Chris Turner 7 Mar 2019 06:39pm

Practice Q&A: GDPR and charity regulation

Chris Turner, professional consultant, ICAEW Advisory Services, has all the answers this month to questions on data breaches and security under GDPR, and reporting to charity regulators

Caption: Illustration by Yukai Du

Q: We have recently had a personal data breach. Who do we need to notify?

A: On becoming aware of a personal data breach, a firm should implement its breach response plan, thoroughly investigate the circumstances and take appropriate action to reduce the likelihood of similar breaches in future.

It should go without saying that detailed records of any data breach, and of the resulting actions, should be maintained. In addition to notifying affected clients of the breach, the ICO must be notified within 72 hours of the firm becoming aware of it if the breach is likely to result in a risk to the rights and freedoms of individuals.

If the breach is likely to result in a high risk to the rights and freedoms of individuals, the individuals must also be informed without undue delay. In such cases, the individuals would need to be given a description of the likely consequences of the breach, the measures taken or proposed to deal with the breach and a contact point for more information.

There is no automatic obligation to inform ICAEW of all personal data breaches. If, as a result of the breach, a member and/or firm has become liable to disciplinary action, members may need to report to ICAEW under their duty to report misconduct. Such circumstances are expected to be extremely rare and ICAEW would not usually need to be notified of personal data breaches.

Further guidance is available to members from the ICAEW Ethics Advisory Service on 01908 248 250 and in the helpsheet GDPR – Data Breaches. The ICO has also published extensive guidance on personal data breaches, available on its website at

Q: I am issuing a modified audit report for a charity. Do I have to tell the Charity Commission?

A: The short answer is yes. An auditor or an independent examiner of a charity has a duty to report ‘matters of material significance’ to the appropriate charity regulator(s) (the Charity Commission for England and Wales, the Office of the Scottish Charity Regulator and/or the Charity Commission for Northern Ireland).

The charity regulators consider an auditor intending to issue a modified audit opinion, an audit opinion with an emphasis of matter, or an audit opinion reporting a material uncertainty related to going concern to be a matter of material significance. They also consider an independent examiner intending to issue a qualified independent examiner’s report, which identifies one or more concerns about a charity’s accounts, to be a matter of material significance.

These become reportable to the relevant regulator(s) as soon as there is the intention to issue such an audit or independent examiner’s report, not when the report is actually issued. Further guidance on matters of material significance and how to make a report is available in the guide for auditors and independent examiners issued by the charity regulators.

It’s worth noting that a charity’s trustees have an obligation to report “serious incidents”. While these are not the same as “matters of material significance”, such incidents are often the driver of modifications to audit reports or qualifications to independent examiner’s reports. Further guidance is available to members from the ICAEW Ethics Advisory Service on 01908 248 250.

Q: Under the GDPR, can I send documents to clients without password protection or encryption?

A: The GDPR includes the “security principle”, which, in broad terms, means that you must have appropriate security to prevent the personal data you hold being accidentally or deliberately compromised.

The GDPR does not, however, stipulate the security measures you need to have in place. These should be based on your risk assessment and will also take into account the costs of implementation. Given the sensitivity of the personal data accountants typically send to their clients, and the relatively low cost of widely available measures such as encryption or password protection, it would be difficult to justify a policy of emailing documents without some level of protection. Where a document is password protected, the password should be sent by a separate channel (for example by telephone) rather than in the same email as the document.

The GDPR doesn’t contain an opt-out from the security principle, so it is unlikely that clients granting permission or asking you to send unprotected documents would be a suitable defence should a personal data breach occur.

After all, the responsibility for compliance with the GDPR (and any penalties for non-compliance) rests with the firm, not the client. Further guidance is available to members from the ICAEW Ethics Advisory Service on 01908 248 250 and in the helpsheet GDPR – Communicating safely with clients. The ICO has also published extensive guidance on security and encryption on its website.

Five in brief

1) MTD for VAT
From April 2019, all VAT registered businesses and organisations with taxable turnover above the VAT threshold of £85,000 will be required to keep their VAT records digitally and submit their VAT returns to HMRC using MTD-compatible software.

2) 2019 loan charges
Finance (No. 2) Act 2017 introduced a new charge on outstanding disguised remuneration loans, known as the 2019 loan charge. This will apply to all such loans made since 6 April 1999 if they are still outstanding on 5 April 2019.

3) Gender pay gap
Under the Equality Act 2010, large employers with 250 or more employees must publish data on their gender pay gaps. For public sector bodies, the annual “snapshot” date on which pay data is collected is 31 March; for private and voluntary sector employers, it is 5 April.

4) SORP for LLPs
The SORP for LLPs has been revised to take account of the triennial review of FRS 102, The Financial Reporting Standard applicable in the UK and Republic of Ireland. It applies for accounting periods beginning on or after 1 January 2019.

5) Going concern
ICAEW has recently published an updated helpsheet on material uncertainties relating to going concern. This may be helpful if there are concerns about the impact of a no-deal Brexit.