GDPR came into force on 27th April 2016, and takes effect on 25th May 2018 (regardless of Brexit negotiations), meaning that your firm and business clients need to be preparing for compliance now.
The key changes of the GDPR include an expanded definition of personal data, greater liability for both data controllers and data processors, risk-based accountability (essentially having a data protection policy, keeping records, privacy notices, terms of business statements and others), new and strengthened individual rights, and application across the EU regardless of which country you are based in. The GDPR Action Pack highlights actions to ensure you have thought about the new regulations, tidied up your database(s) and have legal consent to hold data.
Our Firm & Partners (‘we’, ‘us’ or ‘our’) – contactable via The Street, Wessex, WS3 3SX or 01234 567890 or firstname.lastname@example.org – process your personal data for the purposes set out, and for the retention periods specified, in our contract with you; in doing so we also rely on certain service providers who contract with us. If you do not provide the required personal financial data to us, we may be unable to fulfil the terms of the contract, for example in submitting your accounts to the authorities, which includes analysing your personal information to assess your tax obligations. When your personal information is transferred outside the European Economic Area, we shall seek your explicit consent. You have the right to access, rectify, erase and port your personal data, as well as to restrict processing or object to processing. You also have the right to lodge a complaint with the Information Commissioner.
You should now introduce the GDPR regulations to your team and explain the importance of keeping client data secure. You can find a webinar introducing the GDPR on the 2020 website or directly: https://www.youtube.com/watch?v=ifen3UzsmEE&feature=youtu.be
Several firms have already done the training and split the webinar into four 10-minute sessions, each followed by a discussion of what changes the firm needs to make. This makes sense to us at 2020.
One of the key issues coming from discussions with firms is how to send the sensitive and personal data we hold in accounts and tax returns SECURELY to clients. This is probably our greatest risk – sending this data unencrypted by email to clients.
There are several ways of sending sensitive data securely to clients, such as Citrix ShareFile (https://www.citrix.com/) or Egress (https://www.egress.com/what-we-offer/email-and-file-encryption), which offer a combination of policy-based gateway and desktop email encryption software designed to secure and control information. There are quite a few other software providers, and there is a good comparison article at http://searchsecurity.techtarget.com/feature/Comparing-the-best-email-encryption-software-products which may help you if you haven’t gone down this path already.
The reputational damage of sending data to the wrong person could be reduced by installing a “send delay” in Outlook (say 2 minutes): the message waits in your Outbox for that time, giving you a chance to delete it if you realise you have used the wrong address. How do you do this?
- Go to the “Home” tab and click on the “Rules” drop down
- Choose “Manage Rules and Alerts”
- Under “Email Rules” choose “New Rule” and under “Start from a blank rule” click on “Apply rule on messages I send.” Click “Next,” which will show conditions — you don’t need to choose any of these, just click “Next” again.
- On the final menu (the “Actions” page), check “Defer delivery by _ minutes” and fill in the blank.
- Click “Next,” and fill in any exceptions to your new rule. Then, click “Next,” and “Finish”.
The ICO has recently updated its website with some really good material, including a new Documentation Template for Controllers that your firm should complete.
This is available at https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/documentation/ – look at the bottom of the page for the file entitled gdpr-documentation-controller-template. The spreadsheet should be completed with the guidance of either Sandy Gilchrist or Matt Jackson (see below).
Over the next few months we will continue to keep you updated on practical measures to help you comply with the GDPR.
In the meantime, if you need training and help with your procedures please contact our experts:
Sandy Gilchrist – email@example.com 02032878243
Matt Jackson – firstname.lastname@example.org 0121 296 3837