GDPR update and its impact on accountancy practices

GDPR update and its impact on accountancy practices. Richard Kemp, Kemp IT Law, 29 March 2017. Presentation to The Alternative Accountancy Strategic IT Conference.

Elizabeth Denham speech to ICAEW, 17.01.17

- "On a basic level, your jobs involve handling personal data. Payroll info, employee details, people's expenditures. It's your responsibility to keep that information secure and ensure that individuals' rights are respected, with the risk of enforcement action and damaging publicity for your company if you get that wrong."
- "The GDPR doesn't change that. If anything, it places more onus on you to handle information correctly. For the businesses you work with, that includes keeping data secure by protecting it from cyber attack, a growing area of risk."
- "I know that for most businesses, you're not just the people who do the accounts. You're a source of advice, good practice, assurance and protection from risk. You're in a good position to explain to your clients and organisations how the issues I'm going to talk about today are a competitive advantage if they get them right."

Quick GDPR update

- Brexit
  - "The big question is what happens when the UK leaves the EU. It's possible that Parliament will debate amending the GDPR... we will be banging our drum for continued protection and rights for consumers and clear laws for organisations. HMG will also need to answer questions about whether the UK will keep the UK's data protection law at an equivalent standard to the EU, to allow unrestricted data flows with EU countries. We need strong data protection laws to achieve all that."
- Privacy Shield
  - "The EU-US Privacy Shield is subject to a review in summer 2017; the advice for businesses is that Privacy Shield is a legitimate basis for transferring personal data to the US. The ICO welcomed the additional safeguards it provided compared to the previous safe harbour arrangement."
- Article 29 WP currently preparing GDPR guidance
- More guidance, consultations at national level
  - March 2017: ICO Consultation/Draft Guidance on Consent
  - March 2017: RoI DPC Consultation on Consent, Profiling, Personal Data Breach Notifications and Certification

Sources of duties and obligations

- general law: negligence, DPA/GDPR, etc.
- professional conduct
  - ICAEW Code of Ethics, section 130.1(b): "The principle of professional competence and due care imposes the obligations on all professional accountants to act diligently in accordance with applicable technical and professional standards when providing professional services."
  - ACCA Global Quality Assurance Standards, paragraph 2.7: "Maintain systems to allow easy access to information stored electronically and implement controls to ensure the security and integrity of this data is safeguarded."
- engagement arrangements
  - client engagement letters, etc.
  - contractual flow-down of regulatory obligations where the client is in a regulated sector (e.g. financial services, healthcare)
  - these may specifically impact e.g. information security, data protection, etc.

Top concerns around the GDPR (ranked; percentage of respondents naming each concern)

1. new penalties: 42%
2. consent requirements: 37%
3. territorial scope: 34%
4. new personal data categories: 32%
5. new profiling restrictions: 32%
6. data breach notification: 29%
7. new duties for data processors: 26%
8. right to be forgotten: 25%
9. accountability requirements: 21%

ICO's action list to prepare for GDPR

State of preparedness, Nov 2016, TRUSTe

ICO's 12 steps to prepare for the GDPR

1. & 11. awareness
   - senior management
   - DPO/CISO/IT Director, etc.
   - project plan up to May 2018
2. document what PD you hold
   - where it comes from
   - who it's shared with
   - do you need an information audit?
3. review and update privacy notices
   - engagement letters
   - privacy and security policies (staff handbook)
   - website & other notices

ICO's 12 steps to prepare for the GDPR (continued)

4. check procedures to meet individuals' rights
   - right to be informed
   - deletion and rectification of PD
   - see also step 3
5. subject access requests
   - remote access to a secure self-service system
   - within one month
6. legal basis for processing personal data
   - consent
   - necessary for complying with a legal obligation

ICO's 12 steps to prepare for the GDPR (continued)

7. consent
   - freely given, specific, informed and unambiguous
   - evidenced
   - must be easily withdrawable
8. children
   - verify age
   - show parental/guardian consent
9. data breaches
   - breach of security leading to loss, alteration, unauthorised disclosure of, or access to, PD
   - assess risk case by case
   - notify within 72 hours of awareness

ICO's 12 steps to prepare for the GDPR (continued)

10. Privacy Impact Assessments / Privacy by Design
    - for projects, e.g. new IT, data sharing, databases, services, etc.
    - carrying out & documenting the PIA process:
      - identify need and describe data flows
      - identify privacy risks and assess solutions
      - agree and record outcomes
      - integrate outcomes into project plan
      - consult stakeholders throughout the process
12. International
    - who is your regulator?
    - where is data held (e.g. Cloud)?
    - model clauses, Privacy Shield, etc.

Top tips & takeaways

- importance of training and awareness: the greatest risk is still the basics:
  - thumb drives
  - laptop left in taxi
  - loss of hard copy documents
  - documents faxed to wrong number
- emphasis on data & system security
  - business continuity and recovery
  - data storage & deletion
  - firms' cloud strategies
    - note importance of due diligence, reliance on ISO etc. standards

Top tips & takeaways (continued)

- senior management buy-in
  - understand how the GDPR broadens and deepens obligations
  - put data protection accountability at the centre of your business processes
- project planning in the run-up to May 2018
  - strategy, policy, process, statements
  - update:
    - documentation: policies, procedures, etc.
    - client engagement arrangements
  - assess data assets
- develop a proportionate firm PIA policy
  - policy + template
  - implement for new IT systems, etc. and products/services