure compliance, the likely problems that may arise and any budgetary implications. A basic step that can be undertaken in-house at your firm is a GDPR awareness presentation for all the staff.

Your clients also have to comply with GDPR, so it is worthwhile checking that they are aware of these changes, to tell them of their GDPR obligations and how your processes may be changing. Such support may be an ‘added value’ opportunity for your firm to assist your clients.

2.  Appoint someone senior to oversee the process & resource this appropriately

Your firm should appoint someone internally to take control of understanding GDPR and how it will affect your practice. It is essential that this is a senior member of staff who will take responsibility for overseeing the GDPR compliance process at your firm.

While it is expected that the majority of the work in relation to meeting the requirements of GDPR can be undertaken internally, a project team may be required, which may include external support and assistance on certain issues. Hence, it is vital that reasonable funding and resources are set aside to achieve your GDPR requirements.

It is currently envisaged that most accountancy firms will not be required to appoint a Data Protection Officer (DPO). It is, however, recommended that you still appoint someone to be responsible for data protection within the firm going forward, but give them a title other than DPO (e.g. “Data Privacy Lead”).

3.  Review and update existing information and cyber security measures

Having comprehensive levels of information and cyber security is a key step towards building a resilient organisation and ensuring GDPR compliance. It is therefore recommended that members should review their existing security measures and update as necessary.

Both controllers and processors are required under the Regulation to implement “appropriate technical and organisational measures” to ensure a level of security appropriate to the risks that are presented by the processing of personal information. Such measures are described as including:

  • Pseudonymisation and encryption of data (The use of secure portals to share documents is also of benefit);
  • The ability to ensure ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  • The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
  • A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

Detailed listings of examples of both practical physical and technical security measures to aid GDPR compliance at your firm are included in the full version of our 8 Step Guide as published on the Institute website.

It is important to remember that managing cyber risk is not simply about managing data within your firm. Therefore, it becomes necessary to document the security risks from your supply chain (e.g. cloud service provider), as well as your own organisation.

4.  Map your data

With the many potential pitfalls of non-compliance with GDPR, taking action to identify any gaps in relation to the personal data your firm holds is critical. The first step is to get started by scoping the problem and mapping the data flows associated with your firm.

It involves identifying, understanding and mapping out the data flows into and out of the organisation. As the data map evolves, you should be able to identify the flow of data, as well as gaps in required contracts and consents for processing data under the GDPR, and risks in security measures etc. that will need to be prioritised and resolved to ensure compliance.

This requirement for data mapping is quite far reaching when you think about it. A typical accountancy practice possesses the following: accounting and tax software, audit software, payroll software, practice management systems, network drives and, of course, paper accounting, tax, company secretarial and audit files. This review will also need to extend to the many individual devices on which information is stored (e.g. laptops, desktops, tablets, phones and memory sticks).

Finally, it is important to emphasise that, when completing your data mapping, GDPR compliance is only required for the personal data that you hold. Company data, for example, is beyond the scope of the Regulation; however, your data mapping exercise may have the added benefit of identifying efficiencies that you can implement at your firm for non-personal data as well.

5.  Review your contracts with clients and suppliers

As the GDPR imposes new obligations on data controllers and data processors, you will need to make sure you understand your status and your responsibilities with regard to both client data and firm data. At the very least, firm contracts will need to be updated to reflect the requirements of the GDPR.

Accountancy firms should review their existing contracts with their clients, suppliers and sub-contractors to identify whether the accountancy firm is the data controller or data processor of any personal data it processes under the different contracts. This involves identifying which party ultimately determines the purpose and means of processing data. It is of vital importance that you satisfy yourself that your firm is correctly assigned the role of either data controller or processor (with matching appropriate requirements/liabilities) before signing any contract with your client or supplier. Remember that entering into a contract on the wrong basis may potentially open both you and your firm to unnecessary requirements/liabilities that may be difficult to overturn.

More detailed guidance on each of these areas is included in the full 8 Step Guide, while Section 5 of our Outline Policies and Procedures provides advice on your firm’s likely status as either a Data Controller or Processor for a variety of possible assignments that you may undertake. Both of these documents can be found on the Institute website under GDPR resources.

6.  Employment contracts & information for your employees

As with existing legislation in this area, under GDPR, certain information must be supplied to employees before their personal data is collected and processed by your firm. The information will typically be provided in the form of a notice to job candidates, and a further privacy policy will be supplied to successful job applicants as part of their on-boarding induction to the firm (typically included in an Employee Handbook along with other firm policies).

It is also important to remember that, for the processing of employees’ personal data, where possible, the employer should rely on performance of the employment contract as the legal basis for processing, rather than consent. Consent is a weaker legal basis for such processing as it can, for example, be easily withdrawn by the data subject.

Finally, do not forget to review (and redraft as necessary) employment contracts to update any data protection references or sections to comply with GDPR.

7.  Draft/update data protection policies and controls to meet the new requirements

The GDPR introduces the principle of ‘accountability’. This means that all organisations must not only ensure they are compliant with the GDPR, but be in a position to prove this too. The best way to prove this is to document your data protection policies and procedures. We suggest that your firm’s GDPR policies and procedures should include, but not be limited to, the following (Outline policies in several of these areas are included in “Outline GDPR Policies and Procedures” on our website):

  1. Who is responsible for GDPR at your firm and what are the reporting lines?
  2. Data Processing

    Your policies in this area should detail the categories of personal data collected by your firm and the purpose for which it is collected. In addition, these policies should detail your firm’s role as a Data Controller and also instances when you act as a Data Processor, together with your responsibilities in fulfilling these roles.

  3. Data Subject Rights

    Your firm will need to have specific policies and procedures in place to ensure the rights of your data subjects are upheld under GDPR and that you have adequate processes and resources to meet the requirements of the Regulation. Specific subject rights areas requiring defined policies and procedures include:

    • Data Subject Access Requests (DSARs);
    • Right of erasure (Right to be forgotten);
    • The right to restrict processing;
    • The right to object to processing; and
    • The right to data portability.

    Some of these rights may not be enforceable by the data subject where data is held under a legitimate purpose.

  4. Data Governance

    Example areas of data governance to be considered for inclusion in your GDPR related policies and procedures include the following: Data Protection Impact Assessments (DPIAs), Privacy by Design and Privacy Notices, Document Retention, Security and Breaches.

8.  Staff training and ongoing compliance

While not all staff will need to understand the GDPR in its entirety at your firm, each of your staff should at least be aware that data protection is an issue for everyone.

For staff who do not deal with personal data, training can be limited to an annual (refresher) course on information and cyber security. On the other hand, for staff who regularly deal with personal data, training should focus on the security of data, plus an awareness of the firm’s GDPR policies and procedures, on a regular basis (at a minimum annually, or more often if the need arises). Again, this can be tailored to their particular role and responsibilities.

Ongoing testing

Testing in the areas of IT security and other key aspects of GDPR compliance (e.g. audits of records held to confirm continuing compliance) should be formalised into a regular, ongoing programme of work at your firm, and extended to your outsourced providers. Cyber security is a rapidly evolving area. Meeting best practice in May 2018 does not mean you will maintain compliance over the months and years ahead; you will need to keep this area under review.

Conclusion

At first glance, the process of ensuring GDPR compliance may appear to be a massive undertaking and a drain on resources for your firm. It is important to bear in mind that most accountancy firms and small businesses are in the same boat as you, and that by breaking down the required steps into clear, manageable stages as above, you too can achieve GDPR compliance in a timely manner.

Should you need further assistance, Practice Consulting has also developed a half-day consultation offering. One of our consultants can visit your firm and offer practical advice and guidance on how to tailor your procedures, make progress on your GDPR journey, and meet key compliance milestones. If you have any questions in relation to GDPR, please feel free to contact either Conal Kennedy or myself in Practice Consulting.
