GENERAL DATA PROTECTION REGULATION (GDPR) – JANUARY UPDATE

Date Added | January 30, 2018

GDPR came into force on 27th April 2016, and takes effect on 25th May 2018 (regardless of Brexit negotiations), meaning that your firm and business clients need to be preparing for compliance now.

The key changes of the GDPR include an expanded definition of personal data, greater liability for both data controllers and data processors, risk based accountability (essentially having a data protection policy, keeping records, privacy notices, terms of business statements and others), new and strengthened individual rights and applies across the EU regardless of which country you are based in. The GDPR Action Pack highlights actions to ensure you have thought about the new regulations, tidied up your data base(s) and have legal consent to hold data.

Many of you have asked for an example of a typical privacy policy that firms might use on their website:

Our Firm & Partners – contactable via The Street, Wessex, WS3 3SX or 01234 567890 or [email protected] – process your personal data as per our the purposes set out and retention periods specified in the contract with you, which also relies on certain service providers contracting with us (‘we’, ‘us’ or ‘our’).  If you do not provide the required personal financial data to us, we may be unable to fulfil the terms of the contract, for example, in submitting your accounts to the authorities, which includes analysing your personal information to assess your tax obligations.  When your personal information is transferred outside the European Economic Area, we shall seek your explicit consent.  You have the right to access, rectify, erase and port your personal data, as well as restrict processing or object to processing.  You also have the right to lodge a complaint with the Information Commissioner.

You should now introduce the GDPR regulations to your team and explain the importance of keeping client data secure. You can find a webinar introducing the GDPR on the 2020 website or directly: https://www.youtube.com/watch?v=ifen3UzsmEE&feature=youtu.be

Several firms have already done the training and split the webinar into 4 x 10- minute sessions with discussions around what changes the firm needs to make. This makes sense to us at 2020.

One of the key issues coming from discussions with firms is how to send the sensitive and personal data we hold in accounts and tax returns SECURELY to clients. This is probably our greatest risk – sending this data unencrypted by email to clients.

There are several ways of sending sensitive data securely to clients such as Citrix share file  https://www.citrix.com/  or egress https://www.egress.com/what-we-offer/email-and-file-encryption which offer a combination of policy-based gateway and desktop email encryption software designed to secure and control information. There are quite a few other software providers and there is a good article on  http://searchsecurity.techtarget.com/feature/Comparing-the-best-email-encryption-software-products which may help you if you haven’t gone down this path already.

The reputational damage of sending data to the wrong person could be reduced by installing a “send delay” in outlook (say 2 minutes), this gives you some time when realising you have the wrong send address. How you do this?

  • Go to the “Home” tab and click on the “Rules” drop down
  • Choose “Manage Rules and Alerts”
  • Under “Email Rules” choose “New Rule” and under “Start from a blank rule” click on “Apply rule on messages I send.” Click “Next,” which will show conditions — you don’t need to choose any of these, just click “Next” again.
  • On the final menu (the “Actions” page), check “Defer delivery by _ minutes” and fill in the blank.
  • Click “Next,” and fill in any exceptions to your new rule.  Then, click “Next,” and “Finish”.

The ICO has recently updated its website with some really good material, including a new Documentation Template for Controllers that your firm should complete.
This is available here: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/documentation/ at the bottom of the page, entitled gdpr-documentation-controller-template – the spreadsheet should be completed with the guidance of either Sandy Gilchrist or Matt Jackson (see below).

Over the next few months we will continue to keep you updated on practical measures to help you comply with the GDPR.

In the meantime, if you need training and help with your procedures please contact our experts:

Sandy Gilchrist – [email protected] 02032878243

Matt Jackson – [email protected] 0121 296 3837

The full GDPR Action Pack is included with 2020 Premier Plus and Platinum Membership.  Click here to discover the benefits of upgrading your membership.