One of the challenges facing the General Data Protection Regulation (GDPR) is that it is not yet tested and there are no legal precedents. This, combined with the potentially large fines for non-compliance, is causing some nervousness about exactly what is “good enough”.
The Information Commissioner’s Office (ICO) has said it will not be able to publish the final version of its GDPR consent guidance until the Article 29 Working Party of European Data Protection Authorities (WP29), of which the ICO is a member, has agreed its Europe-wide consent guidelines. These guidelines are due to be published later this year and the latest timetable is for this to be agreed and adopted in December 2017.
The key principles underlying the GDPR are “accountability” – which means anyone who processes data must demonstrate how they comply with the regulations – and “privacy by design”, which means always considering the privacy implications of new policies, working arrangements and technological updates.
If businesses are focusing purely on complying with the legal aspects of GDPR, rather than related operational risk or regulatory risk issues, there are three key areas to address.
First, the data protection principles, which set out the data handling quality expectations of the new law, such as the need for security and confidentiality of personal data use, data accuracy and minimisation of data use.
Second, the rights of individuals over their personal data have to be satisfied, such as the right of access, the right to be forgotten and the right to data portability.
Third, the law prescribes a compliance delivery framework, including the performance of risk assessments, the adoption of the privacy by design approach to data handling and personal data breach disclosure.
Practical steps that businesses can take to ensure compliance with the GDPR include raising awareness to ascertain whether senior management and clients are aware of the regulations, or of whether staff require training.
The status of jobs needs to be reviewed – is someone a data controller, a data processor or a joint data controller with a client and do you need to appoint a data protection officer? You will also need to review what personal data you hold, what you do with it, how long you hold it and who else has access to it.
It’s also important to have clear policies and procedures – who is responsible for data, what happens if there is a breach?
Article 30 of the GDPR contains a set of requirements that are sometimes interpreted as requiring an information audit, which is also referred to as “data mapping”. All organisations need to understand their data landscape, but there are no fixed rules on what the process should consist of. Most commonly, organisations use a manual approach based on questions, interviews and document reviews as well as computer forensics techniques.
In addition to carrying out data mapping to work out what personal data is processed by the business, the GDPR requires that a privacy impact assessment (which is a type of “deep dive” audit into a particular use case) is undertaken by businesses that engage in high risk – or high volume – data processing. High risk data processing is measured by the impact of such processing on the rights of individuals.
Controllers and processors are obliged to appoint a data protection officer if they are required to do so by Member State law; they are a public authority; their core activities consist of regular and systematic monitoring of data subjects on a large scale; or their core activities consist of the processing of sensitive personal data on a large scale.
Guidance provided by the EU’s Article 29 Working Party suggests that unless it is obvious that an organisation is not required to appoint a mandatory data protection officer, the business should document the internal analysis undertaken to determine whether or not such an officer needs to be appointed.
Where the business appoints a data protection officer on a voluntary basis, it should be made aware that the requirements applicable to mandatory data protection officers will also apply to the voluntarily appointed officer.
It is also possible for a business to assign certain data protection related responsibilities to an employee or consultant without designating them as a data protection officer, in which case they will not be subject to the requirements for data protection officers under the GDPR. A corporate group can appoint a single officer, provided that person is easily accessible by each business unit.
Accounting firms need to make sure they know their legal status, whether they are a data controller or a processor, and the differences in terms of their approach and preparations.
RANGE OF OBLIGATIONS
ICO guidance suggests that when acting for their clients, accounting firms will often be acting as data controllers because of the range of their professional obligations.
However, there is some ambiguity regarding exactly when an accounting firm will be acting as a controller and when it will be a processor, so it is important for firms to determine this at an early stage in their GDPR compliance preparations.
Data controllers have an obligation to notify the relevant data protection authorities within 72 hours of becoming aware of a data breach involving data from individuals that they hold on behalf of a client, and to notify the affected individuals without undue delay when the breach is likely to result in a high risk to the rights and freedoms of those individuals.
Accounting firms acting as controllers must also ensure that data subjects are able to exercise their new rights under the GDPR, for example, the right of data portability or the right of erasure.
Accounting firms will also need to think about information audits in the context of vendor management. It is a requirement of Article 28 of the GDPR that controllers only use data processors providing sufficient guarantees regarding their data processing and security measures. For a controller to be satisfied that a processor meets the required standard, it may be necessary for the former to carry out vendor due diligence and for the latter to allow for and contribute to information audits by the controller.
ASSIST AND CONTRIBUTE
The obligation of the processor to assist with and contribute to information audits must also be included in the GDPR mandated contract between the controller and processor.
There is value in accountants working with technology providers and legal firms to develop integrated advice for clients, whether they are looking for niche legal advice or technology solutions to meet GDPR requirements. The GDPR is also an opportunity for accounting firms to develop closer relationships with their clients by using their understanding of client confidentiality, privacy and audit to ensure data is protected.
Most clients will naturally want comfort that their accounting firm is delivering on the GDPR requirements and there will be greater scrutiny of procedures over the coming months and years, which will naturally bring firms and clients closer together.
Mark Taylor, technical manager, technical innovation for ICAEW’s IT Faculty, says: “The strengthening of consumer data protection rights under the GDPR is a welcome opportunity for accounting professionals to extend the range of professional services they offer clients. Accountants have a natural understanding of privacy and confidentiality. By combining these skills with an understanding of the common issues associated with GDPR, accountants are in an excellent position to advise clients on how to remain compliant. The existing Data Protection Act will be 20 years old in 2018 and a revision was needed to ensure data privacy remained in line with advances in technology. The GDPR provides a new platform for accounting professionals to demonstrate their core strength – accountability.”